Tool
EDR / XDR
Palo Alto Cortex XDR
559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 559
medium
Strong
Medium FP
Conhost Spawned By Uncommon Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
view Sigma YAML
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
- https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\conhost.exe'
ParentImage|endswith:
- '\explorer.exe'
# - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
# - '\ctfmon.exe' # Seen several times in a testing environment
# - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
- '\lsass.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\services.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\userinit.exe'
# - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
- '\wininit.exe'
- '\winlogon.exe'
filter_main_svchost:
ParentCommandLine|contains:
- '-k apphost -s AppHostSvc'
- '-k imgsvc'
- '-k localService -p -s RemoteRegistry'
- '-k LocalSystemNetworkRestricted -p -s NgcSvc'
- '-k NetSvcs -p -s NcaSvc'
- '-k netsvcs -p -s NetSetupSvc'
- '-k netsvcs -p -s wlidsvc'
- '-k NetworkService -p -s DoSvc'
- '-k wsappx -p -s AppXSvc'
- '-k wsappx -p -s ClipSVC'
- '-k wusvcs -p -s WaaSMedicSvc'
filter_optional_dropbox:
ParentCommandLine|contains:
- 'C:\Program Files (x86)\Dropbox\Client\'
- 'C:\Program Files\Dropbox\Client\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
view Sigma YAML
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains|windash:
- ' -c '
- ' -r '
- ' -k '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
falsepositives:
- During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
- Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
view Sigma YAML
title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1564
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate disabling of crashdumps
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
view Sigma YAML
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1218
- attack.execution
logsource:
product: windows
category: file_event
detection:
selection_mobsync:
Image|endswith: '\mobsync.exe'
filter_created_file:
TargetFilename|endswith:
- '.dll'
- '.exe'
condition: selection_mobsync and filter_created_file
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
view Sigma YAML
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: test
description: |
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
- https://github.com/Wh04m1001/SysmonEoP
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\Windows\System32\axeonoffhelper.dll'
- ':\Windows\System32\cdpsgshims.dll'
- ':\Windows\System32\oci.dll'
- ':\Windows\System32\offdmpsvc.dll'
- ':\Windows\System32\shellchromeapi.dll'
- ':\Windows\System32\TSMSISrv.dll'
- ':\Windows\System32\TSVIPSrv.dll'
- ':\Windows\System32\wbem\wbemcomn.dll'
- ':\Windows\System32\WLBSCTRL.dll'
- ':\Windows\System32\wow64log.dll'
- ':\Windows\System32\WptsExtensions.dll'
- '\SprintCSP.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
view Sigma YAML
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
- https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2026-05-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\WerFault.exe'
- '\wer.dll'
filter_main_known_locations:
TargetFilename|startswith:
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\UUS\' # covers both C:\Windows\UUS\arm64\ and C:\Windows\UUS\packages\
filter_main_process:
Image|endswith: '\wuaucltcore.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Creation of a Diagcab
Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
view Sigma YAML
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
- https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
- attack.resource-development
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.diagcab'
condition: selection
falsepositives:
- Legitimate microsoft diagcab
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
view Sigma YAML
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects passwords dumps from Keychain
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
- https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1555.001
logsource:
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/bin/security'
CommandLine|contains:
- 'find-certificate'
- ' export '
selection2:
CommandLine|contains:
- ' dump-keychain '
- ' login-keychain '
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
view Sigma YAML
title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
references:
- Internal Research
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli_script_main:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
# Note: Add other combinations that are suspicious
selection_cli_script_option_mshta:
CommandLine|contains|all:
- 'mshta'
- 'http'
selection_cli_script_option_other:
CommandLine|contains:
- 'rundll32'
- 'regsvr32'
- 'msiexec'
selection_cli_standalone:
Image|endswith: '\rundll32.exe'
filter_main_rundll32_known_exports:
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- 'UpdatePerUserSystemParameters'
- 'PrintUIEntry'
- 'ClearMyTracksByProcess'
condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
- Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with custom useragent options
view Sigma YAML
title: Curl.EXE Execution With Custom UserAgent
id: 3286d37a-00fd-41c2-a624-a672dcd34e60
status: test
description: Detects execution of curl.exe with custom useragent options
references:
- https://curl.se/docs/manpage.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
author: frack113
date: 2022-01-23
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1071.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_curl:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
selection_opt:
CommandLine|contains:
- ' -A '
- ' --user-agent '
condition: all of selection_*
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: medium
Convert to SIEM query
medium
Strong
Medium FP
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
system_control_base:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
system_control_keys:
TargetObject|contains:
- '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
- '\Terminal Server\Wds\rdpwd\StartupPrograms'
- '\SecurityProviders\SecurityProviders'
- '\SafeBoot\AlternateShell'
- '\Print\Providers'
- '\Print\Monitors'
- '\NetworkProvider\Order'
- '\Lsa\Notification Packages'
- '\Lsa\Authentication Packages'
- '\BootVerificationProgram\ImagePath'
filter_empty:
Details: '(Empty)'
filter_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
Details:
- 'cpwmon64_v40.dll'
- 'CutePDF Writer'
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
filter_realvnc:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
Details: 'VNCpm.dll'
condition: all of system_control_* and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Moderate
High FP
DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
view Sigma YAML
title: DLL Execution Via Register-cimprovider.exe
id: a2910908-e86f-4687-aeba-76a5f996e652
status: test
description: Detects using register-cimprovider.exe to execute arbitrary dll file.
references:
- https://twitter.com/PhilipTsukerman/status/992021361106268161
- https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
author: Ivan Dyachkov, Yulia Fomina, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\register-cimprovider.exe'
CommandLine|contains|all:
- '-path'
- 'dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
view Sigma YAML
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
- attack.stealth
- attack.t1070
logsource:
product: windows
category: image_load
detection:
selection:
Image|startswith: 'C:\Windows\'
ImageLoaded|startswith:
# TODO: Add more suspicious paths as you see fit in your env
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
view Sigma YAML
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: test
description: Hunts known SVR-specific DLL names.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023-12-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\AclNumsInvertHost.dll'
- '\AddressResourcesSpec.dll'
- '\BlendMonitorStringBuild.dll'
- '\ChildPaletteConnected.dll'
- '\DeregisterSeekUsers.dll'
- '\HandleFrequencyAll.dll'
- '\HardSwapColor.dll'
- '\LengthInMemoryActivate.dll'
- '\ModeBitmapNumericAnimate.dll'
- '\ModeFolderSignMove.dll'
- '\ParametersNamesPopup.dll'
- '\PerformanceCaptionApi.dll'
- '\ScrollbarHandleGet.dll'
- '\UnregisterAncestorAppendAuto.dll'
- '\WowIcmpRemoveReg.dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
view Sigma YAML
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1140
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_edge:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
Details: DWORD (0x00000001)
selection_chrome:
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
Details: 'secure'
selection_firefox:
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
Details: DWORD (0x00000001)
condition: 1 of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
view Sigma YAML
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: test
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
references:
- https://github.security.telekom.com/2023/08/darkgate-loader.html
- https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware
- https://github.com/pr0xylife/DarkGate/tree/main
author: Micah Babinski
date: 2023-10-15
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\Autoit3.exe'
- '\curl.exe'
- '\ExtExport.exe'
- '\KeyScramblerLogon.exe'
- '\wmprph.exe'
TargetFilename|endswith: '\Autoit3.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
DarkGate - Drop DarkGate Loader In C:\Temp Directory
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
view Sigma YAML
title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
id: df49c691-8026-48dd-94d3-4ba6a79102a8
status: test
description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
references:
- https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
author: Tomasz Dyduch, Josh Nickels
date: 2024-05-31
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_filename_suffix:
TargetFilename|contains: ':\temp\'
TargetFilename|endswith:
- '.au3'
- '\autoit3.exe'
selection_image_suffix:
Image|contains: ':\temp\'
Image|endswith:
- '.au3'
- '\autoit3.exe'
condition: 1 of selection_*
falsepositives:
- Unlikely legitimate usage of AutoIT in temp folders.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
view Sigma YAML
title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
id: 0e277796-5f23-4e49-a490-483131d4f6e1
related:
- id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
type: similar
status: test
description: |
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
references:
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2024-03-01
tags:
- attack.credential-access
- attack.t1003.001
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dnx.exe'
- '\excel.exe'
- '\monitoringhost.exe'
- '\msbuild.exe'
- '\mshta.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\regsvcs.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\scriptrunner.exe'
- '\winword.exe'
- '\wmic.exe'
- '\wscript.exe'
# - '\powershell.exe' # Note: Triggered by installing common software
# - '\regsvr32.exe' # Note: triggered by installing common software
# - '\schtasks.exe' # Note: triggered by installing software
# - '\svchost.exe' # Note: triggered by some services
filter_main_tiworker:
# Note: This filter requires "CommandLine" field enrichment
CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
CommandLine|endswith: '\TiWorker.exe -Embedding'
filter_main_generic:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\svchost.exe'
CommandLine|endswith:
- '-k LocalServiceNetworkRestricted'
- '-k WerSvcGroup'
filter_main_rundll32:
# Note: This filter requires "CommandLine" field enrichment
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- '/d srrstr.dll,ExecuteScheduledSPPCreation'
- 'aepdu.dll,AePduRunUpdate'
- 'shell32.dll,OpenAs_RunDL'
- 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
condition: selection and not 1 of filter_main_*
falsepositives:
- Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
view Sigma YAML
title: Defrag Deactivation
id: 958d81aa-8566-4cea-a565-59ccd4df27b0
status: test
description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
references:
- https://securelist.com/apt-slingshot/84312/
author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
date: 2019-03-04
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.s0111
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains:
- '/delete'
- '/change'
CommandLine|contains|all:
- '/TN'
- '\Microsoft\Windows\Defrag\ScheduledDefrag'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
view Sigma YAML
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
- id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
type: similar
status: experimental
description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
view Sigma YAML
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\desktop.ini'
filter_main_generic:
Image|startswith:
- 'C:\Windows\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_upgrade:
TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
filter_optional_jetbrains:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
TargetFilename|contains: '\JetBrains\apps\'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Operations performed through Windows SCCM or equivalent
- Read only access list authority
level: medium
Convert to SIEM query
medium
Moderate
High FP
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
view Sigma YAML
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1518
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
CommandLine|contains|all:
- 'query'
- '\software\'
- '/v'
- 'svcversion'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
view Sigma YAML
title: DeviceCredentialDeployment Execution
id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
status: test
description: |
Detects the execution of DeviceCredentialDeployment to hide a process from view.
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/147
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\DeviceCredentialDeployment.exe'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
view Sigma YAML
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
- attack.stealth
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\LanmanServer\Parameters\'
TargetObject|endswith:
- '\AutoShareWks'
- '\AutoShareServer'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
- type: atomic-red-team
name: Disable Administrative Share Creation at Startup
technique: T1070.005
atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
Convert to SIEM query
medium
Moderate
Medium FP
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection
view Sigma YAML
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
status: test
description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
Details: 'DWORD (00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
view Sigma YAML
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
- https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
- https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_set_1:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
Details: 'DWORD (0x00000001)'
selection_set_0:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
- 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
- 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
- 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
Details: 'DWORD (0x00000000)'
condition: 1 of selection_set_*
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
view Sigma YAML
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
TargetObject|endswith: '\EnableFirewall'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
- type: atomic-red-team
name: Disable Microsoft Defender Firewall via Registry
technique: T1562.004
atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Convert to SIEM query
medium
Strong
Medium FP
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
view Sigma YAML
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services on Linux systems.
Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
- attack.defense-impairment
- attack.t1685
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/service'
- '/systemctl'
- '/chkconfig'
CommandLine|contains:
- ' stop '
- ' disable '
filter_main_legit_snapd:
Image|endswith: '/systemctl'
CommandLine|contains:
- '--no-reload disable snap-snapd-'
- ' stop snap-snapd-'
filter_main_ssh_preinstall:
Image|endswith: '/systemctl'
ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
CommandLine|contains|all:
- ' stop '
- 'ssh.'
filter_main_ubuntu_upgrade:
ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
Image|endswith: '/systemctl'
filter_optional_aws_agent:
Image|endswith: '/systemctl'
CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administration activities
- Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
view Sigma YAML
title: Disable Privacy Settings Experience in Registry
id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
status: test
description: Detects registry modifications that disable Privacy Settings Experience
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Security Tools
Detects disabling security tools
view Sigma YAML
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: macos
detection:
launchctl_unload:
Image: '/bin/launchctl'
CommandLine|contains: 'unload'
security_plists:
CommandLine|contains:
- 'com.objective-see.lulu.plist' # Objective-See firewall management utility
- 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
- 'com.google.santad.plist' # google santa
- 'com.carbonblack.defense.daemon.plist' # carbon black
- 'com.carbonblack.daemon.plist' # carbon black
- 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
- 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
- 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
- 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
- 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
- 'osquery' # facebook osquery
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'packetbeat' # elastic network logger/shipper
- 'td-agent' # fluentd log shipper
disable_gatekeeper:
Image: '/usr/sbin/spctl'
CommandLine|contains: 'disable'
condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
view Sigma YAML
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
status: test
description: Detects disabling Windows Defender Tamper Protection
references:
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
Details: DWORD (0x00000000)
filter_msmpeng_client: # only disabled temporarily during updates
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_msmpeng_domain_controller: # only disabled temporarily during updates
Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
view Sigma YAML
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detect set EnableFirewall to 0 to disable the Windows firewall
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
- \SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
view Sigma YAML
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Security Center Notifications
technique: T1112
atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
Convert to SIEM query
medium
Strong
Medium FP
Disabling Security Tools
Detects disabling security tools
view Sigma YAML
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1686
logsource:
category: process_creation
product: linux
detection:
selection_iptables_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_2:
Image|endswith: '/service'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_iptables_3:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'iptables'
- 'stop'
selection_iptables_4:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'ip6tables'
- 'stop'
selection_firewall_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'stop'
selection_firewall_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'firewalld'
- 'disable'
selection_carbonblack_1:
Image|endswith: '/service'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_2:
Image|endswith: '/chkconfig'
CommandLine|contains|all:
- 'cbdaemon'
- 'off'
selection_carbonblack_3:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'stop'
selection_carbonblack_4:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'cbdaemon'
- 'disable'
selection_selinux:
Image|endswith: '/setenforce'
CommandLine|contains: '0'
selection_crowdstrike_1:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'stop'
- 'falcon-sensor'
selection_crowdstrike_2:
Image|endswith: '/systemctl'
CommandLine|contains|all:
- 'disable'
- 'falcon-sensor'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
view Sigma YAML
title: Disk Image Creation Via Hdiutil - MacOS
id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
status: test
description: Detects the execution of the hdiutil utility in order to create a disk image.
references:
- https://www.loobins.io/binaries/hdiutil/
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
- attack.exfiltration
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: /hdiutil
CommandLine|contains: 'create'
condition: selection
falsepositives:
- Legitimate usage of hdiutil by administrators and users.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
view Sigma YAML
title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
- https://www.loobins.io/binaries/hdiutil/
- https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
- https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
- attack.initial-access
- attack.collection
- attack.t1566.001
- attack.t1560.001
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: /hdiutil
CommandLine|contains:
- 'attach '
- 'mount '
condition: selection
falsepositives:
- Legitimate usage of hdiutil by administrators and users.
level: medium
Convert to SIEM query
medium
Strong
High FP
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
view Sigma YAML
title: Diskshadow Child Process Spawned
id: 56b1dde8-b274-435f-a73a-fb75eb81262a
related:
- id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
type: similar
- id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
type: similar
- id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
type: similar
- id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
type: similar
status: test
description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
references:
- https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
author: Harjot Singh @cyb3rjy0t
date: 2023-09-15
tags:
- attack.stealth
- attack.t1218
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\diskshadow.exe'
filter_main_werfault:
Image|endswith: ':\Windows\System32\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Likely from legitimate usage of Diskshadow in Interpreter mode.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dism Remove Online Package
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
view Sigma YAML
title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: test
description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: frack113
date: 2022-01-16
modified: 2022-08-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_dismhost:
Image|endswith: '\DismHost.exe'
ParentCommandLine|contains|all:
- '/Online'
- '/Disable-Feature'
# - '/FeatureName:'
# - '/Remove'
# /NoRestart
# /quiet
selection_dism:
Image|endswith: '\Dism.exe'
CommandLine|contains|all:
- '/Online'
- '/Disable-Feature'
# - '/FeatureName:'
# - '/Remove'
# /NoRestart
# /quiet
condition: 1 of selection_*
falsepositives:
- Legitimate script
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml
simulation:
- type: atomic-red-team
name: Disable Windows Defender with DISM
technique: T1562.001
atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
Convert to SIEM query
medium
Moderate
Medium FP
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
view Sigma YAML
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
view Sigma YAML
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
view Sigma YAML
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/wget'
selection_output:
- CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
- CommandLine|contains: '--output-document'
selection_path:
CommandLine|contains: '/tmp/'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
view Sigma YAML
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
TargetFilename|endswith:
- '.dll'
- '.exe'
- '.sys'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
view Sigma YAML
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
- https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
- https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.002
logsource:
category: process_creation
product: windows
detection:
selection_cmdline:
CommandLine|contains|all:
- 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
- 'scecli\0*'
- 'reg add'
condition: selection_cmdline
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
view Sigma YAML
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
- https://twitter.com/countuponsec/status/910977826853068800
- https://twitter.com/countuponsec/status/910969424215232518
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sqldumper.exe'
CommandLine|contains:
- '0x0110'
- '0x01100:40'
condition: selection
falsepositives:
- Legitimate MSSQL Server actions
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
view Sigma YAML
title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-08-24
modified: 2026-03-23
tags:
- attack.stealth
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\csc.exe'
selection_susp_location_1:
CommandLine|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\AppData\Local\Temp\' # User execution
- '\Temporary Internet'
- '\Windows\Temp\' # Admin execution
selection_susp_location_2:
- CommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- CommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
selection_susp_location_3:
CommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
filter_main_programfiles:
# Note: this is a generic filter. You could baseline execution in your env for a more robust rule
ParentImage|startswith:
- 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
- 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_sdiagnhost:
ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_w3p:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
filter_optional_chocolatey:
ParentImage: # Chocolatey https://chocolatey.org/
- 'C:\ProgramData\chocolatey\choco.exe'
- 'C:\ProgramData\chocolatey\tools\shimgen.exe'
filter_optional_defender:
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
- Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
- Ansible
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
view Sigma YAML
title: Dynamic .NET Compilation Via Csc.EXE - Hunting
id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
related:
- id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
type: derived
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-02
tags:
- attack.stealth
- attack.t1027.004
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csc.exe'
CommandLine|contains: '/noconfig /fullpaths @'
condition: selection
falsepositives:
- Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies
level: medium
Convert to SIEM query
medium
Moderate
High FP
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
view Sigma YAML
title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on ESXi system via esxcli
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
- attack.persistence
- attack.execution
- attack.t1136
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system '
- 'account '
- 'add '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
view Sigma YAML
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'network'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
view Sigma YAML
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'storage'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Convert to SIEM query
medium
Moderate
High FP
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
view Sigma YAML
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
- https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
- attack.t1690
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system'
- 'syslog'
- 'config'
CommandLine|contains: ' set'
condition: selection
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
Showing 51-100 of 559