Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
high
Moderate
Medium FP
Axios NPM Compromise File Creation Indicators - MacOS
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - MacOS
id: 2db0458c-05c9-4069-a26f-77becd9c8c13
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise on macOS devices. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: file_event
product: macos
detection:
selection_curl_download:
Image|endswith: '/curl'
TargetFilename: '/Library/Caches/com.apple.act.mond'
selection_node_shell:
Image|endswith: '/node'
TargetFilename: '/tmp/6202033'
condition: 1 of selection_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Axios NPM Compromise File Creation Indicators - Windows
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - Windows
id: cd6386fa-bb9a-4b67-b006-786b6ab5d2ba
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_img:
Image|endswith:
- '\node.exe'
- '\powershell.exe'
selection_fils:
- TargetFilename:
- 'C:\ProgramData\wt.exe'
- 'C:\ProgramData\system.bat'
- TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\6202033.vbs'
- TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\6202033.ps1'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
view Sigma YAML
title: Axios NPM Compromise Indicators - Linux
id: 0a23a62d-c5b3-468b-a072-25064a9a8c87
status: experimental
description: |
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.execution
- attack.command-and-control
- attack.t1059.006
- attack.t1059.004
- attack.t1105
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_node_shell:
ParentImage|endswith:
- '/node'
- '/bun'
CommandLine|contains|all:
- 'curl '
- '/tmp/ld.py'
- 'python3 '
- 'nohup '
- '6202033'
selection_curl_download:
Image|endswith: '/curl'
CommandLine|contains: 'http://sfrclak.com'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
view Sigma YAML
title: Axios NPM Compromise Indicators - macOS
id: a09ee860-31b3-4586-8a68-0ebd74ce0e5f
status: experimental
description: |
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
author: Swachchhanda Shrawan Poudel (Nextron Systems)
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.execution
- attack.command-and-control
- attack.t1059.002
- attack.t1059.004
- attack.t1105
- detection.emerging-threats
logsource:
category: process_creation
product: macos
detection:
selection_osascript:
CommandLine|contains|all:
- 'nohup '
- 'osascript '
- '/tmp/6202033'
selection_curl_download:
CommandLine|contains|all:
- 'curl '
- 'packages.npm.org/product'
- '/Library/Caches/com.apple.act.mond'
selection_cleanup:
CommandLine|contains|all:
- 'rm '
- '-rf '
- '/tmp/6202033'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
BaaUpdate.exe Suspicious DLL Load
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
view Sigma YAML
title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
- id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
type: similar
status: experimental
description: |
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\BaaUpdate.exe'
ImageLoaded|endswith: '.dll'
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Links\'
- '\Music\'
- '\Pictures\'
- '\ProgramData\'
- '\Temporary Internet'
- '\Videos\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
view Sigma YAML
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
type: obsolete
status: test
description: |
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
- https://www.cobaltstrike.com/help-opsec
- https://twitter.com/CyberRaiju/status/1251492025678983169
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_werfault:
Image|endswith: '\WerFault.exe'
CommandLine|endswith: 'WerFault.exe'
selection_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
selection_regsvcs:
Image|endswith: '\regsvcs.exe'
CommandLine|endswith: 'regsvcs.exe'
selection_regasm:
Image|endswith: '\regasm.exe'
CommandLine|endswith: 'regasm.exe'
selection_regsvr32:
Image|endswith: '\regsvr32.exe'
CommandLine|endswith: 'regsvr32.exe'
filter_optional_edge_update:
ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
filter_optional_chromium_installer:
# As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
ParentImage|contains:
- '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
- '\AppData\Local\Google\Chrome\Application\'
ParentImage|endswith: '\Installer\setup.exe'
ParentCommandLine|contains: '--uninstall '
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
view Sigma YAML
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1140
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high
Convert to SIEM query
high
Moderate
High FP
Base64 MZ Header In CommandLine
Detects encoded base64 MZ header in the commandline
view Sigma YAML
title: Base64 MZ Header In CommandLine
id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
status: test
description: Detects encoded base64 MZ header in the commandline
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'TVqQAAMAAAAEAAAA' # MZ..........
- 'TVpQAAIAAAAEAA8A'
- 'TVqAAAEAAAAEABAA'
- 'TVoAAAAAAAAAAAAA'
- 'TVpTAQEAAAAEAAAA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
view Sigma YAML
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
- https://linux.die.net/man/1/truncate
- https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: macos
category: process_creation
detection:
selection_truncate:
Image|endswith: '/truncate'
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
condition: 1 of selection_*
falsepositives:
- Legitimate script work
level: high
Convert to SIEM query
high
Moderate
Medium FP
Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants.
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
view Sigma YAML
title: Blackbyte Ransomware Registry
id: 83314318-052a-4c90-a1ad-660ece38d276
status: test
description: |
Detects specific windows registry modifications made by BlackByte ransomware variants.
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
references:
- https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
author: frack113
date: 2022-01-24
modified: 2025-10-21
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject:
- 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy'
- 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections'
- 'HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\LongPathsEnabled'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
view Sigma YAML
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
Convert to SIEM query
high
Moderate
Medium FP
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
view Sigma YAML
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
- id: ce239692-aa94-41b3-b32f-9cab259c96ea
type: merged
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2022-10-09
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- attack.t1047
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
sc_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'sc config'
- 'wercplsupporte.dll'
wmic_cmd:
Image|endswith: '\wmic.exe'
CommandLine|endswith: 'COR_PROFILER'
condition: sc_cmd or wmic_cmd
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
view Sigma YAML
title: Blue Mockingbird - Registry
id: 92b0b372-a939-44ed-a11b-5136cf680e27
related:
- id: c3198a27-23a0-4c2c-af19-e5328d49680e
type: derived
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2023-08-17
tags:
- attack.execution
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1047
- detection.emerging-threats
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
view Sigma YAML
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\open\command\DelegateExecute'
Details: (Empty)
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using sdclt DelegateExecute
technique: T1548.002
atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7
Convert to SIEM query
high
Strong
Medium FP
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
view Sigma YAML
title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
filter:
Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
condition: selection and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using Event Viewer (cmd)
technique: T1548.002
atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
Convert to SIEM query
high
Strong
Medium FP
Bypass UAC Using SilentCleanup Task
Detects the setting of the environement variable "windir" to a non default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
view Sigma YAML
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
Detects the setting of the environement variable "windir" to a non default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Environment\windir'
filter_main_default:
Details: '%SystemRoot%'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using SilentCleanup Task
technique: T1548.002
atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
Convert to SIEM query
high
Moderate
High FP
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
view Sigma YAML
title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
status: test
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\fodhelper.exe'
condition: selection
falsepositives:
- Legitimate use of fodhelper.exe utility by legitimate user
level: high
Convert to SIEM query
high
Strong
High FP
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
view Sigma YAML
title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
- attack.execution
- attack.stealth
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
# CMSTP Spawning Child Process
selection:
ParentImage|endswith: '\cmstp.exe'
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
Convert to SIEM query
high
Strong
High FP
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
view Sigma YAML
title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
- attack.execution
- attack.stealth
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\cmmgr32.exe'
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
Convert to SIEM query
high
Strong
Medium FP
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
view Sigma YAML
title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://twitter.com/hFireF0X/status/897640081053364225
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
- https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1548.002
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\DllHost.exe'
ParentCommandLine|contains:
- ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
- ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
- ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
- ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
- ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
Convert to SIEM query
high
Moderate
Medium FP
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
view Sigma YAML
title: COLDSTEEL RAT Anonymous User Process Execution
id: e01b6eb5-1eb4-4465-a165-85d40d874add
status: test
description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- '\Windows\System32\'
- '\AppData\'
User|contains: 'ANONYMOUS'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
view Sigma YAML
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546
- attack.t1548
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
view Sigma YAML
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
- id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
type: obsolete
- id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- https://blog.talosintelligence.com/uat-5647-romcom/
- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
- https://github.com/rtecCyberSec/BitlockMove
- https://cert.gov.ua/article/6284080
- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection_target_root:
TargetObject|contains: '\CLSID\'
TargetObject|endswith:
- '\InprocServer32\(Default)'
- '\LocalServer32\(Default)'
selection_target_builtin_clsid:
TargetObject|contains:
# Note: Add other legitimate CLSID
- '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
- '\{2155fee3-2419-4373-b102-6843707eb41f}\'
- '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
- '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
- '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
- '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
- '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
- '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
- '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
- '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
- '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
- '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
- '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
- '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
- '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
selection_susp_location_1:
Details|contains:
# Note: Add more suspicious paths and locations
- ':\Perflogs\'
- '\AppData\Local\'
- '\Desktop\'
- '\Downloads\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- '\System32\spool\drivers\color\' # as seen in the knotweed blog
- '\Temporary Internet'
- '\Users\Public\'
- '\Windows\Temp\'
- '%appdata%'
- '%temp%'
- '%tmp%'
selection_susp_location_2:
- Details|contains|all:
- ':\Users\'
- '\Favorites\'
- Details|contains|all:
- ':\Users\'
- '\Favourites\'
- Details|contains|all:
- ':\Users\'
- '\Contacts\'
- Details|contains|all:
- ':\Users\'
- '\Pictures\'
condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
view Sigma YAML
title: CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
id: 7ec912f2-5175-4868-b811-ec13ad0f8567
status: test
description: |
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
references:
- https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth (Nextron Systems), NVISO
date: 2020-05-13
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- cve.2020-1048
- detection.emerging-threats
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Ports'
Details|contains:
- '.bat'
- '.com'
- '.dll'
- '.exe'
- '.ps1'
- '.vbe'
- '.vbs'
- 'C:'
condition: selection
falsepositives:
- New printer port install on host
level: high
Convert to SIEM query
high
Moderate
Medium FP
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
creation of non-standard files on disk by Exchange Server’s Unified Messaging service
which could indicate dropping web shells or other malicious content
view Sigma YAML
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: |
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
creation of non-standard files on disk by Exchange Server’s Unified Messaging service
which could indicate dropping web shells or other malicious content
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2022-10-09
tags:
- attack.t1203
- attack.execution
- cve.2021-26858
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: 'UMWorkerProcess.exe'
filter:
TargetFilename|endswith:
- 'CacheCleanup.bin'
- '.txt'
- '.LOG'
- '.cfg'
- 'cleanup.bin'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
view Sigma YAML
title: CVE-2021-44077 POC Default Dropped File
id: 7b501acf-fa98-4272-aa39-194f82edc8a3
status: test
description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
tags:
- attack.execution
- cve.2021-44077
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\ManageEngine\SupportCenterPlus\bin\msiexec.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
view Sigma YAML
title: CVE-2022-24527 Microsoft Connected Cache LPE
id: e0a41412-c69a-446f-8e6e-0e6d7483dad7
status: test
description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
references:
- https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
tags:
- attack.execution
- attack.privilege-escalation
- attack.t1059.001
- cve.2022-24527
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: 'WindowsPowerShell\Modules\webAdministration\webAdministration.psm1'
filter:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
view Sigma YAML
title: CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
id: f8987c03-4290-4c96-870f-55e75ee377f4
related:
- id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
type: similar
status: test
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
- https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
- https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment
- https://github.com/ForceFledgling/CVE-2023-22518
author: Andreas Braathen (mnemonic.io)
date: 2023-11-14
tags:
- attack.execution
- attack.t1059
- attack.initial-access
- attack.t1190
- cve.2023-22518
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith: '/java'
ParentCommandLine|contains: 'confluence'
selection_child:
# Only children associated with known campaigns
Image|endswith:
- '/bash'
- '/curl'
- '/echo'
- '/wget'
filter_main_ulimit:
CommandLine|contains: 'ulimit -u'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
view Sigma YAML
title: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
id: e4556676-fc5c-4e95-8c39-5ef27791541f
related:
- id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
type: similar
status: test
description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
- https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-30
tags:
- attack.execution
- cve.2023-38331
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\WinRAR.exe'
TargetFilename|contains: '\AppData\Local\Temp\Rar$'
TargetFilename|re: '\.[a-zA-Z0-9]{1,4} \.'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
view Sigma YAML
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
references:
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
- attack.initial-access
- attack.execution
- attack.t1190
- cve.2024-50623
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\javaw.exe'
ParentCommandLine|contains:
- 'Harmony'
- 'lexicom'
- 'VersaLex'
- 'VLTrader'
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'powershell'
- ' -enc '
- ' -EncodedCommand'
- '.Download'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
view Sigma YAML
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
- id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
type: derived
status: test
description: |
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_root:
Image|endswith: '\wusa.exe'
CommandLine|contains: '/extract:'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
# - '\Desktop\'
# - '\Downloads\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
view Sigma YAML
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
Detects the use of the "capsh" utility to invoke a shell.
references:
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/capsh'
CommandLine|endswith: ' --'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
view Sigma YAML
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
filter:
Details|contains: NetworkService
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
view Sigma YAML
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\ChannelAccess'
# Add more interesting combinations if you found them
Details|contains:
- '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
- '(A;;0x1;;;SY)' # Local System having GENERIC ALL
- '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
view Sigma YAML
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detect possible persistence using Fax DLL load when service restart
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Fax\Device Providers\'
- '\ImageName'
filter:
Details: '%systemroot%\system32\fxst30.dll' # Windows 10
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Chopper Webshell Process Pattern
Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
view Sigma YAML
title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_origin:
- Image|endswith: '\w3wp.exe'
- ParentImage|endswith: '\w3wp.exe'
selection_cmdline:
CommandLine|contains:
- '&ipconfig&echo'
- '&quser&echo'
- '&whoami&echo'
- '&c:&echo'
- '&cd&echo'
- '&dir&echo'
- '&echo [E]'
- '&echo [S]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
view Sigma YAML
title: ChromeLoader Malware Execution
id: 0a74c5a9-1b71-4475-9af2-7829d320d5c2
status: test
description: Detects execution of ChromeLoader malware via a registered scheduled task
references:
- https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
- https://twitter.com/th3_protoCOL/status/1480621526764322817
- https://twitter.com/Kostastsale/status/1480716528421011458
- https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
author: '@kostastsale'
date: 2022-01-10
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
- attack.t1176
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\powershell.exe'
ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
Image|endswith: '\chrome.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
view Sigma YAML
title: Chromium Browser Headless Execution To Mockbin Like Site
id: 1c526788-0abe-4713-862f-b520da5e5316
status: test
description: Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
references:
- https://www.zscaler.com/blogs/security-research/steal-it-campaign
author: X__Junior (Nextron Systems)
date: 2023-09-11
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
selection_headless:
CommandLine|contains: '--headless'
selection_url:
CommandLine|contains:
- '://run.mocky'
- '://mockbin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_mockbin_abuse/info.yml
Convert to SIEM query
high
Strong
Medium FP
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
This could be a sign of obfuscation of a fat finger problem (typo by the developer).
view Sigma YAML
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
This could be a sign of obfuscation of a fat finger problem (typo by the developer).
references:
- https://twitter.com/cyb3rops/status/1562072617552678912
- https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2026-05-13
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1: # missing space before the /c
CommandLine|contains:
- 'cmd.exe/c'
- '\cmd/c' # just cmd/c would be prone to false positives
- '"cmd/c'
- 'cmd.exe/k'
- '\cmd/k' # just cmd/k would be prone to false positives
- '"cmd/k'
- 'cmd.exe/r'
- '\cmd/r' # just cmd/r would be prone to false positives
- '"cmd/r'
selection2: # special cases verified via Virustotal Enterprise search
CommandLine|contains:
- '/cwhoami'
- '/cpowershell'
- '/cschtasks'
- '/cbitsadmin'
- '/ccertutil'
- '/kwhoami'
- '/kpowershell'
- '/kschtasks'
- '/kbitsadmin'
- '/kcertutil'
selection3: # missing space after the /c
CommandLine|contains:
- 'cmd.exe /c'
- 'cmd /c'
- 'cmd.exe /k'
- 'cmd /k'
- 'cmd.exe /r'
- 'cmd /r'
filter_generic:
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd /c '
- 'cmd.exe /k '
- 'cmd /k '
- 'cmd.exe /r '
- 'cmd /r '
filter_fp:
- CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
- CommandLine|endswith: 'cmd.exe/c .'
- CommandLine: 'cmd.exe /c'
- CommandLine: 'cmd /c'
condition: 1 of selection* and not 1 of filter_*
falsepositives:
- Legitimate use of cmd.exe with no arguments e.g. via system("") in C to enable ANSI escape codes
level: high
Convert to SIEM query
high
Moderate
High FP
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
view Sigma YAML
title: Communication To Ngrok Tunneling Service - Linux
id: 19bf6fdb-7721-4f3d-867f-53467f6a5db6
status: test
description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of ngrok
level: high
Convert to SIEM query
high
Moderate
High FP
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
view Sigma YAML
title: Communication To Ngrok Tunneling Service Initiated
id: 1d08ac94-400d-4469-a82f-daee9a908849
related:
- id: 18249279-932f-45e2-b37a-8925f2597670
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://twitter.com/hakluke/status/1587733971814977537/photo/1
- https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
author: Florian Roth (Nextron Systems)
date: 2022-11-03
modified: 2024-02-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1568.002
- attack.t1572
- attack.t1090
- attack.t1102
- attack.s0508
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'tunnel.us.ngrok.com'
- 'tunnel.eu.ngrok.com'
- 'tunnel.ap.ngrok.com'
- 'tunnel.au.ngrok.com'
- 'tunnel.sa.ngrok.com'
- 'tunnel.jp.ngrok.com'
- 'tunnel.in.ngrok.com'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
level: high
Convert to SIEM query
high
Moderate
High FP
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
view Sigma YAML
title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
status: experimental
description: |
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-57791
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'qlogin'
- ' -cs '
- ' -localadmin'
- ' -clp '
- '_localadmin__'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
This is a post-authentication step corresponding to CVE-2025-57790.
view Sigma YAML
title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
id: bd3b3fff-a018-4994-9876-68af5809160f
status: experimental
description: |
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
This is a post-authentication step corresponding to CVE-2025-57790.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.persistence
- attack.t1505.003
- detection.emerging-threats
- cve.2025-57790
logsource:
category: process_creation
product: windows
detection:
selection:
# qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
CommandLine|contains|all:
- 'qoperation'
- 'exec'
- ' -af '
- '.xml '
- '\Apache\webapps\ROOT\'
- '.jsp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Conhost.exe CommandLine Path Traversal
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
view Sigma YAML
title: Conhost.exe CommandLine Path Traversal
id: ee5e119b-1f75-4b34-add8-3be976961e39
status: test
description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
references:
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains: 'conhost'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
view Sigma YAML
title: Conti NTDS Exfiltration Command
id: aa92fd02-09f2-48b0-8a93-864813fb8f41
status: test
description: Detects a command used by conti to exfiltrate NTDS
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.collection
- attack.t1560
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '7za.exe'
- '\\C$\\temp\\log.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Conti Volume Shadow Listing
Detects a command used by conti to find volume shadow backups
view Sigma YAML
title: Conti Volume Shadow Listing
id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
status: test
description: Detects a command used by conti to find volume shadow backups
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
tags:
- attack.t1587.001
- attack.resource-development
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'vssadmin list shadows'
- 'log.txt'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
view Sigma YAML
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection:
# cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
# There is an additional "\" to escape the special "?"
CommandLine|contains|all:
- 'copy '
- '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
condition: selection
falsepositives:
- Backup scenarios using the commandline
level: high
Convert to SIEM query
high
Moderate
Medium FP
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
view Sigma YAML
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith: '/cp'
selection_path:
CommandLine|contains: '/tmp/'
selection_file:
CommandLine|contains:
- 'passwd'
- 'shadow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
view Sigma YAML
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
# Feel free to add more
TargetFilename: 'C:\program.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
view Sigma YAML
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
- https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|endswith: '$\(Default)'
Image|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
- type: atomic-red-team
name: Create Hidden User in Registry
technique: T1564.002
atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
Convert to SIEM query
Showing 101-150 of 1,524