Palo Alto Cortex XDR (Tool: EDR / XDR)
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB): every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Tactics and counts: Reconnaissance 4 · Resource Development 5 · Initial Access 7 · Execution 25 · Persistence 31 · Privilege Escalation 17 · Stealth 63 · Defense Impairment 16 · Credential Access 26 · Discovery 24 · Lateral Movement 10 · Collection 11 · Command and Control 18 · Exfiltration 7 · Impact 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema (Sigma assumes a normalised taxonomy) and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate is derived from the rule's shape, not from a measured rate, so use it to decide what to tune first before you deploy.
Detection rules
24 shown of 1,524
Suspicious Network Command
Level: low · Quality: Moderate · Alert volume: High FP
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Sigma YAML:
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-19
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re:
            - 'ipconfig\s+/all'
            - 'netsh\s+interface show interface'
            - 'arp\s+-a'
            - 'nbtstat\s+-n'
            - 'net\s+config'
            - 'route\s+print'
    condition: selection
falsepositives:
    - Administrator, hotline ask to user
level: low

Suspicious Query of MachineGUID
Level: low · Quality: Moderate · Alert volume: High FP
Use of reg to get MachineGuid information

Sigma YAML:
title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: test
description: Use of reg to get MachineGuid information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
author: frack113
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'SOFTWARE\Microsoft\Cryptography'
            - '/v '
            - 'MachineGuid'
    condition: selection
falsepositives:
    - Unknown
level: low

System Drawing DLL Load
Level: low · Quality: Moderate · Alert volume: High FP
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.

Sigma YAML:
title: System Drawing DLL Load
id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
status: test
description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-22
tags:
    - attack.collection
    - attack.t1113
    - detection.threat-hunting
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\System.Drawing.ni.dll'
    condition: selection
falsepositives:
    - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
level: low

System Information Discovery via Registry Queries
Level: low · Quality: Strong · Alert volume: High FP
Detects attempts to query system information directly from the Windows Registry.

Sigma YAML:
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
    - type: atomic-red-team
      name: System Information Discovery
      technique: T1010
      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
    - type: atomic-red-team
      name: Discover OS Product Name via Registry
      technique: T1082
      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
    - type: atomic-red-team
      name: Discover OS Build Number via Registry
      technique: T1082
      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec

System Integrity Protection (SIP) Enumeration
Level: low · Quality: Strong · Alert volume: High FP
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

Sigma YAML:
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: test
description: |
    Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

System Network Connections Discovery - Linux
Level: low · Quality: Strong · Alert volume: High FP
Detects usage of system utilities to discover system network connections

Sigma YAML:
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    filter_landscape_sysinfo:
        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
        Image|endswith: '/who'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate activities
level: low

TeamViewer Log File Deleted
Level: low · Quality: Moderate · Alert volume: Medium FP
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence

Sigma YAML:
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

Virtualbox Driver Installation or Starting of VMs
Level: low · Quality: Moderate · Alert volume: High FP
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Sigma YAML:
title: Virtualbox Driver Installation or Starting of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: test
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
references:
    - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
    - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020-09-26
modified: 2025-07-29
tags:
    - attack.stealth
    - attack.t1564.006
    - attack.t1564
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'VBoxRT.dll,RTR3Init'
            - 'VBoxC.dll'
            - 'VBoxDrv.sys'
    selection_2:
        CommandLine|contains:
            - 'startvm'
            - 'controlvm'
    condition: 1 of selection_*
falsepositives:
    - This may have false positives on hosts where Virtualbox is legitimately being used for operations
level: low

WMI Module Loaded By Uncommon Process
Level: low · Quality: Moderate · Alert volume: High FP
Detects WMI modules being loaded by an uncommon process

Sigma YAML:
title: WMI Module Loaded By Uncommon Process
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects WMI modules being loaded by an uncommon process
references:
    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2025-02-24
tags:
    - attack.execution
    - attack.t1047
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\fastprox.dll'
            - '\wbemcomn.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\WmiApRpl.dll'
            - '\wmiclnt.dll'
            - '\WMINet_Utils.dll'
            - '\wmiprov.dll'
            - '\wmiutils.dll'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\explorer.exe'
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_other:
        Image|endswith:
            - '\WindowsAzureGuestAgent.exe'
            - '\WaAppAgent.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_defender:
        Image|endswith: '\MsMpEng.exe'
    filter_optional_teams:
        Image|contains:
            - '\Microsoft\Teams\current\Teams.exe'
            - '\Microsoft\Teams\Update.exe'
    filter_optional_sysmon:
        Image|endswith:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low

Winget Admin Settings Modification
Level: low · Quality: Moderate · Alert volume: High FP
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.

Sigma YAML:
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low

File Deletion
Level: informational · Quality: Moderate · Alert volume: High FP
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

Sigma YAML:
title: File Deletion
id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
status: stable
description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2022-09-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm' # covers /rmdir as well
            - '/shred'
            - '/unlink'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational

File and Directory Discovery - Linux
Level: informational · Quality: Strong · Alert volume: High FP
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.

Sigma YAML:
title: File and Directory Discovery - Linux
id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
status: test
description: |
    Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community, CheraghiMilad
date: 2020-10-19
modified: 2024-12-01
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_file_with_asterisk:
        Image|endswith: '/file'
        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
    selection_recursive_ls:
        Image|endswith: '/ls'
        CommandLine|contains: '-R'
    selection_find_execution:
        Image|endswith: '/find'
    selection_tree_execution:
        Image|endswith: '/tree'
    selection_findmnt_execution:
        Image|endswith: '/findmnt'
    selection_locate_execution:
        Image|endswith: '/mlocate'
    condition: 1 of selection_*
falsepositives:
    - Legitimate activities
level: informational

File and Directory Discovery - MacOS
Level: informational · Quality: Strong · Alert volume: High FP
Detects usage of system utilities to discover files and directories

Sigma YAML:
title: File and Directory Discovery - MacOS
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: test
description: Detects usage of system utilities to discover files and directories
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-25
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: macos
detection:
    select_file_with_asterisk:
        Image: '/usr/bin/file'
        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
    select_recursive_ls:
        Image: '/bin/ls'
        CommandLine|contains: '-R'
    select_find_execution:
        Image: '/usr/bin/find'
    select_mdfind_execution:
        Image: '/usr/bin/mdfind'
    select_tree_execution:
        Image|endswith: '/tree' # the endswith modifier belongs on the field, not on the selection name
    condition: 1 of select*
falsepositives:
    - Legitimate activities
level: informational

Local Groups Discovery - MacOs
Level: informational · Quality: Strong · Alert volume: High FP
Detects enumeration of local system groups

Sigma YAML:
title: Local Groups Discovery - MacOs
id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
status: test
description: Detects enumeration of local system groups
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/dscacheutil'
        CommandLine|contains|all:
            - '-q'
            - 'group'
    selection_2:
        Image|endswith: '/cat'
        CommandLine|contains: '/etc/group'
    selection_3:
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - '-list'
            - '/groups'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: informational

Macos Remote System Discovery
Level: informational · Quality: Strong · Alert volume: High FP
Detects the enumeration of other remote systems.

Sigma YAML:
title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/arp'
        CommandLine|contains: '-a'
    selection_2:
        Image|endswith: '/ping'
        CommandLine|contains:
            - ' 10.' # 10.0.0.0/8
            - ' 192.168.' # 192.168.0.0/16
            - ' 172.16.' # 172.16.0.0/12
            - ' 172.17.'
            - ' 172.18.'
            - ' 172.19.'
            - ' 172.20.'
            - ' 172.21.'
            - ' 172.22.'
            - ' 172.23.'
            - ' 172.24.'
            - ' 172.25.'
            - ' 172.26.'
            - ' 172.27.'
            - ' 172.28.'
            - ' 172.29.'
            - ' 172.30.'
            - ' 172.31.'
            - ' 127.' # 127.0.0.0/8
            - ' 169.254.' # 169.254.0.0/16
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: informational

Network Sniffing - MacOs
Level: informational · Quality: Moderate · Alert volume: High FP
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Sigma YAML:
title: Network Sniffing - MacOs
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: test
description: |
    Detects the usage of tooling to sniff network traffic.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2022-11-26
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith:
            - '/tcpdump'
            - '/tshark'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational

New Application in AppCompat
Level: informational · Quality: Moderate · Alert volume: High FP
A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Sigma YAML:
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/1
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
    condition: selection
falsepositives:
    - This rule is to explore new applications on an endpoint. False positives depends on the organization.
    - Newly setup system.
    - Legitimate installation of new application.
level: informational

Suspicious High IntegrityLevel Conhost Legacy Option
Level: informational · Quality: Strong · Alert volume: High FP
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Sigma YAML:
title: Suspicious High IntegrityLevel Conhost Legacy Option
id: 3037d961-21e9-4732-b27a-637bcc7bf539
status: test
description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
references:
    - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288'
        CommandLine|contains|all:
            - 'conhost.exe'
            - '0xffffffff'
            - '-ForceV1'
    condition: selection
falsepositives:
    - Very Likely, including launching cmd.exe via Run As Administrator
level: informational

System Information Discovery
Level: informational · Quality: Moderate · Alert volume: High FP
Detects system information discovery commands

Sigma YAML:
title: System Information Discovery
id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
status: stable
description: Detects system information discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
author: Ömer Günal, oscd.community
date: 2020-10-08
modified: 2021-09-14
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/uname'
            - '/hostname'
            - '/uptime'
            - '/lspci'
            - '/dmidecode'
            - '/lscpu'
            - '/lsmod'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: informational

System Network Connections Discovery - MacOs
Level: informational · Quality: Moderate · Alert volume: High FP
Detects usage of system utilities to discover system network connections

Sigma YAML:
title: System Network Connections Discovery - MacOs
id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-12-28
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    condition: selection
falsepositives:
    - Legitimate activities
level: informational

System Network Discovery - Linux
Level: informational · Quality: Moderate · Alert volume: High FP
Detects enumeration of local network configuration

Sigma YAML:
title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: Ömer Günal and remotephone, oscd.community
date: 2020-10-06
modified: 2022-09-15
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
            - '/netstat'
            - '/ss'
            - '/ip'
            - '/ifconfig'
            - '/systemd-resolve'
            - '/route'
    selection_cli:
        CommandLine|contains: '/etc/resolv.conf'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: informational

System Network Discovery - macOS
Level: informational · Quality: Strong · Alert volume: High FP
Detects enumeration of local network configuration

Sigma YAML:
title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: remotephone, oscd.community
date: 2020-10-06
modified: 2024-08-29
tags:
    - attack.discovery
    - attack.t1016
logsource:
    product: macos
    category: process_creation
detection:
    selection_1:
        Image|endswith:
            - '/arp'
            - '/ifconfig'
            - '/netstat'
            - '/networksetup'
            - '/socketfilterfw'
    selection_2:
        Image: '/usr/bin/defaults'
        CommandLine|contains|all:
            - '/Library/Preferences/com.apple.alf'
            - 'read'
    filter_main_wifivelocityd:
        ParentImage|endswith: '/wifivelocityd'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate administration activities
level: informational

System Shutdown/Reboot - MacOs
Level: informational · Quality: Moderate · Alert volume: High FP
Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Sigma YAML:
title: System Shutdown/Reboot - MacOs
id: 40b1fbe2-18ea-4ee7-be47-0294285811de
status: test
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2022-11-26
tags:
    - attack.impact
    - attack.t1529
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/shutdown'
            - '/reboot'
            - '/halt'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: informational

Windows Spooler Service Suspicious Binary Load
Level: informational · Quality: Strong · Alert volume: High FP
Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).

Sigma YAML:
title: Windows Spooler Service Suspicious Binary Load
id: 02fb90de-c321-4e63-a6b9-25f4b03dfd14
status: test
description: |
    Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
references:
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://github.com/ly4k/SpoolFool
author: FPT.EagleEye, Thomas Patzke (improvements)
date: 2021-06-29
modified: 2022-06-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\spoolsv.exe'
        ImageLoaded|contains:
            - '\Windows\System32\spool\drivers\x64\3\'
            - '\Windows\System32\spool\drivers\x64\4\'
        ImageLoaded|endswith: '.dll'
    condition: selection
falsepositives:
    - Loading of legitimate driver
level: informational

Showing 1501-1524 of 1,524