Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
high
Moderate
High FP
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
view Sigma YAML
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains:
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- TargetFilename|endswith:
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump.exe'
- '\procdump64.exe'
- '\procdump64a.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
view Sigma YAML
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/grep'
CommandLine|contains: 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
view Sigma YAML
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|windash: ' -c '
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
- '&'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
view Sigma YAML
title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
status: test
description: Detects the abuse of custom file open handler, executing powershell
references:
- https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1202
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'shell\open\command\'
Details|contains|all:
- 'powershell'
- '-command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
view Sigma YAML
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
view Sigma YAML
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.008
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
filter_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
Details:
- '%%systemroot%%\system32\ntdsa.dll'
- '%%systemroot%%\system32\lsadb.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
view Sigma YAML
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1218.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\cmstp.exe'
ImageLoaded|contains:
# Add more suspicious paths as you see fit in your env
- '\PerfLogs\'
- '\ProgramData\'
- '\Users\'
- '\Windows\Temp\'
- 'C:\Temp\'
ImageLoaded|endswith:
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
view Sigma YAML
title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
- https://twitter.com/cyb3rops/status/1552932770464292864
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows \'
- 'C:\Program Files \'
- 'C:\Program Files (x86) \'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
view Sigma YAML
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
- id: e173ad47-4388-4012-ae62-bd13f71c18a8
type: similar
status: test
description: |
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
# The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
ImageLoaded|endswith: '\ShellChromeAPI.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
view Sigma YAML
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\VMwareXferlogs.exe'
filter: # VMware might be installed in another path so update the rule accordingly
Image|startswith: 'C:\Program Files\VMware\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
view Sigma YAML
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1048.001
- attack.command-and-control
- attack.t1071.004
- attack.t1132.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
view Sigma YAML
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.credential-access
- attack.t1555
- attack.t1552.004
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- 'ntds_capi_'
- 'ntds_legacy_'
- 'ntds_unknown_'
TargetFilename|endswith:
- '.cer'
- '.key'
- '.pfx'
- '.pvk'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
view Sigma YAML
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
Convert to SIEM query
high
Moderate
High FP
DarkGate - User Created Via Net.EXE
Detects creation of local users via the net.exe command with the name of "DarkGate"
view Sigma YAML
title: DarkGate - User Created Via Net.EXE
id: bf906d7b-7070-4642-8383-e404cf26eba5
status: test
description: Detects creation of local users via the net.exe command with the name of "DarkGate"
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2023-08-27
modified: 2023-10-15
tags:
- attack.persistence
- attack.t1136.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
# /c net user /add SafeMode DarkGate0!
selection:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains|all:
- 'user'
- 'add'
- 'DarkGate'
- 'SafeMode'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
view Sigma YAML
title: Default RDP Port Changed to Non Standard Port
id: 509e84b9-a71a-40e0-834f-05470369bd1e
status: test
description: |
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md
author: frack113
date: 2022-01-01
modified: 2024-03-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
filter_main_port:
Details: DWORD (0x00000d3d) # 3389
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml
simulation:
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Powershell
technique: T1021.001
atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Command_Prompt
technique: T1021.001
atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
Convert to SIEM query
high
Moderate
High FP
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
view Sigma YAML
title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /delete '
- '/tn \*'
- ' /f'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
view Sigma YAML
title: Deletion of Volume Shadow Copies via WMI with PowerShell
id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: c1337eb8-921a-4b59-855b-4ba188ddcc42
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-20
modified: 2022-12-30
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_get:
CommandLine|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
CommandLine|contains: 'Win32_ShadowCopy'
selection_delete:
CommandLine|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Devtoolslauncher.exe Executes Specified Binary
The Devtoolslauncher.exe executes other binary
view Sigma YAML
title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
- https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\devtoolslauncher.exe'
CommandLine|contains: 'LaunchForDeploy'
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
level: high
Convert to SIEM query
high
Moderate
Medium FP
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
view Sigma YAML
title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: test
description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
references:
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
author: Greg (rule)
date: 2022-06-17
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1202
- cve.2022-30190
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
ImageLoaded|endswith: '\sdiageng.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
view Sigma YAML
title: Diamond Sleet APT DLL Sideloading Indicators
id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
status: test
description: Detects DLL sideloading activity seen used by Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
product: windows
category: image_load
detection:
selection_1:
Image|endswith: ':\ProgramData\clip.exe'
ImageLoaded|endswith: ':\ProgramData\Version.dll'
selection_2:
Image|endswith: ':\ProgramData\wsmprovhost.exe'
ImageLoaded|endswith: ':\ProgramData\DSROLE.dll'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
view Sigma YAML
title: Diamond Sleet APT File Creation Indicators
id: e1212b32-55ff-4dfb-a595-62b572248056
status: test
description: Detects file creation activity that is related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- ':\ProgramData\4800-84DC-063A6A41C5C'
- ':\ProgramData\clip.exe'
- ':\ProgramData\DSROLE.dll'
- ':\ProgramData\Forest64.exe'
- ':\ProgramData\readme.md'
- ':\ProgramData\Version.dll'
- ':\ProgramData\wsmprovhost.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
view Sigma YAML
title: Diamond Sleet APT Process Activity Indicators
id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
status: test
description: Detects process creation activity indicators related to Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' uTYNkfKxHiZrx3KJ'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Diamond Sleet APT Scheduled Task Creation - Registry
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
view Sigma YAML
title: Diamond Sleet APT Scheduled Task Creation - Registry
id: 9f9f92ba-5300-43a4-b435-87d1ee571688
status: test
description: |
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- attack.defense-impairment
- attack.t1685
- detection.emerging-threats
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Windows TeamCity Settings User Interface'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Directory Service Restore Mode(DSRM) Registry Value Tampering
Detects changes to "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
view Sigma YAML
title: Directory Service Restore Mode(DSRM) Registry Value Tampering
id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
related:
- id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
type: similar
status: test
description: |
Detects changes to "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
references:
- https://adsecurity.org/?p=1785
- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
author: Nischal Khadgi
date: 2024-07-11
tags:
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1556
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
filter_main_default_value:
Details: 'DWORD (0x00000000)' # Default value
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
view Sigma YAML
title: Disable Macro Runtime Scan Scope
id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: test
date: 2022-10-25
modified: 2023-08-17
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\'
- '\Microsoft\Office\'
- '\Common\Security'
TargetObject|endswith: '\MacroRuntimeScanScope'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disable PUA Protection on Windows Defender
Detects disabling Windows Defender PUA protection
view Sigma YAML
title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
status: test
description: Detects disabling Windows Defender PUA protection
references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
view Sigma YAML
title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
- id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
type: obsolete
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows Defender\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_1:
TargetObject|endswith:
- '\DisableAntiSpyware'
- '\DisableAntiVirus'
- '\DisableBehaviorMonitoring'
- '\DisableBlockAtFirstSeen'
- '\DisableEnhancedNotifications'
- '\DisableIntrusionPreventionSystem'
- '\DisableIOAVProtection'
- '\DisableOnAccessProtection'
- '\DisableRealtimeMonitoring'
- '\DisableScanOnRealtimeEnable'
- '\DisableScriptScanning'
Details: 'DWORD (0x00000001)'
selection_dword_0:
TargetObject|endswith:
- '\DisallowExploitProtectionOverride'
- '\Features\TamperProtection'
- '\MpEngine\MpEnablePus'
- '\PUAProtection'
- '\Signature Update\ForceUpdateFromMU'
- '\SpyNet\SpynetReporting'
- '\SpyNet\SubmitSamplesConsent'
- '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
Details: 'DWORD (0x00000000)'
filter_optional_symantec:
Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
Image|endswith: '\sepWscSvc64.exe'
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
- Administrator actions via the Windows Defender interface
- Third party Antivirus
level: high
Convert to SIEM query
high
Moderate
Medium FP
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
view Sigma YAML
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains|all:
- ' -name IEHarden '
- ' -value 0 '
selection2:
CommandLine|contains|all:
- ' -name DEPOff '
- ' -value 1 '
selection3:
CommandLine|contains|all:
- ' -name DisableFirstRunCustomize '
- ' -value 2 '
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
view Sigma YAML
title: Disabled Volume Snapshots
id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
status: test
description: Detects commands that temporarily turn off Volume Snapshots
references:
- https://twitter.com/0gtweet/status/1354766164166115331
author: Florian Roth (Nextron Systems)
date: 2021-01-28
modified: 2023-12-15
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\Services\VSS\Diag'
- '/d Disabled'
condition: selection
falsepositives:
- Legitimate administration
level: high
Convert to SIEM query
high
Strong
Medium FP
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
view Sigma YAML
title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
status: test
description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high
Convert to SIEM query
high
Moderate
Medium FP
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
view Sigma YAML
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
- https://github.com/tyranid/DotNetToJScript
- https://thewover.github.io/Introducing-Donut/
- https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
- https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\cmstp.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msxsl.exe'
- '\regsvr32.exe'
# - '\svchost.exe'
- '\wmic.exe'
- '\wscript.exe'
ImageLoaded|endswith:
- '\clr.dll'
- '\mscoree.dll'
- '\mscorlib.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Driver Added To Disallowed Images In HVCI - Registry
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
view Sigma YAML
title: Driver Added To Disallowed Images In HVCI - Registry
id: 555155a2-03bf-4fe7-af74-d176b3fdbe16
related:
- id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b
type: similar
status: test
description: |
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
references:
- https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf
- https://x.com/yarden_shafir/status/1822667605175324787
author: Nasreddine Bencherchali (Nextron Systems), Omar Khaled (@beacon_exe)
date: 2023-12-05
modified: 2024-08-21
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\CI\'
- '\HVCIDisallowedImages'
condition: selection
falsepositives:
- Legitimate usage of this key would also trigger this. Investigate the driver being added and make sure its intended
level: high
Convert to SIEM query
high
Strong
High FP
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
view Sigma YAML
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
Convert to SIEM query
high
Strong
Medium FP
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_etw_enabled:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
ETW Logging Tamper In .NET Processes Via CommandLine
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
view Sigma YAML
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Email Exifiltration Via Powershell
Detects email exfiltration via powershell cmdlets
view Sigma YAML
title: Email Exifiltration Via Powershell
id: 312d0384-401c-4b8b-abdf-685ffba9a332
status: test
description: Detects email exfiltration via powershell cmdlets
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
date: 2022-09-09
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Add-PSSnapin'
- 'Get-Recipient'
- '-ExpandProperty'
- 'EmailAddresses'
- 'SmtpAddress'
- '-hidetableheaders'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Emotet Loader Execution Via .LNK File
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
view Sigma YAML
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: test
description: |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
references:
- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
- https://twitter.com/Cryptolaemus1/status/1517634855940632576
- https://tria.ge/220422-1pw1pscfdl/
- https://tria.ge/220422-1nnmyagdf2/
author: '@kostastsale'
date: 2022-04-22
modified: 2024-08-15
tags:
- attack.execution
- attack.t1059.006
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\explorer.exe'
- '\powershell.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains|all:
- 'findstr'
- '.vbs'
- '.lnk'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Equation Group C2 Communication
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
view Sigma YAML
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.command-and-control
- attack.g0020
- attack.t1041
- detection.emerging-threats
logsource:
category: firewall
detection:
selection:
- dst_ip:
- '69.42.98.86'
- '89.185.234.145'
- src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Esentutl Volume Shadow Copy Service Keys
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
view Sigma YAML
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
TargetFilename|contains: '_Cmdlet_'
condition: selection
falsepositives:
- Possible FP during log rotation
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcwrun.exe'
CommandLine|contains: '../'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execution DLL of Choice Using WAB.EXE
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
view Sigma YAML
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
filter:
Details: '%CommonProgramFiles%\System\wab32.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
view Sigma YAML
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
view Sigma YAML
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
- https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith: '\WorkFolders.exe'
filter:
Image: 'C:\Windows\System32\control.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of the uncommon Windows Work Folders feature.
level: high
Convert to SIEM query
high
Strong
Medium FP
Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
view Sigma YAML
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
Convert to SIEM query
high
Strong
Medium FP
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
id: 43259cc4-1b80-4931-bd98-baea01afc196
status: experimental
description: |
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
references:
- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_wsusservice:
ParentImage|endswith: '\wsusservice.exe'
selection_parent_w3wp_wsuspool:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'WsusPool'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
level: high
Convert to SIEM query
high
Strong
Medium FP
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
view Sigma YAML
title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
status: test
description: Detects the execution of the commonly used ZeroLogon PoC executable.
references:
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: '@Kostastsale, TheDFIRReport'
date: 2022-02-12
tags:
- attack.execution
- attack.lateral-movement
- attack.t1210
- cve.2020-1472
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_main:
ParentImage|endswith: '\cmd.exe'
Image|endswith:
- '\cool.exe'
- '\zero.exe'
CommandLine|contains|all:
- 'Administrator'
- '-c'
selection_payloads_1:
CommandLine|contains|all:
- 'taskkill'
- '/f'
- '/im'
selection_payloads_2:
CommandLine|contains: 'powershell'
condition: selection_main and 1 of selection_payloads_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 151-200 of 1,524