Palo Alto Cortex XDR
559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Rules per ATT&CK tactic, as tagged in this corpus:
Reconnaissance: 4 · Resource Development: 5 · Initial Access: 7 · Execution: 25 · Persistence: 31 · Privilege Escalation: 17 · Stealth: 63 · Defense Impairment: 16 · Credential Access: 26 · Discovery: 24 · Lateral Movement: 10 · Collection: 11 · Command and Control: 18 · Exfiltration: 7 · Impact: 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
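The Validate and Adapt steps above, as an added example that is neither this page's tooling nor SigmaHQ code: a stand-alone evaluator that runs three of the rules listed further down (ESXi System Information Discovery Via ESXCLI, EVTX Created In Uncommon Location, Explorer Process Tree Break) over constructed events, and takes a `field_map` so an event in your own schema can be renamed to Sigma's field names before matching. The detection sections are transcribed from the rules' YAML into Python dicts so only the standard library is needed (`yaml.safe_load` on the rule text yields the same dicts); the sample events are constructed, not real telemetry; and the `windash` handling is a simplification that only swaps the `/` and `-` switch prefix.

```python
"""Evaluate Sigma detection sections against events (added example).
Supports contains/startswith/endswith/all/windash, '*' and '?' wildcards, value
lists (OR), lists of maps (OR), and conditions with and/or/not, parentheses,
`all of X_*` and `N of X_*`. Matching is case-insensitive, as Sigma specifies."""
import re

# Detection sections transcribed from three rules on this page.
ESXI_SYSTEM_INFO = {  # ESXi System Information Discovery Via ESXCLI
    'selection_img': {'Image|endswith': '/esxcli', 'CommandLine|contains': 'system'},
    'selection_cli': {'CommandLine|contains': [' get', ' list']},
    'condition': 'all of selection_*',
}
EVTX_UNCOMMON = {  # EVTX Created In Uncommon Location
    'selection': {'TargetFilename|endswith': '.evtx'},
    'filter_main_path': {'TargetFilename|startswith': 'C:\\Windows\\System32\\winevt\\Logs\\'},
    'filter_main_baseimage': {
        'TargetFilename|startswith': 'C:\\ProgramData\\Microsoft\\Windows\\Containers\\BaseImages\\',
        'TargetFilename|endswith': '\\Windows\\System32\\winevt\\Logs\\',
    },
    'condition': 'selection and not 1 of filter_main_*',
}
EXPLORER_TREE_BREAK = {  # Explorer Process Tree Break
    'selection_factory': {'CommandLine|contains': '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}'},
    'selection_root': {'CommandLine|contains': 'explorer.exe', 'CommandLine|contains|windash': ' /root,'},
    'condition': '1 of selection_*',
}

# Constructed sample events (not real telemetry), keyed by Sigma field names.
EVENTS = {
    'esxcli_account_list': {'Image': '/bin/esxcli', 'CommandLine': 'esxcli system account list'},
    'esxcli_account_add': {'Image': '/bin/esxcli', 'CommandLine': 'esxcli system account add -i svc -p x -c x'},
    'evtx_in_temp': {'TargetFilename': 'C:\\Windows\\Temp\\Security_7f3a.evtx'},
    'evtx_in_place': {'TargetFilename': 'C:\\Windows\\System32\\winevt\\Logs\\Security.evtx'},
    'explorer_dash_root': {'CommandLine': 'explorer.exe -root,"C:\\Windows\\System32\\calc.exe"'},
}

_WRAP = {'contains': ('.*', '.*'), 'startswith': ('', '.*'), 'endswith': ('.*', '')}


def _pattern(value, mods):
    """Compile one Sigma value to a case-insensitive regex; '*' and '?' are wildcards."""
    body = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c) for c in value)
    pre, post = next(((p, s) for m, (p, s) in _WRAP.items() if m in mods), ('', ''))
    return re.compile('^%s%s%s$' % (pre, body, post), re.IGNORECASE | re.DOTALL)


def _field_matches(event, key, values):
    """'Field|mod|mod': value(s). A value list is OR-ed unless the 'all' modifier is present."""
    field, *mods = key.split('|')
    actual = event.get(field)
    if actual is None:
        return False
    values = values if isinstance(values, list) else [values]

    def one(val):
        # windash, simplified: accept both the '/' and the '-' spelling of a switch.
        variants = {val, val.replace(' /', ' -'), val.replace(' -', ' /')} if 'windash' in mods else {val}
        return any(_pattern(str(v), mods).match(str(actual)) for v in variants)

    hits = [one(v) for v in values]
    return all(hits) if 'all' in mods else any(hits)


def _selection_matches(event, sel):
    """A map is AND-ed over its fields; a list of maps is OR-ed."""
    if isinstance(sel, list):
        return any(_selection_matches(event, s) for s in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())


def _eval_condition(cond, event, det):
    """Rewrite the condition as a Python boolean expression over True/False literals.
    Sigma and Python share the not > and > or precedence. Every token is checked against
    an allow-list first, so rule text never reaches eval() as code."""
    names = [n for n in det if n != 'condition']
    toks = re.findall(r'\(|\)|[^\s()]+', cond)
    py, i = [], 0
    while i < len(toks):
        t = toks[i]
        if (t == 'all' or t.isdigit()) and i + 2 < len(toks) and toks[i + 1] == 'of':
            rx = re.compile('^' + re.escape(toks[i + 2]).replace('\\*', '.*') + '$')
            hits = [_selection_matches(event, det[n]) for n in names if rx.match(n)]
            py.append(str(all(hits) if t == 'all' else sum(hits) >= int(t)))
            i += 3
        elif t in names:
            py.append(str(_selection_matches(event, det[t])))
            i += 1
        elif t in ('and', 'or', 'not', '(', ')'):
            py.append(t)
            i += 1
        else:
            raise ValueError('unsupported condition token: %r' % t)
    return bool(eval(' '.join(py), {'__builtins__': {}}, {}))


def rule_matches(detection, event, field_map=None):
    """True if `event` fires the rule. `field_map` renames your schema's fields to Sigma's (Adapt step)."""
    if field_map:
        event = {field_map.get(k, k): v for k, v in event.items()}
    return _eval_condition(detection['condition'], event, detection)


if __name__ == '__main__':
    for name, ev in EVENTS.items():
        print(name, [rule_matches(d, ev) for d in (ESXI_SYSTEM_INFO, EVTX_UNCOMMON, EXPLORER_TREE_BREAK)])
```

Note what the negative cases show: `esxcli system account add` does not fire the ESXi rule, because the rule only looks for `get`/`list`, and an EVTX written to its normal `winevt\Logs` path is filtered out. That is the kind of gap the Validate step is meant to surface before you trust an alert.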
Detection rules
50 shown of 559
Level: medium · Quality: Strong · Alert volume: Medium FP
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
Sigma YAML:
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flags in order to kill/shutdown a specific VM.
Sigma YAML:
title: ESXi VM Kill Via ESXCLI
id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
status: test
description: Detects execution of the "esxcli" command with the "vm" and "kill" flags in order to kill/shutdown a specific VM.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.execution
    - attack.impact
    - attack.t1059.012
    - attack.t1529
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'vm process'
            - 'kill'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
Sigma YAML:
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Sigma YAML:
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vsan'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
EVTX Created In Uncommon Location
Detects the creation of new files with the ".evtx" extension in a non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search them for sensitive information.
Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
Sigma YAML:
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: test
description: |
    Detects the creation of new files with the ".evtx" extension in a non-standard location.
    This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search them for sensitive information.
    Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
references:
    - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2024-03-26
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The ".evtx" extension should be monitored via a Sysmon configuration. Example: <TargetFilename condition="end with">.evtx</TargetFilename>'
detection:
    selection:
        TargetFilename|endswith: '.evtx'
    filter_main_path:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
    filter_main_baseimage:
        TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\'
        TargetFilename|endswith: '\Windows\System32\winevt\Logs\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrator or backup activity
    - An unknown bug seems to trigger the Windows "svchost" process to drop EVTX files in the "C:\Windows\Temp" directory in the form "<log_name>_<uuid>.evtx". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations/info.yml
Level: medium · Quality: Moderate · Alert volume: High FP
Enable BPF Kprobes Tracing
Detects a common command used to enable BPF kprobes tracing.
Sigma YAML:
title: Enable BPF Kprobes Tracing
id: 7692f583-bd30-4008-8615-75dab3f08a99
status: test
description: Detects a common command used to enable BPF kprobes tracing.
references:
    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
    - https://bpftrace.org/
    - https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-25
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains|all:
            - 'echo 1 >'
            - '/sys/kernel/debug/tracing/events/kprobes/'
        CommandLine|contains:
            - '/myprobe/enable'
            - '/myretprobe/enable'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
Sigma YAML:
title: Enable Local Manifest Installation With Winget
id: fa277e82-9b78-42dd-b05c-05555c7b6015
status: test
description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrators or developers might enable this for testing purposes or to install custom private packages
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Enable Microsoft Dynamic Data Exchange
Detects registry changes that enable the Dynamic Data Exchange (DDE) protocol in supported editions of Microsoft Word or Excel.
Sigma YAML:
title: Enable Microsoft Dynamic Data Exchange
id: 63647769-326d-4dde-a419-b925cc0caf42
status: test
description: Detects registry changes that enable the Dynamic Data Exchange (DDE) protocol in supported editions of Microsoft Word or Excel.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
author: frack113
date: 2022-02-26
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1559.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_word:
        TargetObject|endswith: '\Word\Security\AllowDDE'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000002)'
    selection_excel:
        TargetObject|endswith:
            - '\Excel\Security\DisableDDEServerLaunch'
            - '\Excel\Security\DisableDDEServerLookup'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Sigma YAML:
title: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
id: 4d431012-2ab5-4db7-a84e-b29809da2172
status: test
description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
author: X__Junior (Nextron Systems)
date: 2023-11-03
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\WBEM\CIMOM\AllowAnonymousCallback'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Sigma YAML:
title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
status: test
description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
references:
    - https://twitter.com/jamieantisocial/status/1304520651248668673
    - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
    - https://www.sans.org/cyber-security-summit/archives
    - https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)
date: 2020-09-10
modified: 2023-11-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.012
logsource:
    category: registry_set
    product: windows
detection:
    selection_1:
        TargetObject|endswith:
            - '\COR_ENABLE_PROFILING'
            - '\COR_PROFILER'
            - '\CORECLR_ENABLE_PROFILING'
    selection_2:
        TargetObject|contains: '\CORECLR_PROFILER_PATH'
    condition: 1 of selection_*
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Enumeration for 3rd Party Creds From CLI
Detects processes that query, via the command line, known 3rd party registry keys that hold credentials.
Sigma YAML:
title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
      type: derived
    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
      type: similar
status: test
description: Detects processes that query, via the command line, known 3rd party registry keys that hold credentials.
references:
    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: # Add more paths as they are discovered
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm\'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
        Image|endswith: 'reg.exe'
        CommandLine|contains:
            - 'export'
            - 'save'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
Sigma YAML:
title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
    Adversaries may search the Registry on compromised systems for insecurely stored credentials.
    The Windows Registry stores configuration information that can be used by the system or other programs.
    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - ' query '
            - '/t '
            - 'REG_SZ'
            - '/s'
    hive:
        - CommandLine|contains|all:
              - '/f '
              - 'HKLM'
        - CommandLine|contains|all:
              - '/f '
              - 'HKCU'
        - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
    condition: reg and hive
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: High FP
Esentutl Gather Credentials
Detects use of esentutl to access a dumped NTDS file, as Conti recommended to its affiliates. Trickbot also uses this utility to obtain Microsoft Edge data via its pwgrab module.
Sigma YAML:
title: Esentutl Gather Credentials
id: 7df1713a-1a5b-4a4b-a071-dc83b144a101
status: test
description: Detects use of esentutl to access a dumped NTDS file, as Conti recommended to its affiliates. Trickbot also uses this utility to obtain Microsoft Edge data via its pwgrab module.
references:
    - https://twitter.com/vxunderground/status/1423336151860002816
    - https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
author: sam0x90
date: 2021-08-06
modified: 2022-10-09
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.003
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'esentutl'
            - ' /p'
    condition: selection
falsepositives:
    - To be determined
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
EventLog EVTX File Deleted
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
Sigma YAML:
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\'
        TargetFilename|endswith: '.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
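What a rendered query can look like, as an added example that is neither this page's converter output nor Palo Alto's code: a small renderer that turns the logsource and detection sections of two rules above (ESXi VM Kill Via ESXCLI and EventLog EVTX File Deleted, transcribed as dicts) into XQL text. The `xdr_data` column names in `FIELDS`, the `ENUM.*` event scoping in `LOGSOURCE`, and the use of `lowercase()`, `contains` and the `~=` regex operator with backslash-escaped string literals are assumptions about the Cortex XDR schema; check them against your tenant and against the page's own rendering before deploying.

```python
"""Render Sigma detection sections as Cortex XDR XQL (added example).
ASSUMPTIONS to verify against your tenant: the xdr_data columns in FIELDS, the
ENUM.* scoping in LOGSOURCE, and that XQL offers lowercase(), `contains` and a
`~=` regex operator over backslash-escaped string literals."""
import re

# Sigma logsource -> XQL event scope (assumed mapping).
LOGSOURCE = {
    ('process_creation', 'linux'): 'event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_LINUX',
    ('process_creation', 'windows'): 'event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_WINDOWS',
    ('file_event', 'windows'): 'event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW and agent_os_type = ENUM.AGENT_OS_WINDOWS',
    ('file_delete', 'windows'): 'event_type = ENUM.FILE and event_sub_type = ENUM.FILE_REMOVE and agent_os_type = ENUM.AGENT_OS_WINDOWS',
}
# Sigma field -> xdr_data column (assumed mapping; this is the "Adapt" step).
FIELDS = {
    'Image': 'action_process_image_path',
    'CommandLine': 'action_process_image_command_line',
    'ParentImage': 'actor_process_image_path',
    'ParentCommandLine': 'actor_process_command_line',
    'TargetFilename': 'action_file_path',
}

# Logsource and detection sections transcribed from two rules on this page.
ESXI_VM_KILL = {
    'logsource': {'category': 'process_creation', 'product': 'linux'},
    'detection': {
        'selection': {'Image|endswith': '/esxcli', 'CommandLine|contains|all': ['vm process', 'kill']},
        'condition': 'selection',
    },
}
EVTX_DELETED = {
    'logsource': {'category': 'file_delete', 'product': 'windows'},
    'detection': {
        'selection': {'TargetFilename|startswith': 'C:\\Windows\\System32\\winevt\\Logs\\',
                      'TargetFilename|endswith': '.evtx'},
        'condition': 'selection',
    },
}


def _quote(s):
    """XQL string literal; assumes backslash escaping as in C-style dialects."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def _clause(key, values):
    """One 'Field|mods' entry -> XQL. Values are lower-cased because Sigma matching is case-insensitive."""
    field, *mods = key.split('|')
    col = 'lowercase(%s)' % FIELDS[field]
    values = values if isinstance(values, list) else [values]
    terms = []
    for v in values:
        v = str(v).lower()
        if 'contains' in mods:
            terms.append('%s contains %s' % (col, _quote(v)))
        elif 'startswith' in mods:
            terms.append('%s ~= %s' % (col, _quote('^' + re.escape(v))))
        elif 'endswith' in mods:
            terms.append('%s ~= %s' % (col, _quote(re.escape(v) + '$')))
        else:
            terms.append('%s = %s' % (col, _quote(v)))
    if len(terms) == 1:
        return terms[0]
    return '(' + (' and ' if 'all' in mods else ' or ').join(terms) + ')'


def _selection(sel):
    """A map is AND-ed over its fields; a list of maps is OR-ed."""
    if isinstance(sel, list):
        return '(' + ' or '.join(_selection(s) for s in sel) + ')'
    return '(' + ' and '.join(_clause(k, v) for k, v in sel.items()) + ')'


def _condition(cond, det):
    """Substitute selection names and `all of X_*` / `1 of X_*` groups; and/or/not/parentheses pass through."""
    toks = re.findall(r'\(|\)|[^\s()]+', cond)
    out, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t in ('all', '1') and i + 2 < len(toks) and toks[i + 1] == 'of':
            rx = re.compile('^' + re.escape(toks[i + 2]).replace('\\*', '.*') + '$')
            parts = [_selection(det[n]) for n in det if n != 'condition' and rx.match(n)]
            out.append('(' + (' and ' if t == 'all' else ' or ').join(parts) + ')')
            i += 3
        elif t in det and t != 'condition':
            out.append(_selection(det[t]))
            i += 1
        else:
            out.append(t)
            i += 1
    return ' '.join(out)


def _columns(det):
    """Every xdr_data column the detection references, for the trailing `| fields` stage."""
    cols = set()
    for name, sel in det.items():
        if name != 'condition':
            for m in (sel if isinstance(sel, list) else [sel]):
                cols.update(FIELDS[k.split('|')[0]] for k in m)
    return sorted(cols)


def render(rule):
    """Render one rule (logsource + detection) as a pasteable XQL query."""
    ls, det = rule['logsource'], rule['detection']
    return '\n'.join([
        'dataset = xdr_data',
        '| filter ' + LOGSOURCE[(ls['category'], ls['product'])],
        '| filter ' + _condition(det['condition'], det),
        '| fields agent_hostname, ' + ', '.join(_columns(det)),
    ])


if __name__ == '__main__':
    for r in (ESXI_VM_KILL, EVTX_DELETED):
        print(render(r), end='\n\n')
```

Two design points worth keeping when you adapt this: the logsource is rendered as its own `| filter` stage so a schema mismatch shows up as zero rows rather than as a silently broad query, and the case-folding is explicit, since a backend that drops Sigma's case-insensitivity will miss `ESXCLI VM PROCESS KILL` while the generic rule would not.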
Level: medium · Quality: Strong · Alert volume: Medium FP
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Sigma YAML:
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    powershell_module:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
    cmd_execution:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'pester'
            - ';'
    get_help:
        CommandLine|contains:
            - 'help'
            - '\?'
    condition: powershell_module or (cmd_execution and get_help)
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Sigma YAML:
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
      type: similar
status: test
description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_module:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Pester for writing tests for PowerShell scripts and modules
level: medium
Level: medium · Quality: Strong · Alert volume: High FP
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
Sigma YAML:
title: Execute Files with Msdeploy.exe
id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
status: test
description: Detects file execution using the msdeploy.exe lolbin
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/
    - https://twitter.com/pabraeken/status/995837734379032576
    - https://twitter.com/pabraeken/status/999090532839313408
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'verb:sync'
            - '-source:RunCommand'
            - '-dest:runCommand'
        Image|endswith: '\msdeploy.exe'
    condition: selection
falsepositives:
    - System administrator Usage
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Sigma YAML:
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_stream:
        CommandLine|contains: 'txt:'
    selection_tools_type:
        CommandLine|contains|all:
            - 'type '
            - ' > '
    selection_tools_makecab:
        CommandLine|contains|all:
            - 'makecab '
            - '.cab'
    selection_tools_reg:
        CommandLine|contains|all:
            - 'reg '
            - ' export '
    selection_tools_regedit:
        CommandLine|contains|all:
            - 'regedit '
            - ' /E '
    selection_tools_esentutl:
        CommandLine|contains|all:
            - 'esentutl '
            - ' /y '
            - ' /d '
            - ' /o '
    condition: selection_stream and (1 of selection_tools_*)
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors
Sigma YAML:
title: Execution From Webserver Root Folder
id: 35efb964-e6a5-47ad-bbcd-19661854018d
status: test
description: |
    Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2024-01-18
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\wwwroot\'
            - '\wmpub\'
            - '\htdocs\'
    filter_main_generic:
        Image|contains:
            - 'bin\'
            - '\Tools\'
            - '\SMSComponent\'
        ParentImage|endswith: '\services.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Various applications
    - Tools that include ping or nslookup command invocations
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Sigma YAML:
title: Execution Of Script Located In Potentially Suspicious Directory
id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
status: test
description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    selection_flag:
        CommandLine|contains: ' -c '
    selection_paths:
        # Note: Add more suspicious paths
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
Exploit for CVE-2017-0261
Detects Winword starting the uncommon child process FLTLDR.exe, as used in exploits for CVE-2017-0261 and CVE-2017-0262
Sigma YAML:
title: Exploit for CVE-2017-0261
id: 864403a1-36c9-40a2-a982-4c9a45f7d833
status: test
description: Detects Winword starting the uncommon child process FLTLDR.exe, as used in exploits for CVE-2017-0261 and CVE-2017-0262
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-0261
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|contains: '\FLTLDR.exe'
    condition: selection
falsepositives:
    - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
Sigma YAML:
title: Explorer Process Tree Break
id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
status: test
description: |
    Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,
    which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
references:
    - https://twitter.com/CyberRaiju/status/1273597319322058752
    - https://twitter.com/bohops/status/1276357235954909188?s=12
    - https://twitter.com/nas_bench/status/1535322450858233858
    - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
date: 2019-06-29
modified: 2025-10-31
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # Note: See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference
    selection_factory:
        CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This catches the new explorer instance spawning, which indicates a process-tree break, but not the executing process; for that you need historical data
    selection_root:
        CommandLine|contains: 'explorer.exe'
        CommandLine|contains|windash: ' /root,'
    # There are almost infinite possibilities to spawn from explorer; the "/root" flag is just an example.
    # It's better to be able to look at the process tree for explorer processes with "weird" flags in order to catch this technique.
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Alert volume: Medium FP
File Deleted Via Sysinternals SDelete
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
Sigma YAML:
title: File Deleted Via Sysinternals SDelete
id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
status: test
description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/9
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith:
            - '.AAA'
            - '.ZZZ'
    filter_wireshark:
        TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate usage
level: medium
Level: medium · Quality: Strong · Alert volume: Medium FP
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Sigma YAML:
title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
    - https://twitter.com/mrd0x/status/1478116126005641220
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2025-10-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
    selection_http:
        CommandLine|contains: 'http'
    selection_extensions:
        - CommandLine|endswith:
              - '.7z'
              - '.dat'
              - '.dll'
              - '.exe'
              - '.hta'
              - '.ps1'
              - '.psm1'
              - '.txt'
              - '.vbe'
              - '.vbs'
              - '.zip'
        - CommandLine|contains:
              - '.7z"'
              - '.dat"'
              - '.dll"'
              - '.hta"'
              - '.ps1"'
              - '.psm1"'
              - '.txt"'
              - '.vbe"'
              - '.vbs"'
              - '.zip"'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
medium
Moderate
High FP
File Download Via Curl.EXE
Detects file download using curl.exe
view Sigma YAML
title: File Download Via Curl.EXE
id: 9a517fca-4ba3-4629-9278-a68694697b81
related:
    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
      type: derived
    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
      type: derived
status: test
description: Detects file download using curl.exe
references:
    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
author: Florian Roth (Nextron Systems)
date: 2022-07-05
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_remote:
        CommandLine|contains:
            - ' -O' # covers the alias for --remote-name and --output
            - '--remote-name'
            - '--output'
    condition: all of selection_*
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
    - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download a specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
level: medium
Convert to SIEM query
medium
Strong
Medium FP
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
view Sigma YAML
title: File Download Via Nscurl - MacOS
id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
status: test
description: Detects the execution of the nscurl utility in order to download files.
references:
    - https://www.loobins.io/binaries/nscurl/
    - https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
    - https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
author: Daniel Cortez
date: 2024-06-04
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/nscurl'
        CommandLine|contains:
            - '--download '
            - '--download-directory '
            - '--output '
            - '-dir '
            - '-dl '
            - '-ld'
            - '-o '
    condition: selection
falsepositives:
    - Legitimate usage of nscurl by administrators and users.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
File Time Attribute Change
Detects file time attribute changes used to hide new files or changes to existing files
view Sigma YAML
title: File Time Attribute Change
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
description: Detects file time attribute changes used to hide new files or changes to existing files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
author: Igor Fits, Mikhail Larin, oscd.community
date: 2020-10-19
modified: 2022-01-12
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/touch'
        CommandLine|contains:
            - '-t'
            - '-acmr'
            - '-d'
            - '-r'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
File or Folder Permissions Modifications
Detects a file or folder's permissions being modified or tampered with.
view Sigma YAML
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: test
description: Detects a file or folder's permissions being modified or tampered with.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
    - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-23
modified: 2023-11-21
tags:
    - attack.defense-impairment
    - attack.t1222.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        Image|endswith:
            - '\cacls.exe'
            - '\icacls.exe'
            - '\net.exe' # "grant" option available when used with "net share"
            - '\net1.exe' # "grant" option available when used with "net share"
        CommandLine|contains:
            - '/grant'
            - '/setowner'
            - '/inheritance:r' # Remove all inherited ACEs
    selection_2:
        Image|endswith: '\attrib.exe'
        CommandLine|contains: '-r'
    selection_3:
        Image|endswith: '\takeown.exe' # If this generates FPs in your environment, comment it out or add more suspicious flags and locations
    filter_optional_dynatrace_1:
        CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
    filter_optional_dynatrace_2:
        CommandLine|contains|all:
            - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
            - 'S-1-5-19:F'
    filter_optional_vscode:
        CommandLine|contains:
            - '\AppData\Local\Programs\Microsoft VS Code'
            - ':\Program Files\Microsoft VS Code'
    filter_optional_avira:
        CommandLine|contains:
            - ':\Program Files (x86)\Avira'
            - ':\Program Files\Avira'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Users interacting with the files on their own (unlikely unless privileged users).
    - Dynatrace app
level: medium
Convert to SIEM query
medium
Moderate
High FP
Files With System DLL Name In Unsuspected Locations
Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
view Sigma YAML
title: Files With System DLL Name In Unsuspected Locations
id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
status: test
description: |
    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Add more System DLLs that can be abused for DLL sideloading to increase coverage
            - '\secur32.dll'
            - '\tdh.dll'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Third party software might bundle specific versions of system DLLs.
# Note: Upgrade to high after an initial baseline in your environment.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Files With System Process Name In Unsuspected Locations
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
view Sigma YAML
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by SideWinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes that are updated/installed using msiexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them, or simply filter msiexec on its own if the list grows big.
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline in your environment.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Flush Iptables Ufw Chain
Detects use of iptables to flush all firewall rules, tables and chains, allowing all network traffic
view Sigma YAML
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: test
description: Detects use of iptables to flush all firewall rules, tables and chains, allowing all network traffic
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/iptables'
            - '/xtables-legacy-multi'
            - '/iptables-legacy-multi'
            - '/ip6tables'
            - '/ip6tables-legacy-multi'
    selection_params:
        CommandLine|contains:
            - '-F'
            - '-Z'
            - '-X'
    selection_ufw:
        CommandLine|contains:
            - 'ufw-logging-deny'
            - 'ufw-logging-allow'
            - 'ufw6-logging-deny'
            - 'ufw6-logging-allow'
            # - 'ufw-reject-output'
            # - 'ufw-track-inputt'
    condition: all of selection_*
falsepositives:
    - Network administrators
level: medium
Convert to SIEM query
medium
Moderate
High FP
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
view Sigma YAML
title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
    - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
      type: similar
    - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
      type: similar
    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
      type: similar
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-20
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1074.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
            - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
            - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Forest Blizzard APT - JavaScript Constrained File Creation
Detects the creation of JavaScript files inside of the DriverStore directory.
Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
view Sigma YAML
title: Forest Blizzard APT - JavaScript Constrained File Creation
id: ec7c4e9b-9bc9-47c7-a32f-b53b598da642
status: test
description: |
    Detects the creation of JavaScript files inside of the DriverStore directory.
    Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
tags:
    - attack.defense-impairment
    - attack.t1685.001
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\DriverStore\FileRepository\'
        TargetFilename|endswith: '\.js'
    condition: selection
falsepositives:
    - Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
GatherNetworkInfo.VBS Reconnaissance Script Output
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
view Sigma YAML
title: GatherNetworkInfo.VBS Reconnaissance Script Output
id: f92a6f1e-a512-4a15-9735-da09e78d7273
related:
    - id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
      type: similar
    - id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
      type: similar
status: test
description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
references:
    - https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
    - https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.discovery
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config'
        TargetFilename|endswith:
            - '\Hotfixinfo.txt'
            - '\netiostate.txt'
            - '\sysportslog.txt'
            - '\VmSwitchLog.evtx'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
GoToAssist Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: GoToAssist Temporary Installation Artefact
id: 5d756aee-ad3e-4306-ad95-cb1abec48de2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
author: frack113
date: 2022-02-13
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Expert\'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
view Sigma YAML
title: Gpresult Display Group Policy Information
id: e56d3073-83ff-4021-90fe-c658e0709e72
status: test
description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: frack113
date: 2022-05-01
tags:
    - attack.discovery
    - attack.t1615
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\gpresult.exe'
        CommandLine|contains:
            - '/z'
            - '/v'
    condition: selection
falsepositives:
    - Unknown
level: medium
simulation:
    - type: atomic-red-team
      name: Display group policy information via gpresult
      technique: T1615
      atomic_guid: 0976990f-53b1-4d3f-a185-6df5be429d3b
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_gpresult_execution/info.yml
Convert to SIEM query
medium
Moderate
High FP
Group Has Been Deleted Via Groupdel
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
view Sigma YAML
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: test
description: Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/groupdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
view Sigma YAML
title: Gzip Archive Decode Via PowerShell
id: 98767d61-b2e8-4d71-b661-e36783ee24c1
status: test
description: Detects attempts of decoding encoded Gzip archives via PowerShell.
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'GZipStream'
            - '::Decompress'
    condition: selection
falsepositives:
    - Legitimate administrative scripts may use this functionality. Use "ParentImage" in combination with the script names and allowed users and applications to filter legitimate executions
level: medium
Convert to SIEM query
medium
Strong
Medium FP
HackTool - Jlaive In-Memory Assembly Execution
Detects the use of Jlaive to execute assemblies in a copied PowerShell
view Sigma YAML
title: HackTool - Jlaive In-Memory Assembly Execution
id: 0a99eb3e-1617-41bd-b095-13dc767f3def
status: test
description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
references:
    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-24
modified: 2023-02-22
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    parent_selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|endswith: '.bat'
    selection1:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'powershell.exe'
            - '.bat.exe'
    selection2:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all:
            - 'pwsh.exe'
            - '.bat.exe'
    selection3:
        Image|endswith: '\attrib.exe'
        CommandLine|contains|all:
            - '+s'
            - '+h'
            - '.bat.exe'
    condition: parent_selection and (1 of selection*)
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
HackTool - LaZagne Execution
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.
LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
view Sigma YAML
title: HackTool - LaZagne Execution
id: c2b86e67-b880-4eec-b045-50bc98ef4844
status: experimental
description: |
    Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.
    LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
references:
    - https://github.com/AlessandroZ/LaZagne/tree/master
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/
    - https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/
    - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-06-24
modified: 2025-10-07
tags:
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img_metadata:
        Image|endswith: '\lazagne.exe'
    selection_img_cli:
        # Note: This selection can be prone to FP. An initial baseline is required
        Image|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\$Recycle.bin'
            - '\AppData\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Links\'
            - '\Music\'
            - '\Photos\'
            - '\Pictures\'
            - '\Saved Games\'
            - '\Searches\'
            - '\Users\Contacts\'
            - '\Users\Default\'
            - '\Users\Searches\'
            - '\Videos\'
            - '\Windows\addins\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
        CommandLine|endswith:
            - '.exe all'
            - '.exe browsers'
            - '.exe chats'
            - '.exe databases'
            - '.exe games'
            - '.exe git'
            - '.exe mails'
            - '.exe maven'
            - '.exe memory'
            - '.exe multimedia'
            # - '.exe php' # Might be prone to FP
            # - '.exe svn' # Might be prone to FP
            - '.exe sysadmin'
            - '.exe unused'
            - '.exe wifi'
            - '.exe windows'
    selection_cli_modules:
        CommandLine|contains:
            - ' all '
            - ' browsers '
            - ' chats '
            - ' databases '
            - ' games '
            - ' mails '
            - ' maven '
            - ' memory '
            - ' multimedia '
            - ' php '
            - ' svn '
            - ' sysadmin '
            - ' unused '
            - ' wifi '
    selection_cli_options:
        CommandLine|contains:
            - '-1Password'
            - '-apachedirectorystudio'
            - '-autologon'
            - '-ChromiumBased'
            - '-coreftp'
            - '-credfiles'
            - '-credman'
            - '-cyberduck'
            - '-dbvis'
            - '-EyeCon'
            - '-filezilla'
            - '-filezillaserver'
            - '-ftpnavigator'
            - '-galconfusion'
            - '-gitforwindows'
            - '-hashdump'
            - '-iisapppool'
            - '-IISCentralCertP'
            - '-kalypsomedia'
            - '-keepass'
            - '-keepassconfig'
            - '-lsa_secrets'
            - '-mavenrepositories'
            - '-memory_dump'
            - '-Mozilla'
            - '-mRemoteNG'
            - '-mscache'
            - '-opensshforwindows'
            - '-openvpn'
            - '-outlook'
            - '-pidgin'
            - '-postgresql'
            - '-psi-im'
            - '-puttycm'
            - '-pypykatz'
            - '-Rclone'
            - '-rdpmanager'
            - '-robomongo'
            - '-roguestale'
            - '-skype'
            - '-SQLDeveloper'
            - '-squirrel'
            - '-tortoise'
            - '-turba'
            - '-UCBrowser'
            - '-unattended'
            - '-vault'
            - '-vaultfiles'
            - '-vnc'
            - '-winscp'
    condition: 1 of selection_img_* or all of selection_cli_*
falsepositives:
    - Some false positives are expected from tools with similar command line flags.
# Note: Increase the level to "high" after an initial baseline
level: medium
Convert to SIEM query
medium
Moderate
High FP
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: HackTool - WinRM Access Via Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: test
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
    - https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022-01-07
modified: 2023-02-13
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ruby.exe'
        CommandLine|contains|all:
            - '-i '
            - '-u '
            - '-p '
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the window from the user upon execution.
view Sigma YAML
title: Headless Process Launched Via Conhost.EXE
id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
related:
    - id: 056c7317-9a09-4bd4-9067-d051312752ea
      type: derived
status: test
description: |
    Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
    The "--headless" flag hides the window from the user upon execution.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-23
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\conhost.exe'
        ParentCommandLine|contains: '--headless'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
    Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
    When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
    - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
    - https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/chflags'
        CommandLine|contains: 'hidden '
    condition: selection
falsepositives:
    - Legitimate usage of chflags by administrators and users.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Hidden Powershell in Link File Pattern
Detects events that appear when a user clicks on a link file with a PowerShell command in it
view Sigma YAML
title: Hidden Powershell in Link File Pattern
id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
status: test
description: Detects events that appear when a user clicks on a link file with a PowerShell command in it
references:
    - https://www.x86matthew.com/view_post?id=embed_exe_lnk
author: frack113
date: 2022-02-06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: C:\Windows\explorer.exe
        Image: C:\Windows\System32\cmd.exe
        CommandLine|contains|all:
            - 'powershell'
            - '.lnk'
    condition: selection
falsepositives:
    - Legitimate commands in .lnk files
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option
title: Hidden User Creation
id: b22a5b36-2431-493a-8be1-0bae56c28ef3
status: test
description: Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-10
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1564.002
logsource:
    category: process_creation
    product: macos
detection:
    dscl_create:
        Image|endswith: '/dscl'
        CommandLine|contains: 'create'
    id_below_500:
        CommandLine|contains: UniqueID
        CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
    ishidden_option_declaration:
        CommandLine|contains: 'IsHidden'
    ishidden_option_confirmation:
        CommandLine|contains:
            - 'true'
            - 'yes'
            - '1'
    condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
falsepositives:
    - Legitimate administration activities
level: medium
medium
Strong
High FP
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
    - id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
      type: similar
status: test
description: |
    Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
references:
    - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
    - https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
    - https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1564.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
            - 'add'
            - '/v'
            - '/d 0'
    condition: selection
falsepositives:
    - System administrator activities
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
medium
Moderate
Medium FP
IE Change Domain Zone
Hides the file extension through modification of the registry
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
related:
    - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
      type: derived
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    filter:
        Details:
            - DWORD (0x00000000) # My Computer
            - DWORD (0x00000001) # Local Intranet Zone
            - '(Empty)'
    condition: selection_domains and not filter
falsepositives:
    - Administrative scripts
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml
simulation:
    - type: atomic-red-team
      name: Add Domain to Trusted Sites Zone
      technique: T1112
      atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57
medium
Moderate
Medium FP
IIS WebServer Access Logs Deleted
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
related:
    - id: 0649be4a-aeb0-45b0-b89e-7f1668f6d9c0
      type: similar
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
    - https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|contains: '\inetpub\logs\LogFiles\'
        TargetFilename|endswith: '.log'
    condition: selection
falsepositives:
    - During uninstallation of the IIS service
    - During log rotation
level: medium
medium
Strong
Medium FP
ISO or Image Mount Indicator in Recent Files
Detects the creation of a recent-element file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks.
This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
    Detects the creation of a recent-element file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks.
    This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022-02-11
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.iso.lnk'
            - '.img.lnk'
            - '.vhd.lnk'
            - '.vhdx.lnk'
        TargetFilename|contains: '\Microsoft\Windows\Recent\'
    condition: selection
falsepositives:
    - Cases in which a user mounts an image file for legitimate reasons
level: medium
medium
Moderate
High FP
Import PowerShell Modules From Suspicious Directories - ProcCreation
Detects PowerShell scripts that import modules from suspicious directories
title: Import PowerShell Modules From Suspicious Directories - ProcCreation
id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
related:
    - id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
      type: similar
status: test
description: Detects PowerShell scripts that import modules from suspicious directories
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Import-Module "$Env:Temp\'
            - Import-Module '$Env:Temp\
            - 'Import-Module $Env:Temp\'
            - 'Import-Module "$Env:Appdata\'
            - Import-Module '$Env:Appdata\
            - 'Import-Module $Env:Appdata\'
            - 'Import-Module C:\Users\Public\'
            # Import-Module alias is "ipmo"
            - 'ipmo "$Env:Temp\'
            - ipmo '$Env:Temp\
            - 'ipmo $Env:Temp\'
            - 'ipmo "$Env:Appdata\'
            - ipmo '$Env:Appdata\
            - 'ipmo $Env:Appdata\'
            - 'ipmo C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: medium