Sigma (generic) detection rules
341 rules indexed · SIEM-agnostic detection content
Sigma is the open, generic signature format for SIEM systems. Each rule below is listed with its level, title and description, followed by the rule's raw YAML, which can be converted to the native query syntax of a given SIEM.
Detection rules
50 shown of 341
low
Cisco Discovery
Find information about network devices that is not stored in config files
title: Cisco Discovery
id: 9705a6a1-6db6-4a16-a987-15b7151e299b
status: test
description: Find information about network devices that is not stored in config files
references:
    - https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.t1083
    - attack.t1201
    - attack.t1057
    - attack.t1018
    - attack.t1082
    - attack.t1016
    - attack.t1049
    - attack.t1033
    - attack.t1124
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'dir'
        - 'show arp'
        - 'show cdp'
        - 'show clock'
        - 'show ip interface'
        - 'show ip route'
        - 'show ip sockets'
        - 'show processes'
        - 'show ssh'
        - 'show users'
        - 'show version'
    condition: keywords
falsepositives:
    - Commonly used by administrators for troubleshooting
level: low
low
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
    - https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1078
    - attack.t1110
    - attack.t1557
logsource:
    product: cisco
    service: ldp
    definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
    selection_protocol:
        - 'LDP'
    selection_keywords:
        - 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
        - 'TCPMD5AuthenFail'
    condition: selection_protocol and selection_keywords
falsepositives:
    - Unlikely. Except due to misconfigurations
level: low
low
Cisco Stage Data
Various protocols may be used to put data on the device for exfil or infil
title: Cisco Stage Data
id: 5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59
status: test
description: Various protocols may be used to put data on the device for exfil or infil
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.command-and-control
    - attack.exfiltration
    - attack.t1074
    - attack.t1105
    - attack.t1560.001
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'tftp'
        - 'rcp'
        - 'puts'
        - 'copy'
        - 'configure replace'
        - 'archive tar'
    condition: keywords
falsepositives:
    - Generally used to copy configs or IOS images
level: low
low
Cleartext Protocol Usage
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.
title: Cleartext Protocol Usage
id: d7fb8f0e-bd5f-45c2-b467-19571c490d7e
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that encryption is used for all sensitive information in transit. Ensure that encrypted channels are used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime, Tim Shelton
date: 2019-03-26
modified: 2022-10-10
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    category: firewall
detection:
    selection:
        dst_port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 3306
            - 1433
            - 11211
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    selection_allow1:
        action:
            - forward
            - accept
            - 2
    selection_allow2:
        blocked: "false" # not all fws set action value, but are set to mark as blocked or allowed or not
    condition: selection and 1 of selection_allow*
falsepositives:
    - Unknown
level: low
low
Cleartext Protocol Usage Via Netflow
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that encryption is used for all sensitive information in transit.
Ensure that encrypted channels are used for all administrative account access.
title: Cleartext Protocol Usage Via Netflow
id: 7e4bfe58-4a47-4709-828d-d86c78b7cc1f
status: stable
description: |
    Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
    Ensure that encryption is used for all sensitive information in transit.
    Ensure that encrypted channels are used for all administrative account access.
references:
    - https://www.cisecurity.org/controls/cis-controls-list/
    - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
    - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
author: Alexandr Yampolskyi, SOC Prime
date: 2019-03-26
modified: 2022-11-18
tags:
    - attack.credential-access
    # - CSC4
    # - CSC4.5
    # - CSC14
    # - CSC14.4
    # - CSC16
    # - CSC16.5
    # - NIST CSF 1.1 PR.AT-2
    # - NIST CSF 1.1 PR.MA-2
    # - NIST CSF 1.1 PR.PT-3
    # - NIST CSF 1.1 PR.AC-1
    # - NIST CSF 1.1 PR.AC-4
    # - NIST CSF 1.1 PR.AC-5
    # - NIST CSF 1.1 PR.AC-6
    # - NIST CSF 1.1 PR.AC-7
    # - NIST CSF 1.1 PR.DS-1
    # - NIST CSF 1.1 PR.DS-2
    # - ISO 27002-2013 A.9.2.1
    # - ISO 27002-2013 A.9.2.2
    # - ISO 27002-2013 A.9.2.3
    # - ISO 27002-2013 A.9.2.4
    # - ISO 27002-2013 A.9.2.5
    # - ISO 27002-2013 A.9.2.6
    # - ISO 27002-2013 A.9.3.1
    # - ISO 27002-2013 A.9.4.1
    # - ISO 27002-2013 A.9.4.2
    # - ISO 27002-2013 A.9.4.3
    # - ISO 27002-2013 A.9.4.4
    # - ISO 27002-2013 A.8.3.1
    # - ISO 27002-2013 A.9.1.1
    # - ISO 27002-2013 A.10.1.1
    # - PCI DSS 3.2 2.1
    # - PCI DSS 3.2 8.1
    # - PCI DSS 3.2 8.2
    # - PCI DSS 3.2 8.3
    # - PCI DSS 3.2 8.7
    # - PCI DSS 3.2 8.8
    # - PCI DSS 3.2 1.3
    # - PCI DSS 3.2 1.4
    # - PCI DSS 3.2 4.3
    # - PCI DSS 3.2 7.1
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
logsource:
    service: netflow
detection:
    selection:
        destination.port:
            - 8080
            - 21
            - 80
            - 23
            - 50000
            - 1521
            - 27017
            - 1433
            - 11211
            - 3306
            - 15672
            - 5900
            - 5901
            - 5902
            - 5903
            - 5904
    condition: selection
falsepositives:
    - Unknown
level: low
low
Clipboard Collection of Image Data with Xclip Tool
Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.
Xclip has to be installed.
Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
title: Clipboard Collection of Image Data with Xclip Tool
id: f200dc3f-b219-425d-a17e-c38467364816
status: test
description: |
    Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.
    Xclip has to be installed.
    Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
author: 'Pawel Mazur'
date: 2021-10-01
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-t'
        a4|startswith: 'image/'
        a5: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
low
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.
    Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|contains: 'xclip'
        CommandLine|contains|all:
            - '-sel'
            - 'clip'
            - '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools.
level: low
low
Clipboard Collection with Xclip Tool - Auditd
Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.
Xclip has to be installed.
Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
title: Clipboard Collection with Xclip Tool - Auditd
id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.
    Xclip has to be installed.
    Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
references:
    - https://linux.die.net/man/1/xclip
    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
author: 'Pawel Mazur'
date: 2021-09-24
modified: 2022-11-26
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: xclip
        a1:
            - '-selection'
            - '-sel'
        a2:
            - clipboard
            - clip
        a3: '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools
level: low
low
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
This event is best correlated with EID 3089 to determine the error of the validation.
title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
id: f8931561-97f5-4c46-907f-0a4a592e47a7
status: experimental
description: |
    Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
    This event is best correlated with EID 3089 to determine the error of the validation.
references:
    - https://twitter.com/SBousseaden/status/1483810148602814466
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-20
modified: 2025-02-28
tags:
    - attack.execution
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3033 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.
            - 3034 # Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.
    filter_optional_dtrace:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\DTrace\dtrace.dll that did not meet the Windows signing level requirements.
        FileNameBuffer|endswith: '\Program Files\DTrace\dtrace.dll'
        ProcessNameBuffer|endswith: '\Windows\System32\svchost.exe'
        RequestedPolicy: 12
    filter_optional_av_generic:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_36fb67bd6dbd887d\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.
        FileNameBuffer|contains: '\Windows\System32\DriverStore\FileRepository\'
        FileNameBuffer|endswith: '\igd10iumd64.dll'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_electron_based_app:
        # Example: Code Integrity determined that a process (\Device\HarddiskVolume5\Users\user\AppData\Local\Keybase\Gui\Keybase.exe) attempted to load \Device\HarddiskVolume5\Windows\System32\nvspcap64.dll that did not meet the Microsoft signing level requirements.
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|endswith:
            - '\AppData\Local\Keybase\Gui\Keybase.exe'
            - '\Microsoft\Teams\stage\Teams.exe'
        RequestedPolicy: 8
    filter_optional_bonjour:
        FileNameBuffer|endswith: '\Program Files\Bonjour\mdnsNSP.dll'
        ProcessNameBuffer|endswith:
            - '\Windows\System32\svchost.exe'
            - '\Windows\System32\SIHClient.exe'
        RequestedPolicy:
            - 8
            - 12
    filter_optional_msoffice_1:
        FileNameBuffer|contains: '\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE'
        FileNameBuffer|endswith: '\MSOXMLMF.DLL'
        # ProcessNameBuffer is AV products
        RequestedPolicy: 7
    filter_optional_msoffice_2:
        ProcessNameBuffer|contains: '\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office'
        FileNameBuffer|contains: '\Windows\System32\'
        RequestedPolicy: 8
    filter_optional_slack:
        # Example: https://user-images.githubusercontent.com/112784902/197407680-96d4b662-8a59-4289-a483-b24d630ac2a9.png
        # Even though it's the same DLL as the one used in the electron based app filter. We need to do a separate selection due to slack's folder naming convention with the version number :)
        FileNameBuffer|endswith: '\Windows\System32\nvspcap64.dll'
        ProcessNameBuffer|contains: '\AppData\Local\slack\app-'
        ProcessNameBuffer|endswith: '\slack.exe'
        RequestedPolicy: 8
    filter_optional_firefox:
        # Example: https://user-images.githubusercontent.com/62423083/197451483-70e89010-ed96-4357-8079-b5a061a239d6.png
        FileNameBuffer|endswith:
            - '\Mozilla Firefox\mozavcodec.dll'
            - '\Mozilla Firefox\mozavutil.dll'
        ProcessNameBuffer|endswith: '\Mozilla Firefox\firefox.exe'
        RequestedPolicy: 8
    filter_optional_avast:
        FileNameBuffer|endswith:
            - '\Program Files\Avast Software\Avast\aswAMSI.dll'
            - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll'
        RequestedPolicy:
            - 8
            - 12
    filter_main_gac:
        # Filtering the path containing this string because of multiple possible DLLs in that location
        FileNameBuffer|contains: '\Windows\assembly\GAC\'
        ProcessNameBuffer|endswith: '\mscorsvw.exe'
        ProcessNameBuffer|contains: '\Windows\Microsoft.NET\'
        RequestedPolicy: 8
    filter_optional_google_drive:
        # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe
        FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\'
        FileNameBuffer|endswith: '\crashpad_handler.exe'
        ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe'
        RequestedPolicy: 8
    filter_optional_trend_micro:
        FileNameBuffer|endswith: '\Trend Micro\Client Server Security Agent\perficrcperfmonmgr.dll'
        RequestedPolicy: 8
    filter_optional_mdns_responder:
        # No trailing space inside the value: an 'endswith' pattern ending in a space would never match the real path
        FileNameBuffer|endswith: '\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll'
    filter_optional_mcafee:
        FileNameBuffer|endswith:
            - '\Program Files\McAfee\Endpoint Security\Threat Prevention\MfeAmsiProvider.dll'
            - '\Program Files\McAfee\MfeAV\AMSIExt.dll'
    filter_optional_eset:
        FileNameBuffer|endswith: '\Program Files\ESET\ESET Security\eamsi.dll'
    filter_optional_comodo:
        FileNameBuffer|endswith: '\Program Files\comodo\comodo internet security\amsiprovider_x64.dll'
    filter_optional_sentinel_one:
        # Example: program files\sentinelone\sentinel agent 23.4.4.223\inprocessclient64.dll
        - FileNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
        # Example: Program Files\SentinelOne\Sentinel Agent 23.4.4.223\SentinelAgent.exe
        - ProcessNameBuffer|contains: '\Program Files\SentinelOne\Sentinel Agent'
    filter_optional_national_instruments:
        # Example: \device\harddiskvolume3\program files\national instruments\shared\mdns responder\nimdnsnsp.dll
        FileNameBuffer|contains: '\National Instruments\Shared\mDNS Responder\'
    filter_optional_kaspersky:
        # Example: \Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\x64\antimalware_provider.dll
        - ProcessNameBuffer|contains|all:
            - '\Kaspersky Lab\'
            - '\avp.exe'
        - FileNameBuffer|contains|all:
            - '\Kaspersky Lab\'
            - '\antimalware_provider.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus and other third party products are known to trigger this rule quite a lot. Initial filters and tuning is required before using this rule.
level: low
low
CodePage Modification Via MODE.COM
Detects a CodePage modification using the "mode.com" utility.
This behavior has been used by threat actors behind Dharma ransomware.
title: CodePage Modification Via MODE.COM
id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
related:
    - id: 12fbff88-16b5-4b42-9754-cd001a789fb3
      type: derived
status: test
description: |
    Detects a CodePage modification using the "mode.com" utility.
    This behavior has been used by threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-19
tags:
    - attack.stealth
    - attack.t1036
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
title: Command Executed Via Run Dialog Box - Registry
id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
related:
    - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - detection.threat-hunting
    - attack.execution
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    filter_main_mrulist:
        TargetObject|endswith: '\MRUList'
    filter_optional_ping:
        Details|contains: 'ping'
    filter_optional_generic:
        Details:
            - '%appdata%\1'
            - '%localappdata%\1'
            - '%public%\1'
            - '%temp%\1'
            - 'calc\1'
            - 'dxdiag\1'
            - 'explorer\1'
            - 'gpedit.msc\1'
            - 'mmc\1'
            - 'notepad\1'
            - 'regedit\1'
            - 'services.msc\1'
            - 'winver\1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
low
Compress-Archive Cmdlet Execution
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
title: Compress-Archive Cmdlet Execution
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: test
description: |
    Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
    An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-12-15
tags:
    - attack.exfiltration
    - attack.collection
    - attack.t1560
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Compress-Archive'
    condition: selection
falsepositives:
    - Likely
level: low
low
Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
title: Compressed File Creation Via Tar.EXE
id: 418a3163-3247-4b7b-9933-dcfcb7c52ea9
status: test
description: |
    Detects execution of "tar.exe" in order to create a compressed file.
    Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: Nasreddine Bencherchali (Nextron Systems), AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_create:
        CommandLine|contains:
            - '-c'
            - '-r'
            - '-u'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
low
Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" in order to extract compressed file.
Adversaries may abuse various utilities in order to decompress data to avoid detection.
title: Compressed File Extraction Via Tar.EXE
id: bf361876-6620-407a-812f-bfe11e51e924
status: test
description: |
    Detects execution of "tar.exe" in order to extract a compressed file.
    Adversaries may abuse various utilities in order to decompress data to avoid detection.
references:
    - https://unit42.paloaltonetworks.com/chromeloader-malware/
    - https://lolbas-project.github.io/lolbas/Binaries/Tar/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
author: AdmU3
date: 2023-12-19
tags:
    - attack.collection
    - attack.exfiltration
    - attack.t1560
    - attack.t1560.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tar.exe'
        - OriginalFileName: 'bsdtar'
    selection_extract:
        CommandLine|contains: '-x'
    condition: all of selection_*
falsepositives:
    - Likely
level: low
low
Connection Proxy
Detects setting proxy configuration
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects setting proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup' # cgroups end in ':/' outside containers
            - '/sched' # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low
Container With A hostPath Mount Created
Detects creation of a container with a hostPath mount.
A hostPath volume mounts a directory or a file from the node to the container.
Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: test
description: |
    Detects creation of a container with a hostPath mount.
    A hostPath volume mounts a directory or a file from the node to the container.
    Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/
    - https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1611
    - attack.privilege-escalation
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        hostPath: '*' # Note: Add the "exists" when it's implemented in SigmaHQ/Aurora
    condition: selection
falsepositives:
    - The DaemonSet controller creates pods with hostPath volumes within the kube-system namespace.
level: low
low
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
    - https://ss64.com/osx/sysadminctl.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2023-02-18
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection_dscl:
        Image|endswith: '/dscl'
        CommandLine|contains: 'create'
    selection_sysadminctl:
        Image|endswith: '/sysadminctl'
        CommandLine|contains: 'addUser'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
low
Creation of an Executable by an Executable
Detects the creation of an executable by another executable.
title: Creation of an Executable by an Executable
id: 297afac9-5d02-4138-8c58-b977bac60556
status: test
description: Detects the creation of an executable by another executable.
references:
    - Internal Research
author: frack113
date: 2022-03-09
modified: 2025-02-24
tags:
    - attack.resource-development
    - attack.t1587.001
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith: '.exe'
    filter_main_generic_1:
        Image|endswith:
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\system32\cleanmgr.exe'
            - ':\Windows\explorer.exe'
            - ':\WINDOWS\system32\dxgiadaptercache.exe'
            - ':\WINDOWS\system32\Dism.exe'
            - ':\Windows\System32\wuauclt.exe'
    filter_main_update:
        # Security_UserID: S-1-5-18
        # Example:
        # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
        Image|endswith: ':\WINDOWS\system32\svchost.exe'
        TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\'
    filter_main_upgrade:
        Image|endswith: ':\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            # Example:
            # This example was seen during windows upgrade
            # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
            - ':\WUDownloadCache\'
            - '\WindowsUpdateBox.exe'
    filter_main_windows_update_box:
        # This FP was seen during Windows Upgrade
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
        Image|contains: ':\WINDOWS\SoftwareDistribution\Download\'
        Image|endswith: '\WindowsUpdateBox.Exe'
        TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
    filter_main_tiworker:
        Image|contains: ':\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_main_programfiles:
        - Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
        - TargetFilename|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_defender:
        Image|contains:
            - ':\ProgramData\Microsoft\Windows Defender\'
            - ':\Program Files\Windows Defender\'
    filter_main_windows_apps:
        TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
            - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
    filter_main_mscorsvw:
        # Example:
        # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
        # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|contains: ':\Windows\assembly\NativeImages_'
    filter_main_vscode:
        Image|contains: '\AppData\Local\'
        Image|endswith: '\Microsoft VS Code\Code.exe'
        TargetFilename|contains: '\.vscode\extensions\'
    filter_main_githubdesktop:
        Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
        # Example TargetFileName:
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
        TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
    filter_main_windows_temp:
        - Image|contains: ':\WINDOWS\TEMP\'
        - TargetFilename|contains: ':\WINDOWS\TEMP\'
    filter_optional_python:
        Image|contains: '\Python27\python.exe'
        TargetFilename|contains:
            - '\Python27\Lib\site-packages\'
            - '\Python27\Scripts\'
            - '\AppData\Local\Temp\'
    filter_optional_squirrel:
        Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
        TargetFilename|contains: '\AppData\Local'
    filter_main_temp_installers:
- Image|contains: '\AppData\Local\Temp\'
- TargetFilename|contains: '\AppData\Local\Temp\'
filter_optional_chrome:
Image|endswith: '\ChromeSetup.exe'
TargetFilename|contains: '\Google'
filter_main_dot_net:
Image|contains: ':\Windows\Microsoft.NET\Framework'
Image|endswith: '\mscorsvw.exe'
TargetFilename|contains: ':\Windows\assembly'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
# Please contribute to FP to increase the level
- Software installers
- Update utilities
- 32bit applications launching their 64bit versions
level: low

Crontab Enumeration
title: Crontab Enumeration
id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
status: test
description: Detects usage of crontab to list the tasks of the user
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1007
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/crontab'
CommandLine|contains: ' -l'
condition: selection
falsepositives:
- Legitimate use of crontab
level: low

Curl Usage on Linux
title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/curl'
condition: selection
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: low

Curl.EXE Execution
title: Curl.EXE Execution
id: bbeaed61-1990-4773-bf57-b81dbad7db2d
related:
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
type: derived
status: test
description: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server
references:
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
author: Florian Roth (Nextron Systems)
date: 2022-07-05
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1105
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
condition: selection
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: low

DD File Overwrite
title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
- attack.impact
- attack.t1485
logsource:
product: linux
category: process_creation
detection:
selection1:
Image:
- '/bin/dd'
- '/usr/bin/dd'
selection2:
CommandLine|contains: 'of='
selection3:
CommandLine|contains:
- 'if=/dev/zero'
- 'if=/dev/null'
condition: all of selection*
falsepositives:
- Any user deleting files that way.
level: low

DMP/HDMP File Creation
title: DMP/HDMP File Creation
id: 3a525307-d100-48ae-b3b9-0964699d7f97
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
- detection.threat-hunting
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '.dmp'
- '.dump'
- '.hdmp'
condition: selection
falsepositives:
- Likely during crashes of software
level: low

DMSA Link Attributes Modified
title: DMSA Link Attributes Modified
id: 9b111d8e-92e0-4153-88bc-daefc1333aba
related:
- id: 6c9eb492-e477-4df9-b0f4-571fc9db29cd # Windows Security Modification of msDS-ManagedAccountPrecededByLink Attribute
type: similar
status: experimental
description: |
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts.
This command line pattern could be an indicator of an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- '.Put("msDS-ManagedAccountPrecededByLink'
- 'CN='
condition: selection
falsepositives:
- Legitimate administrative tasks modifying these attributes.
level: low

DNS Events Related To Mining Pools
title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
- https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
- attack.execution
- attack.t1569.002
- attack.impact
- attack.t1496
logsource:
service: dns
product: zeek
detection:
selection:
query|endswith:
- 'monerohash.com'
- 'do-dear.com'
- 'xmrminerpro.com'
- 'secumine.net'
- 'xmrpool.com'
- 'minexmr.org'
- 'hashanywhere.com'
- 'xmrget.com'
- 'mininglottery.eu'
- 'minergate.com'
- 'moriaxmr.com'
- 'multipooler.com'
- 'moneropools.com'
- 'xmrpool.eu'
- 'coolmining.club'
- 'supportxmr.com'
- 'minexmr.com'
- 'hashvault.pro'
- 'xmrpool.net'
- 'crypto-pool.fr'
- 'xmr.pt'
- 'miner.rocks'
- 'walpool.com'
- 'herominers.com'
- 'gntl.co.uk'
- 'semipool.com'
- 'coinfoundry.org'
- 'cryptoknight.cc'
- 'fairhash.org'
- 'baikalmine.com'
- 'tubepool.xyz'
- 'fairpool.xyz'
- 'asiapool.io'
- 'coinpoolit.webhop.me'
- 'nanopool.org'
- 'moneropool.com'
- 'miner.center'
- 'prohash.net'
- 'poolto.be'
- 'cryptoescrow.eu'
- 'monerominers.net'
- 'cryptonotepool.org'
- 'extrmepool.org'
- 'webcoin.me'
- 'kippo.eu'
- 'hashinvest.ws'
- 'monero.farm'
- 'linux-repository-updates.com'
- '1gh.com'
- 'dwarfpool.com'
- 'hash-to-coins.com'
- 'pool-proxy.com'
- 'hashfor.cash'
- 'fairpool.cloud'
- 'litecoinpool.org'
- 'mineshaft.ml'
- 'abcxyz.stream'
- 'moneropool.ru'
- 'cryptonotepool.org.uk'
- 'extremepool.org'
- 'extremehash.com'
- 'hashinvest.net'
- 'unipool.pro'
- 'crypto-pools.org'
- 'monero.net'
- 'backup-pool.com'
- 'mooo.com' # Dynamic DNS, may want to exclude
- 'freeyy.me'
- 'cryptonight.net'
- 'shscrypto.net'
exclude_answers:
answers:
- '127.0.0.1'
- '0.0.0.0'
exclude_rejected:
rejected: 'true'
condition: selection and not 1 of exclude_*
falsepositives:
- A DNS lookup does not necessarily mean a successful attempt. Verify a) whether there was a response using the Zeek answers field; if there was, verify the connections (conn.log) to those IPs. b) Verify whether there was HTTP, SSL, or TLS activity to the domain that was queried; the http.log field is 'host' and the ssl/tls field is 'server_name'.
level: low

DNS Query Request By QuickAssist.EXE
title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
description: |
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://x.com/cyb3rops/status/1862406110365245506
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
- attack.command-and-control
- attack.initial-access
- attack.lateral-movement
- attack.t1071.001
- attack.t1210
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\QuickAssist.exe'
QueryName|endswith: 'remoteassistance.support.services.microsoft.com'
condition: selection
falsepositives:
- Legitimate use of Quick Assist in the environment.
level: low

DNS Query Request To OneLaunch Update Service
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: test
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
references:
- https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf
- https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/
- https://malware.guide/browser-hijacker/remove-onelaunch-virus/
author: Josh Nickels
date: 2024-02-26
tags:
- attack.credential-access
- attack.collection
- attack.t1056
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName: 'update.onelaunch.com'
Image|endswith: '\OneLaunch.exe'
condition: selection
falsepositives:
- Unlikely
level: low

DNS Query To Ufile.io
title: DNS Query To Ufile.io
id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
related:
- id: 090ffaad-c01a-4879-850c-6d57da98452d
type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: yatinwad, TheDFIRReport
date: 2022-06-23
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low

DNS Query To Ufile.io - DNS Client
title: DNS Query To Ufile.io - DNS Client
id: 090ffaad-c01a-4879-850c-6d57da98452d
related:
- id: 1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b
type: similar
status: test
description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'ufile.io'
condition: selection
falsepositives:
- DNS queries for "ufile" are not malicious by nature necessarily. Investigate the source to determine the necessary actions to take
level: low

DNS Request From Windows Script Host
title: DNS Request From Windows Script Host
id: 12310575-e8b1-475c-a976-57ed540b349c
status: test
description: |
Detects unusual domain resolutions originating from CScript/WScript that can identify malicious JavaScript files executing in an environment, often as a result of a phishing or watering hole attack.
author: Josh Nickels, Marius Rothenbücher
references:
- Internal Research
date: 2024-09-06
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
QueryName|contains: '.' # Ensures that lookups are for external hosts
filter_main_internal_domains: # Populate this placeholder with known and expected internal domains
QueryName|expand: '%internal_domains%'
filter_optional_trusted_domains: # Mostly certificate distribution domains
- QueryName:
- 'crl.starfieldtech.com'
- 'ocsp.usertrust.com'
- 'officecdn.microsoft.com'
- 'oneocsp.microsoft.com'
- 'oscp.comodoca.com'
- 'oscp.sectigo.com'
- 'oscp.starfieldtech.com'
- 'www.python.org'
- QueryName|endswith:
- '.digicert.com'
- '.entrust.net'
- '.globalsign.net'
- '.verisign.com'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Script files making expected domain requests
level: low

DNS Server Discovery Via LDAP Query
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
- attack.discovery
- attack.t1482
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|startswith: '_ldap.'
filter_main_generic:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\'
filter_main_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_unknown:
Image: '<unknown process>'
filter_optional_azure:
Image|startswith: 'C:\WindowsAzure\GuestAgent'
filter_main_null:
Image: null
filter_optional_browsers:
# Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
# Note: Increase the level once a baseline is established
level: low

Data Compressed
title: Data Compressed
id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-07-28
tags:
- attack.exfiltration
- attack.collection
- attack.t1560.001
logsource:
product: linux
service: auditd
detection:
selection1:
type: 'execve'
a0: 'zip'
selection2:
type: 'execve'
a0: 'gzip'
a1: '-k'
selection3:
type: 'execve'
a0: 'tar'
a1|contains: '-c'
condition: 1 of selection*
falsepositives:
- Legitimate use of archiving tools by legitimate user.
level: low

Data Copied To Clipboard Via Clip.EXE
title: Data Copied To Clipboard Via Clip.EXE
id: ddeff553-5233-4ae9-bbab-d64d2bd634be
status: test
description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
author: frack113
date: 2021-07-27
modified: 2023-02-21
tags:
- attack.collection
- attack.t1115
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\clip.exe'
- OriginalFileName: clip.exe
condition: selection
falsepositives:
- Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_clip_execution/info.yml
simulation:
- type: atomic-red-team
name: Utilize Clipboard to store or execute commands from
technique: T1115
atomic_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7

Decode Base64 Encoded Text
title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/base64'
CommandLine|contains: '-d' # Also covers "--decode"
condition: selection
falsepositives:
- Legitimate activities
level: low

Decode Base64 Encoded Text -MacOs
title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: macos
detection:
selection:
Image: '/usr/bin/base64'
CommandLine|contains: '-d'
condition: selection
falsepositives:
- Legitimate activities
level: low

Deployment Deleted From Kubernetes Cluster
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1498
- attack.impact
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'delete'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: low

DirLister Execution
title: DirLister Execution
id: b4dc61f5-6cce-468e-a608-b48b469feaa2
status: test
description: Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md
- https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
author: frack113
date: 2022-08-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'DirLister.exe'
- Image|endswith: '\DirLister.exe'
condition: selection
falsepositives:
- Legitimate use by users
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dirlister_execution/info.yml
simulation:
- type: atomic-red-team
name: Launch DirLister Executable
technique: T1083
atomic_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7

Directory Removal Via Rmdir
title: Directory Removal Via Rmdir
id: 41ca393d-538c-408a-ac27-cf1e038be80c
status: test
description: |
Detects execution of the builtin "rmdir" command in order to delete directories.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
author: frack113
date: 2022-01-15
modified: 2023-03-07
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_rmdir:
CommandLine|contains: 'rmdir'
selection_flags:
CommandLine|contains:
- '/s'
- '/q'
condition: all of selection_*
falsepositives:
- Unknown
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_rmdir_execution/info.yml

Discovery of a System Time
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
- attack.discovery
- attack.t1124
logsource:
category: process_creation
product: windows
detection:
selection_time:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'time'
selection_w32tm:
Image|endswith: '\w32tm.exe'
CommandLine|contains: 'tz'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the system utilities to discover system time for legitimate reason
level: low

Docker Container Discovery Via Dockerenv Listing
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# Note: add additional tools and utilities to increase coverage
- '/cat'
- '/dir'
- '/find'
- '/ls'
- '/stat'
- '/test'
- 'grep'
CommandLine|endswith: '.dockerenv'
condition: selection
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low

Download From Suspicious TLD - Blacklist
title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
- id: b5de2919-b74a-4805-91a7-5049accbaefe
type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
- https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
- https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
- https://www.spamhaus.org/statistics/tlds/
- https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
- attack.initial-access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
logsource:
category: proxy
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
cs-host|endswith:
# Symantec / Chris Larsen analysis
- '.country'
- '.stream'
- '.gdn'
- '.mom'
- '.xin'
- '.kim'
- '.men'
- '.loan'
- '.download'
- '.racing'
- '.online'
- '.science'
- '.ren'
- '.gb'
- '.win'
- '.top'
- '.review'
- '.vip'
- '.party'
- '.tech'
- '.xyz'
- '.date'
- '.faith'
- '.zip'
- '.cricket'
- '.space'
# McAfee report
- '.info'
- '.vn'
- '.cm'
- '.am'
- '.cc'
- '.asia'
- '.ws'
- '.tk'
- '.biz'
- '.su'
- '.st'
- '.ro'
- '.ge'
- '.ms'
- '.pk'
- '.nu'
- '.me'
- '.ph'
- '.to'
- '.tt'
- '.name'
- '.tv'
- '.kz'
- '.tc'
- '.mobi'
# Spamhaus
- '.study'
- '.click'
- '.link'
- '.trade'
- '.accountant'
# Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
- '.cf'
- '.gq'
- '.ml'
- '.ga'
# Custom
- '.pw'
condition: selection
falsepositives:
- All kinds of software downloads
level: low

Download From Suspicious TLD - Whitelist
title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
- id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
- attack.initial-access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
logsource:
category: proxy
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
cs-host|endswith:
- '.com'
- '.org'
- '.net'
- '.edu'
- '.gov'
- '.uk'
- '.ca'
- '.de'
- '.jp'
- '.fr'
- '.au'
- '.us'
- '.ch'
- '.it'
- '.nl'
- '.se'
- '.no'
- '.es'
# Extend this list as needed
condition: selection and not filter
falsepositives:
- All kind of software downloads
level: low
Convert to SIEM query
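The two "Download From Suspicious TLD" rules share the same `c-uri-extension` selection and differ only in how they treat the host: the blacklist rule fires when the host ends in a listed TLD, the whitelist rule fires unless it ends in a trusted one. The following is an added example, not code from the rules or from SigmaHQ: it evaluates both rules over constructed proxy records with Python's standard library. The TLD lists are abridged subsets of the YAML above, `c-uri-extension` is derived from the URI path by a hypothetical helper (a real proxy may populate that field differently), and the sample traffic is invented.

```python
from urllib.parse import urlsplit

# Extension list shared by both rules (copied from the YAML above).
SUSPICIOUS_EXTENSIONS = {
    "exe", "vbs", "bat", "rar", "ps1", "doc", "docm", "xls", "xlsm",
    "pptm", "rtf", "hta", "dll", "ws", "wsf", "sct", "zip",
}
# Abridged subsets of the two rules' cs-host|endswith lists; extend from the YAML above.
BLACKLIST_TLDS = (".xyz", ".top", ".zip", ".cf", ".gq", ".ml", ".ga", ".pw", ".info", ".me")
WHITELIST_TLDS = (".com", ".org", ".net", ".edu", ".gov", ".uk", ".ca", ".de", ".jp", ".fr")


def uri_extension(uri: str) -> str:
    """Approximate the proxy's c-uri-extension field: the extension of the last
    path segment, ignoring the query string (so ?file=x.exe yields '')."""
    last_segment = urlsplit(uri).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""


def host_endswith(host: str, suffixes) -> bool:
    """Sigma |endswith on cs-host, case-insensitive; a trailing dot (FQDN form)
    is stripped so 'evil.xyz.' does not slip past the suffix comparison."""
    host = host.lower().rstrip(".")
    return any(host.endswith(s) for s in suffixes)


def blacklist_rule(event: dict) -> bool:
    # condition: selection  (both field tests inside 'selection' must hold)
    return (event["c-uri-extension"] in SUSPICIOUS_EXTENSIONS
            and host_endswith(event["cs-host"], BLACKLIST_TLDS))


def whitelist_rule(event: dict) -> bool:
    # condition: selection and not filter
    selection = event["c-uri-extension"] in SUSPICIOUS_EXTENSIONS
    filtered = host_endswith(event["cs-host"], WHITELIST_TLDS)
    return selection and not filtered


def to_proxy_event(host: str, uri: str) -> dict:
    """Build the Sigma proxy-taxonomy fields the rules reference."""
    return {"cs-host": host, "c-uri": uri, "c-uri-extension": uri_extension(uri)}


# Constructed sample traffic (not real telemetry).
SAMPLE_REQUESTS = [
    ("cdn.example.com", "/downloads/tool.exe"),       # trusted TLD: neither rule fires
    ("files.example.xyz", "/tool.exe"),              # listed TLD: both fire
    ("update.zip", "/setup.exe"),                    # .zip is a TLD as well as an extension
    ("mirror.example.io", "/agent.dll"),             # on neither list: only the whitelist rule fires
    ("files.example.xyz", "/readme.txt"),            # extension not in list: nothing fires
    ("files.example.xyz", "/get?file=payload.exe"),  # extension only in the query string: nothing fires
    ("FILES.EXAMPLE.XYZ.", "/Tool.EXE"),             # case and trailing-dot variants still fire
]


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return {(host, uri): (blacklist_hit, whitelist_hit)} for each request."""
    results = {}
    for host, uri in requests:
        ev = to_proxy_event(host, uri)
        results[(host, uri)] = (blacklist_rule(ev), whitelist_rule(ev))
    return results


if __name__ == "__main__":
    for (host, uri), (bl, wl) in evaluate().items():
        print(f"{host}{uri:<28} blacklist={bl!s:<5} whitelist={wl}")
```

The last two sample requests show the two gaps a practitioner should know about: a download whose file name only appears in the query string never populates `c-uri-extension`, and the whitelist filter trusts every `.com` host, attacker-registered ones included, so the two rules are complementary rather than redundant.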

Dynamic CSharp Compile Artefact
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution
title: Dynamic CSharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
description: |
    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
    Certain processes are not typically observed compiling C# code, but can do so without touching disk.
    This can be used to unpack a payload for execution
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022-01-09
modified: 2023-02-17
tags:
    - attack.defense-evasion
    - attack.t1027.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.cmdline'
    condition: selection
falsepositives:
    - Unknown
level: low

ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
title: ETW Logging Disabled For SCM
id: 4f281b83-0200-4b34-bf35-d24687ea57c2
status: test
description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
references:
    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
    - attack.t1562
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
        Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
    condition: selection
falsepositives:
    - Unknown
level: low

ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
title: ETW Logging Disabled For rpcrt4.dll
id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
status: test
description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
references:
    - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
    - attack.t1562
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
        Details:
            # This is disabled by default for some reason
            - 'DWORD (0x00000000)' # Off
            - 'DWORD (0x00000002)' # Off with exceptions
    condition: selection
falsepositives:
    - Unknown
level: low

End User Consent
Detects when an end user consents to an application
title: End User Consent
id: 9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a
status: test
description: Detects when an end user consents to an application
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        ConsentContext.IsAdminConsent: 'false'
    condition: selection
falsepositives:
    - Unknown
level: low

Exports Registry Key To a File
Detects the export of the target Registry key to a file.
title: Exports Registry Key To a File
id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
related:
    - id: 82880171-b475-4201-b811-e9c826cd5eaa
      type: similar
status: test
description: Detects the export of the target Registry key to a file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1012
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains|windash: ' -E '
    filter_1: # filters to avoid intersection with critical keys rule
        CommandLine|contains:
            - 'hklm'
            - 'hkey_local_machine'
    filter_2:
        CommandLine|endswith:
            - '\system'
            - '\sam'
            - '\security'
    condition: all of selection_* and not all of filter_*
falsepositives:
    - Legitimate export of keys
level: low
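Two details of this rule are easy to misread: `|windash` makes `' -E '` also match the `/E` form (and the Unicode dashes the Sigma v2 specification lists for that modifier), and `not all of filter_*` suppresses an event only when both filters hold at once, so an export of `HKLM\SAM` is left to the critical-keys rule while an export of some other HKLM subkey still fires. The following is an added example, not code from SigmaHQ or from the rule's authors: a small Python implementation of the rule's matching logic run over constructed process-creation events. The dash set, the event shape and the sample command lines are assumptions.

```python
import itertools

# Dash characters the Sigma |windash modifier treats as interchangeable with '-'
# (hyphen, slash, en dash, em dash, horizontal bar; the last three per the Sigma v2 spec).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_permutations(pattern: str):
    """Expand a |windash pattern into every variant in which each '-' is swapped
    for one of WINDASH_VARIANTS (so ' -E ' also yields ' /E ', ' \u2013E ', ...)."""
    dash_positions = [i for i, ch in enumerate(pattern) if ch == "-"]
    for combo in itertools.product(WINDASH_VARIANTS, repeat=len(dash_positions)):
        chars = list(pattern)
        for pos, repl in zip(dash_positions, combo):
            chars[pos] = repl
        yield "".join(chars)


def contains_windash(value: str, pattern: str) -> bool:
    """Sigma |contains|windash: case-insensitive substring test against every dash variant."""
    value = value.lower()
    return any(variant.lower() in value for variant in windash_permutations(pattern))


def selection_img(ev: dict) -> bool:
    # A list of maps under selection_img is OR'ed: either field test is enough.
    return (ev.get("Image", "").lower().endswith("\\regedit.exe")
            or ev.get("OriginalFileName", "").upper() == "REGEDIT.EXE")


def selection_cli(ev: dict) -> bool:
    return contains_windash(ev.get("CommandLine", ""), " -E ")


def filter_1(ev: dict) -> bool:
    cmd = ev.get("CommandLine", "").lower()
    return "hklm" in cmd or "hkey_local_machine" in cmd


def filter_2(ev: dict) -> bool:
    cmd = ev.get("CommandLine", "").lower()
    return cmd.endswith(("\\system", "\\sam", "\\security"))


def exports_registry_key(ev: dict) -> bool:
    """condition: all of selection_* and not all of filter_*
    'not all of' suppresses the event only when BOTH filters hold, i.e. an export of
    HKLM\\SAM, \\SYSTEM or \\SECURITY, which is left to the critical-keys rule."""
    selected = all(f(ev) for f in (selection_img, selection_cli))
    filtered = all(f(ev) for f in (filter_1, filter_2))
    return selected and not filtered


# Constructed Sysmon-style process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe -E C:\Users\Public\run.reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /E C:\Users\Public\sam.reg HKLM\SAM"},          # both filters: suppressed
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe /E C:\Users\Public\sw.reg HKLM\SOFTWARE\Contoso"},  # HKLM but not a hive: fires
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": "regedit.exe \u2013E C:\\Users\\Public\\env.reg HKCU\\Environment"},  # en dash variant
    {"Image": r"C:\Windows\regedit.exe",
     "CommandLine": r"regedit.exe C:\Users\Public\import.reg"},                   # import, not export
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe -E C:\Users\Public\notes.txt"},                 # wrong image
]


def run_samples(events=SAMPLE_EVENTS) -> list:
    """Return one bool per sample event: does the rule fire?"""
    return [exports_registry_key(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{'ALERT ' if hit else 'ignore'}  {ev['CommandLine']}")
```

When porting this rule to a backend by hand, keep the `not all of` semantics exactly; collapsing it to `not filter_1 and not filter_2` would silently drop every HKLM export and create a gap between this rule and the critical-keys one.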

External Disk Drive Or USB Storage Device Was Recognized By The System
Detects external disk drives or plugged-in USB devices.
title: External Disk Drive Or USB Storage Device Was Recognized By The System
id: f69a87ea-955e-4fb4-adb2-bb9fd6685632
status: test
description: Detects external disk drives or plugged-in USB devices.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
author: Keith Wright
date: 2019-11-20
modified: 2024-02-09
tags:
    - attack.t1091
    - attack.t1200
    - attack.lateral-movement
    - attack.initial-access
logsource:
    product: windows
    service: security
detection:
    selection_eid:
        EventID: 6416
    selection_field:
        - ClassName: 'DiskDrive'
        - DeviceDescription: 'USB Mass Storage Device'
    condition: all of selection_*
falsepositives:
    - Likely
level: low

Failed Authentications From Countries You Do Not Operate Out Of
Detect failed authentications from countries you do not operate out of.
title: Failed Authentications From Countries You Do Not Operate Out Of
id: 28870ae4-6a13-4616-bd1a-235a7fad7458
status: test
description: Detect failed authentications from countries you do not operate out of.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'failure'
    selection1:
        Location|contains: '<Countries you DO operate out of, e.g. GB; use OR for multiple>'
    condition: selection and not selection1
falsepositives:
    - If this was approved by System Administrator.
level: low
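This rule is a template: the country placeholder has to be filled in before it can run, and the raw Azure sign-in record does not carry a literal `Status: 'failure'` but an error code that the ingest normalises. The following is an added example, not code from the rule's authors or from Microsoft: a Python evaluation of the rule over constructed sign-in records, with the hits tallied per country and per user so that a spray against many accounts from one unexpected country can be told apart from a single travelling user. The operating-country set, the record shape and the sample sign-ins are assumptions.

```python
from collections import Counter

# Hypothetical tenant setting: the countries this organisation operates out of.
OPERATING_COUNTRIES = {"GB", "IE"}


def is_failed_signin(event: dict) -> bool:
    """Azure sign-in logs carry the outcome in Status.errorCode (0 = success);
    the rule's Status: 'failure' is the normalised form of 'errorCode != 0'."""
    return int(event["Status"]["errorCode"]) != 0


def in_operating_country(event: dict) -> bool:
    """selection1: Location matches one of the countries you DO operate out of."""
    return event["Location"]["countryOrRegion"] in OPERATING_COUNTRIES


def matches_rule(event: dict) -> bool:
    # condition: selection and not selection1
    return is_failed_signin(event) and not in_operating_country(event)


def summarize(events) -> dict:
    """Apply the rule and tally hits per country and per user. Many distinct users
    failing from one unexpected country looks like spraying; one user failing
    repeatedly looks like a traveller or a targeted guess."""
    hits = [e for e in events if matches_rule(e)]
    return {
        "hits": len(hits),
        "by_country": Counter(e["Location"]["countryOrRegion"] for e in hits),
        "by_user": Counter(e["UserPrincipalName"] for e in hits),
    }


def signin(upn: str, country: str, error_code: int) -> dict:
    """Build a constructed, minimal SigninLogs-shaped record."""
    return {"UserPrincipalName": upn,
            "Location": {"countryOrRegion": country},
            "Status": {"errorCode": error_code}}


# Constructed sample sign-ins (50126 = invalid username or password).
SAMPLE_SIGNINS = [
    signin("alice@example.com", "GB", 50126),  # failure from an operating country: ignored
    signin("alice@example.com", "GB", 0),
    signin("bob@example.com", "US", 50126),
    signin("carol@example.com", "US", 50126),
    signin("dave@example.com", "US", 50126),
    signin("eve@example.com", "BR", 0),        # success from abroad: out of scope for this rule
    signin("bob@example.com", "IE", 50126),
]


if __name__ == "__main__":
    print(summarize(SAMPLE_SIGNINS))
```

Note that a successful sign-in from an unexpected country (the `eve` record) is deliberately not a hit here; that case belongs to a separate impossible-travel or new-country rule, and pairing the two is what turns a spray followed by one success into an actionable alert.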