
Sigma (generic) detection rules

341 rules indexed · SIEM-agnostic detection content
Sigma is the open, vendor-neutral signature format for SIEM detections: a rule is written once as YAML and converted to the native query language of whichever backend runs it. Each rule below is listed with its raw YAML; the platform-specific views of this catalog render every rule in that SIEM's own syntax.

Detection rules

41 shown of 341
low
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
    Detects execution of Sysinternals tools via an AppX package.
    Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    service: appmodel-runtime
detection:
    selection:
        EventID: 201
        ImageName:
            - 'procdump.exe'
            - 'psloglist.exe'
            - 'psexec.exe'
            - 'livekd.exe'
            - 'ADExplorer.exe'
    condition: selection
falsepositives:
    - Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low
low
System Drawing DLL Load
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
status: test · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
title: System Drawing DLL Load
id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
status: test
description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-02-22
tags:
    - attack.collection
    - attack.t1113
    - detection.threat-hunting
logsource:
    product: windows
    category: image_load
detection:
    selection:
        ImageLoaded|endswith: '\System.Drawing.ni.dll'
    condition: selection
falsepositives:
    - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness
level: low
low
System Info Discovery via Sysinfo Syscall
Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes. Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
status: experimental · author: Milad Cheraghi · id: b207d563-a1d9-4275-b349-77d1eb55aa6d
title: System Info Discovery via Sysinfo Syscall
id: b207d563-a1d9-4275-b349-77d1eb55aa6d
status: experimental
description: |
    Detects use of the sysinfo system call in Linux, which provides a snapshot of key system statistics such as uptime, load averages, memory usage, and the number of running processes.
    Malware or reconnaissance tools might leverage sysinfo to fingerprint the system - gathering data to determine if it's a viable target.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/sysinfo-syscall/README.md
    - https://man7.org/linux/man-pages/man2/sysinfo.2.html
author: Milad Cheraghi
date: 2025-05-30
modified: 2025-12-05
tags:
    - attack.discovery
    - attack.t1057
    - attack.t1082
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S sysinfo -k discovery_sysinfo_syscall
        -a always,exit -F arch=b32 -S sysinfo -k discovery_sysinfo_syscall
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'sysinfo'
    filter_optional_splunk:
        exe|endswith: '/bin/splunkd'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative activity
level: low
low
System Information Discovery - Auditd
Detects System Information Discovery commands
status: test · author: Pawel Mazur · id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
title: System Information Discovery - Auditd
id: f34047d9-20d3-4e8b-8672-0a35cc50dc71
status: test
description: Detects System Information Discovery commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
author: Pawel Mazur
date: 2021-09-03
modified: 2023-03-06
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: linux
    service: auditd
detection:
    selection_1:
        type: PATH
        name:
            - /etc/lsb-release
            - /etc/redhat-release
            - /etc/issue
    selection_2:
        type: EXECVE
        a0:
            - uname
            - uptime
            - lsmod
            - hostname
            - env
    selection_3:
        type: EXECVE
        a0: grep
        a1|contains:
            - vbox
            - vm
            - xen
            - virtio
            - hv
    selection_4:
        type: EXECVE
        a0: kmod
        a1: list
    condition: 1 of selection_*
falsepositives:
    - Likely
level: low
low
System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
title: System Information Discovery Via Wmic.EXE
id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
related:
    - id: 9d5a1274-922a-49d0-87f3-8c653483b909
      type: derived
status: test
description: |
    Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
    including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
    and GPU driver products/versions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
    - https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
    - https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
    - https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
    - https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
    - https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-19
modified: 2024-01-15
tags:
    - attack.discovery
    - attack.t1082
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmic:
        - Description: 'WMI Commandline Utility'
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_get:
        CommandLine|contains: 'get'
    selection_classes:
        CommandLine|contains:
            - 'baseboard'
            - 'bios'
            - 'cpu'
            - 'diskdrive'
            - 'logicaldisk'
            - 'memphysical'
            - 'os'
            - 'path'
            - 'startup'
            - 'win32_videocontroller'
    selection_attributes:
        CommandLine|contains:
            - 'caption'
            - 'command'
            - 'driverversion'
            - 'maxcapacity'
            - 'name'
            - 'osarchitecture'
            - 'product'
            - 'size'
            - 'smbiosbiosversion'
            - 'version'
            - 'videomodedescription'
    filter_optional_vmtools:
        ParentCommandLine|contains: '\VMware\VMware Tools\serviceDiscovery\scripts\'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - VMWare Tools serviceDiscovery scripts
# Note: Might be upgraded to a medium detection rules after some time
level: low
low
System Information Discovery via Registry Queries
Detects attempts to query system information directly from the Windows Registry.
status: experimental · author: lazarg · id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
title: System Information Discovery via Registry Queries
id: 0022869c-49f7-4ff2-ba03-85ac42ddac58
status: experimental
description: Detects attempts to query system information directly from the Windows Registry.
references:
    - https://cert.gov.ua/article/6277849
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1082/T1082.md
    - https://github.com/redcanaryco/atomic-red-team/blob/75fa21076dcefa348a7521403cdd6bfc4e88623c/atomics/T1124/T1124.md
author: lazarg
date: 2025-06-12
modified: 2025-10-25
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains: 'query'
        CommandLine|contains|windash: '-v'
    selection_cmd_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Get-ItemPropertyValue'
            - 'gpv'
    selection_keys:
        CommandLine|contains:
            - '\SOFTWARE\Microsoft\Windows Defender' # Details about defender state
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' # Provides details about the OS
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' # Lists installed programs
            - '\SYSTEM\CurrentControlSet\Control\TimeZoneInformation' # Contains time zone details
            - '\SYSTEM\CurrentControlSet\Services' # Details about existing services
    condition: 1 of selection_cmd_* and selection_keys
falsepositives:
    - Unlikely
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_discovery_via_reg_queries/info.yml
simulation:
    - type: atomic-red-team
      name: System Information Discovery
      technique: T1010
      atomic_guid: 66703791-c902-4560-8770-42b8a91f7667
    - type: atomic-red-team
      name: Discover OS Product Name via Registry
      technique: T1082
      atomic_guid: be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
    - type: atomic-red-team
      name: Discover OS Build Number via Registry
      technique: T1082
      atomic_guid: acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
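To see how the `windash` modifier and the `all of selection_*` / `1 of selection_*` conditions of the two rules above behave on realistic telemetry, here is an added Python example that is not part of the Sigma project or of this page. It transcribes both detection blocks, implements only the modifiers these rules use (contains, endswith, all, windash and re, with windash reduced to the `-`/`/` pair), and runs them over constructed Sysmon-style process_creation events; the command lines, parent processes and the VMware script name are made up.

```python
import re

# Detection blocks of the two rules above, transcribed with Sigma's "Field|modifier" keys.
# A list of maps is OR-ed, one map AND-s its fields, and a list of values is OR-ed unless
# the 'all' modifier is present.
WMIC_DETECTION = {
    "selection_wmic": [{"Description": "WMI Commandline Utility"},
                       {"OriginalFileName": "wmic.exe"},
                       {"Image|endswith": "\\WMIC.exe"}],
    "selection_get": {"CommandLine|contains": "get"},
    "selection_classes": {"CommandLine|contains": [
        "baseboard", "bios", "cpu", "diskdrive", "logicaldisk", "memphysical",
        "os", "path", "startup", "win32_videocontroller"]},
    "selection_attributes": {"CommandLine|contains": [
        "caption", "command", "driverversion", "maxcapacity", "name", "osarchitecture",
        "product", "size", "smbiosbiosversion", "version", "videomodedescription"]},
    "filter_optional_vmtools": {
        "ParentCommandLine|contains": "\\VMware\\VMware Tools\\serviceDiscovery\\scripts\\"},
}
REG_DETECTION = {
    "selection_cmd_reg": {"Image|endswith": "\\reg.exe",
                          "CommandLine|contains": "query",
                          "CommandLine|contains|windash": "-v"},
    "selection_cmd_powershell": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                                 "CommandLine|contains": ["Get-ItemPropertyValue", "gpv"]},
    "selection_keys": {"CommandLine|contains": [
        "\\SOFTWARE\\Microsoft\\Windows Defender",
        "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
        "\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation",
        "\\SYSTEM\\CurrentControlSet\\Services"]},
}

def _candidates(value, mods):
    # Simplified windash: a value starting with '-' also matches its '/' form
    # (the real modifier additionally expands to the Unicode dash variants).
    if "windash" in mods and value.startswith("-"):
        return [value, "/" + value[1:]]
    return [value]

def _field_matches(event, spec, expected):
    field, *mods = spec.split("|")
    if event.get(field) is None:
        return False
    actual = str(event[field])
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in mods else any          # 'all' turns the value list from OR into AND
    exact = not ({"contains", "startswith", "endswith"} & set(mods))

    def one(value):
        if "re" in mods:                             # 're' is case-sensitive; everything else is not
            return re.search(value, actual) is not None
        a = actual.lower()
        for c in (v.lower() for v in _candidates(str(value), mods)):
            if (("contains" in mods and c in a) or ("endswith" in mods and a.endswith(c))
                    or ("startswith" in mods and a.startswith(c)) or (exact and a == c)):
                return True
        return False

    return combine(one(v) for v in values)

def match_selection(event, selection):
    if isinstance(selection, list):                  # list of maps: any one may match
        return any(match_selection(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def _of(event, detection, prefix, fn):
    """'all of prefix*' (fn=all) or '1 of prefix*' (fn=any) over the matching selection names."""
    return fn(match_selection(event, detection[k]) for k in detection if k.startswith(prefix))

def wmic_rule(event):      # condition: all of selection_* and not 1 of filter_optional_*
    return (_of(event, WMIC_DETECTION, "selection_", all)
            and not _of(event, WMIC_DETECTION, "filter_optional_", any))

def reg_rule(event):       # condition: 1 of selection_cmd_* and selection_keys
    return (_of(event, REG_DETECTION, "selection_cmd_", any)
            and match_selection(event, REG_DETECTION["selection_keys"]))

def match_events(events):
    """Titles of the rules that fire, per event."""
    rules = {"System Information Discovery Via Wmic.EXE": wmic_rule,
             "System Information Discovery via Registry Queries": reg_rule}
    return [[title for title, fn in rules.items() if fn(ev)] for ev in events]

# Constructed Sysmon EID 1 style events, not real telemetry; the VMware script name is invented.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EVENTS = [
    {"Image": WMIC, "OriginalFileName": "wmic.exe", "ParentCommandLine": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get Caption,OSArchitecture,Version"},
    {"Image": WMIC, "OriginalFileName": "wmic.exe",          # same command, parent is the VMware Tools script
     "ParentCommandLine": r"C:\Program Files\VMware\VMware Tools\serviceDiscovery\scripts\get-versions.bat",
     "CommandLine": "wmic os get Caption,OSArchitecture,Version"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe",    # slash form of the switch: windash must catch it
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation -Name TimeZoneKeyName"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe",    # reg query of a key the rule does not list
     "CommandLine": r"reg query HKCU\Software\Contoso\App /v Theme"},
    {"Image": WMIC, "OriginalFileName": "wmic.exe", "ParentCommandLine": r"C:\Windows\explorer.exe",
     # fires too: 'Microsoft' contains the class substring 'os' and the where clause the attribute 'name'
     "CommandLine": "wmic process where \"name='Microsoft.Photos.exe'\" get processid"},
]

if __name__ == "__main__":
    for ev, hits in zip(EVENTS, match_events(EVENTS)):
        print(hits or "-", "<-", ev["CommandLine"])
```

Two things the run makes visible: filter_optional_vmtools suppresses the otherwise identical WMIC command when the parent is the VMware Tools serviceDiscovery script, and because selection_classes matches the substring `os` and selection_attributes the substring `name`, a command line such as `wmic process where "name='Microsoft.Photos.exe'" get processid` fires as well, which is the kind of substring breadth that keeps the rule at level low until it is tuned.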
low
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the System Integrity Protection (SIP) configuration status. This technique is used in post-exploitation scenarios.
status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: 53821412-17b0-4147-ade0-14faae67d54b
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: test
description: |
    Detects the use of csrutil to view the System Integrity Protection (SIP) configuration status. This technique is used in post-exploitation scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
low
System Network Connections Discovery - Linux
Detects usage of system utilities to discover system network connections
status: test · author: Daniil Yugoslavskiy, oscd.community · id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    filter_landscape_sysinfo:
        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
        Image|endswith: '/who'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate activities
level: low
low
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
status: test · author: frack113 · id: 1c67a717-32ba-409b-a45d-0fb704a73a81
title: System Network Connections Discovery Via Net.EXE
id: 1c67a717-32ba-409b-a45d-0fb704a73a81
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
author: frack113
date: 2021-12-10
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        - CommandLine|endswith:
              - ' use'
              - ' sessions'
        - CommandLine|contains:
              - ' use '
              - ' sessions '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
status: test · author: Timur Zinniatullin, oscd.community · id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
title: System Owner or User Discovery - Linux
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: |
    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2025-06-04
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0:
            - 'hostname'
            - 'id'
            - 'last'
            - 'uname'
            - 'users'
            - 'w'
            - 'who'
            - 'whoami'
    condition: selection
falsepositives:
    - Admin activity
level: low
low
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
status: test · author: Daniil Yugoslavskiy, Ian Davis, oscd.community · id: 9c8afa4d-0022-48f0-9456-3712466f9701
title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory needs to be enabled to log EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low
low
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module by a process located in a potentially suspicious or uncommon directory. Loading this DLL indicates that the application may have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determine whether it is malicious.
status: test · author: Swachchhanda Shrawan Poudel · id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
status: test
description: |
    Detects the loading of the "taskschd.dll" module by a process located in a potentially suspicious or uncommon directory.
    Loading this DLL indicates that the application may have the capability to create a scheduled task via the "Schedule.Service" COM object.
    Investigation of the loading application and its behavior is required to determine whether it is malicious.
references:
    - https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/
    - https://x.com/Max_Mal_/status/1826179497084739829
author: Swachchhanda Shrawan Poudel
date: 2024-09-02
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1053.005
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        - ImageLoaded|endswith: '\taskschd.dll'
        - OriginalFileName: 'taskschd.dll'
    selection_paths:
        Image|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Some installers might generate false positives, apply additional filters accordingly.
level: low
low
TeamViewer Log File Deleted
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
status: test · author: frack113 · id: b1decb61-ed83-4339-8e95-53ea51901720
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
low
The Windows Defender Firewall Service Failed To Load Group Policy
Detects the event logged when the Windows Defender Firewall service fails to load Group Policy.
status: test · author: frack113 · id: 7ec15688-fd24-4177-ba43-1a950537ee39
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: test
description: Detects the event logged when the Windows Defender Firewall service fails to load Group Policy
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-01-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID: 2009 # The Windows Defender Firewall service failed to load Group Policy
    condition: selection
level: low
low
USB Device Plugged
Detects plugged/unplugged USB devices
status: test · author: Florian Roth (Nextron Systems) · id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
title: USB Device Plugged
id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4
status: test
description: Detects plugged/unplugged USB devices
references:
    - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/
    - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
author: Florian Roth (Nextron Systems)
date: 2017-11-09
modified: 2021-11-30
tags:
    - attack.initial-access
    - attack.t1200
logsource:
    product: windows
    service: driver-framework
    definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog'
detection:
    selection:
        EventID:
            - 2003  # Loading drivers
            - 2100  # Pnp or power management
            - 2102  # Pnp or power management
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: low
low
Unattend.XML File Access Attempt
Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended Windows installation process.
status: test · author: frack113 · id: 76a26006-0942-430b-8249-bd51d448f8e5
title: Unattend.XML File Access Attempt
id: 76a26006-0942-430b-8249-bd51d448f8e5
status: test
description: |
    Detects attempts to access the "unattend.xml" file, where credentials might be stored.
    This file is used during the unattended Windows installation process.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1552.001
    - detection.threat-hunting
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|endswith: '\Panther\unattend.xml'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Unauthorized System Time Modification
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
status: test · author: @neu5ron · id: faa031b5-21ed-4e02-8881-2591f98d82ed
title: Unauthorized System Time Modification
id: faa031b5-21ed-4e02-8881-2591f98d82ed
status: test
description: Detect scenarios where a potentially unauthorized application or user is modifying the system time.
references:
    - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)
    - Live environment caused by malware
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
author: '@neu5ron'
date: 2019-02-05
modified: 2025-12-03
tags:
    - attack.stealth
    - attack.t1070.006
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : System > Audit Security State Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security State Change'
detection:
    selection:
        EventID: 4616
    filter_main_svchost:
        ProcessName: 'C:\Windows\System32\svchost.exe'
        SubjectUserSid: 'S-1-5-19'
    filter_optional_vmtools:
        ProcessName:
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Windows\System32\VBoxService.exe'
            - 'C:\Windows\System32\oobe\msoobe.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - HyperV or other virtualization technologies with binary not listed in filter portion of detection
level: low
low
Uncommon Process Access Rights For Target Image
Detects process access requests to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
status: test · author: Nasreddine Bencherchali (Nextron Systems), frack113 · id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
title: Uncommon Process Access Rights For Target Image
id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
status: test
description: |
    Detects process access requests to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.011
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith:
            # Note: Add additional uncommon targets to increase coverage.
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\wordpad.exe'
            - '\write.exe'
        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
    condition: selection
falsepositives:
    - Unknown
# Note: please upgrade to a higher level after an initial test/tuning.
level: low
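Added example (not from the rule's authors or this page): decoding the GrantedAccess mask that the rule above compares as a literal string, and running the rule's own check next to a wider, bit-based one over constructed Sysmon EID 10 events. The access-right constants are the documented winnt.h values; the event paths and masks are made up, and has_injection_rights is this example's addition, not part of the rule.

```python
# Process object access rights (winnt.h). Bits 0x4000 and 0x8000 sit inside the low word
# that PROCESS_ALL_ACCESS covers but carry no documented name.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",            0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",        0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",              0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",           0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",            0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",                   0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",                0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF, the value the rule matches
# Rights a classic remote-thread injection needs: reserve/protect memory, write it, start a thread.
INJECTION_RIGHTS = 0x0008 | 0x0020 | 0x0002

UNCOMMON_TARGETS = ("\\calc.exe", "\\calculator.exe", "\\mspaint.exe", "\\notepad.exe",
                    "\\ping.exe", "\\wordpad.exe", "\\write.exe")

def decode_access(mask_hex):
    """Expand a Sysmon GrantedAccess string such as '0x1FFFFF' into the named rights it carries."""
    mask = int(mask_hex, 16)
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(PROCESS_RIGHTS.get(bit, f"UNDOCUMENTED_{bit:#x}"))
        bit <<= 1
    return names

def rule_fires(event):
    """Rule a24e5861 as written: uncommon target image and GrantedAccess equal to 0x1FFFFF
    (Sigma compares strings case-insensitively, so the hex case does not matter)."""
    return (event["TargetImage"].lower().endswith(UNCOMMON_TARGETS)
            and event["GrantedAccess"].lower() == "0x1fffff")

def has_injection_rights(mask_hex):
    """Complementary check added by this example, not part of the rule: true for any mask
    that includes all three injection rights, whatever else is set."""
    return (int(mask_hex, 16) & INJECTION_RIGHTS) == INJECTION_RIGHTS

# Constructed Sysmon EID 10 (process_access) events; not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\Public\stage.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},   # exactly what the rule is written for
    {"SourceImage": r"C:\Users\Public\stage.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x143A"},     # enough to inject, but not the exact mask the rule wants
    {"SourceImage": r"C:\Users\Public\stage.exe", "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},     # read-only access to a target the rule does not list
]

def summarize(events):
    """(rule fires?, carries injection rights?) per event."""
    return [(rule_fires(e), has_injection_rights(e["GrantedAccess"])) for e in events]

if __name__ == "__main__":
    for e, (fires, inject) in zip(SAMPLE_EVENTS, summarize(SAMPLE_EVENTS)):
        print(e["TargetImage"], e["GrantedAccess"], "rule:", fires, "injection bits:", inject)
        print("   ", ", ".join(decode_access(e["GrantedAccess"])))
```

The rule only fires on the literal 0x1FFFFF against the seven listed targets, so the second event (0x143A, which still carries PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD) and the third (lsass.exe, not in the list) pass it silently; the bit test catches the former and is one way to widen coverage once the initial tuning the rule's comment asks for is done.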
low
Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
status: test · author: oscd.community, @redcanary, Zach Stanford @svch0st · id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low
low
Unusually Long PowerShell CommandLine
Detects unusually long PowerShell command lines with a length of 1000 characters or more
status: test · author: oscd.community, Natalia Shornikova · id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
title: Unusually Long PowerShell CommandLine
id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
status: test
description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-04-14
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows Powershell'
        - Product: 'PowerShell Core 6'
    selection_length:
        CommandLine|re: '.{1000,}'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
low
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
status: test · author: frack113 · id: b366adb4-d63d-422d-8a2c-186463b5ded0
title: Use Get-NetTCPConnection
id: b366adb4-d63d-422d-8a2c-186463b5ded0
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2023-10-27
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
low
Use Get-NetTCPConnection - PowerShell Module
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
status: test · author: frack113 · id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
title: Use Get-NetTCPConnection - PowerShell Module
id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
status: test · author: David Burkett, @signalblur · id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
title: Use Of Hidden Paths Or Files
id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
    - id: d08722cd-3d09-449a-80b4-83ea2d9d4616
      type: similar
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: David Burkett, @signalblur
date: 2022-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name|contains: '/.'
    filter:
        name|contains:
            - '/.cache/'
            - '/.config/'
            - '/.pyenv/'
            - '/.rustup/toolchains'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Use Of Remove-Item to Delete File - ScriptBlock
Detects use of PowerShell Remove-Item with -Path to delete a file, or a folder with "-Recurse".
status: test · author: frack113 · id: b8af5f36-1361-4ebe-9e76-e36128d947bf
title: Use Of Remove-Item to Delete File - ScriptBlock
id: b8af5f36-1361-4ebe-9e76-e36128d947bf
status: test
description: PowerShell Remove-Item  with -Path to delete a file or a folder with "-Recurse"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-15
modified: 2022-03-17
tags:
    - attack.stealth
    - attack.t1070.004
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-Item -Path '
            - 'del -Path '
            - 'erase -Path '
            - 'rd -Path '
            - 'ri -Path '
            - 'rm -Path '
            - 'rmdir -Path '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
User with Privileges Logon
Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
status: test · author: frack113 · id: 94309181-d345-4cbf-b5fe-061769bdf9cb
title: User with Privileges Logon
id: 94309181-d345-4cbf-b5fe-061769bdf9cb
status: test
description: Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
author: frack113
date: 2022-10-14
modified: 2023-12-14
tags:
    - attack.lateral-movement
    - attack.credential-access
    - attack.t1558
    - attack.t1649
    - attack.t1550
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID:
            - 4672
            - 4964
    filter_main_local_system:
        SubjectUserSid: 'S-1-5-18'
    filter_main_valid_account:
        SubjectUserName|expand: '%Admins_Workstations%' # Set valid internal naming pattern or a list a valid account
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low
Userdomain Variable Enumeration
Detects suspicious enumeration of the domain the user is associated with.
status: test · author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io · id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
title: Userdomain Variable Enumeration
id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
status: test
description: Detects suspicious enumeration of the domain the user is associated with.
references:
    - https://www.arxiv-vanity.com/papers/2008.04676/
    - https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2023-02-09
modified: 2024-08-01
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'echo '
        CommandLine|contains|expand: '%userdomain%'
    condition: selection
falsepositives:
    - Certain scripts or applications may leverage this.
level: low
Virtualbox Driver Installation or Starting of VMs
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
status: test · author: Janantha Marasinghe · id: bab049ca-7471-4828-9024-38279a4c04da
title: Virtualbox Driver Installation or Starting of VMs
id: bab049ca-7471-4828-9024-38279a4c04da
status: test
description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
references:
    - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
    - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
author: Janantha Marasinghe
date: 2020-09-26
modified: 2025-07-29
tags:
    - attack.stealth
    - attack.t1564.006
    - attack.t1564
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'VBoxRT.dll,RTR3Init'
            - 'VBoxC.dll'
            - 'VBoxDrv.sys'
    selection_2:
        CommandLine|contains:
            - 'startvm'
            - 'controlvm'
    condition: 1 of selection_*
falsepositives:
    - This may have false positives on hosts where Virtualbox is legitimately being used for operations
level: low
Volume Shadow Copy Mount
Detects volume shadow copy mount via Windows event log
status: test · author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) · id: f512acbf-e662-4903-843e-97ce4652b740
title: Volume Shadow Copy Mount
id: f512acbf-e662-4903-843e-97ce4652b740
status: test
description: Detects volume shadow copy mount via Windows event log
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: Microsoft-Windows-Ntfs
        EventID: 98
        DeviceName|contains: HarddiskVolumeShadowCopy
    condition: selection
falsepositives:
    - Legitimate use of volume shadow copy mounts (backups maybe).
level: low
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 72cd00d6-490c-4650-86ff-1d11f491daa1
title: Vulnerable Driver Load By Name
id: 72cd00d6-490c-4650-86ff-1d11f491daa1
status: test
description: Detects the load of known vulnerable drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\panmonfltx64.sys'
            - '\dbutil.sys'
            - '\fairplaykd.sys'
            - '\nvaudio.sys'
            - '\superbmc.sys'
            - '\bsmi.sys'
            - '\smarteio64.sys'
            - '\bwrsh.sys'
            - '\agent64.sys'
            - '\asmmap64.sys'
            - '\dellbios.sys'
            - '\chaos-rootkit.sys'
            - '\wcpu.sys'
            - '\dh_kernel.sys'
            - '\sbiosio64.sys'
            - '\bw.sys'
            - '\asrdrv102.sys'
            - '\nt6.sys'
            - '\mhyprot3.sys'
            - '\winio64c.sys'
            - '\asupio64.sys'
            - '\blackbonedrv10.sys'
            - '\d.sys'
            - '\driver7-x86.sys'
            - '\sfdrvx32.sys'
            - '\enetechio64.sys'
            - '\gdrv.sys'
            - '\sysinfodetectorx64.sys'
            - '\fh-ethercat_dio.sys'
            - '\asromgdrv.sys'
            - '\my.sys'
            - '\dcprotect.sys'
            - '\irec.sys'
            - '\gedevdrv.sys'
            - '\winio32a.sys'
            - '\gvcidrv64.sys'
            - '\winio32.sys'
            - '\bs_hwmio64.sys'
            - '\nstr.sys'
            - '\inpoutx64.sys'
            - '\hw.sys'
            - '\winio64.sys'
            - '\hpportiox64.sys'
            - '\iobitunlocker.sys'
            - '\b1.sys'
            - '\aoddriver.sys'
            - '\elbycdio.sys'
            - '\protects.sys'
            - '\kprocesshacker.sys'
            - '\speedfan.sys'
            - '\radhwmgr.sys'
            - '\iscflashx64.sys'
            - '\black.sys'
            - '\b4.sys'
            - '\hwos2ec10x64.sys'
            - '\winflash64.sys'
            - '\corsairllaccess64.sys'
            - '\bs_i2cio.sys'
            - '\d3.sys'
            - '\windows-xp-64.sys'
            - '\aswvmm.sys'
            - '\bs_i2c64.sys'
            - '\1.sys'
            - '\nchgbios2x64.sys'
            - '\cpuz141.sys'
            - '\segwindrvx64.sys'
            - '\tdeio64.sys'
            - '\ntiolib.sys'
            - '\gtckmdfbs.sys'
            - '\iomap64.sys'
            - '\avalueio.sys'
            - '\semav6msr.sys'
            - '\lgdcatcher.sys'
            - '\b.sys'
            - '\hwdetectng.sys'
            - '\nt4.sys'
            - '\tgsafe.sys'
            - '\mydrivers.sys'
            - '\eneio64.sys'
            - '\procexp.sys'
            - '\viragt64.sys'
            - '\fpcie2com.sys'
            - '\lenovodiagnosticsdriver.sys'
            - '\cp2x72c.sys'
            - '\kerneld.amd64'
            - '\bs_def64.sys'
            - '\piddrv.sys'
            - '\amifldrv64.sys'
            - '\cpuz_x64.sys'
            - '\proxy32.sys'
            - '\wsdkd.sys'
            - '\t8.sys'
            - '\ucorew64.sys'
            - '\atszio.sys'
            - '\lmiinfo.sys'
            - '\80.sys'
            - '\nt3.sys'
            - '\ngiodriver.sys'
            - '\lv561av.sys'
            - '\gpcidrv64.sys'
            - '\fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys'
            - '\rtport.sys'
            - '\full.sys'
            - '\viragt.sys'
            - '\fiddrv64.sys'
            - '\cupfixerx64.sys'
            - '\cpupress.sys'
            - '\hwos2ec7x64.sys'
            - '\driver7-x86-withoutdbg.sys'
            - '\asrdrv10.sys'
            - '\nvflsh64.sys'
            - '\asrrapidstartdrv.sys'
            - '\tmcomm.sys'
            - '\wiseunlo.sys'
            - '\rwdrv.sys'
            - '\asio64.sys'
            - '\nvoclock.sys'
            - '\panio.sys'
            - '\mtcbsv64.sys'
            - '\amigendrv64.sys'
            - '\capcom.sys'
            - '\netflt.sys'
            - '\phlashnt.sys'
            - '\dbutil_2_3.sys'
            - '\ni.sys'
            - '\ntiolib_x64.sys'
            - '\atszio64.sys'
            - '\lgcoretemp.sys'
            - '\lha.sys'
            - '\phymem64.sys'
            - '\dbutildrv2.sys'
            - '\asrdrv103.sys'
            - '\rtcore64.sys'
            - '\bs_hwmio64_w10.sys'
            - '\ene.sys'
            - '\winio64b.sys'
            - '\piddrv64.sys'
            - '\directio32.sys'
            - '\monitor_win10_x64.sys'
            - '\nt5.sys'
            - '\asrsmartconnectdrv.sys'
            - '\rtif.sys'
            - '\atillk64.sys'
            - '\directio.sys'
            - '\asribdrv.sys'
            - '\kfeco11x64.sys'
            - '\citmdrv_ia64.sys'
            - '\sysdrv3s.sys'
            - '\amp.sys'
            - '\vboxdrv.sys'
            - '\adv64drv.sys'
            - '\hostnt.sys'
            - '\phymem_ext64.sys'
            - '\echo_driver.sys'
            - '\winiodrv.sys'
            - '\pdfwkrnl.sys'
            - '\glckio2.sys'
            - '\asrdrv106.sys'
            - '\nscm.sys'
            - '\bs_rcio64.sys'
            - '\ncpl.sys'
            - '\sandra.sys'
            - '\fiddrv.sys'
            - '\hwrwdrv.sys'
            - '\mhyprot.sys'
            - '\asrsetupdrv103.sys'
            - '\iqvw64.sys'
            - '\b3.sys'
            - '\ssport.sys'
            - '\bs_def.sys'
            - '\computerz.sys'
            - '\windows8-10-32.sys'
            - '\nstrwsk.sys'
            - '\lurker.sys'
            - '\bsmemx64.sys'
            - '\wyproxy64.sys'
            - '\asio.sys'
            - '\t3.sys'
            - '\cpuz.sys'
            - '\rtkio.sys'
            - '\driver7-x64.sys'
            - '\netfilterdrv.sys'
            - '\ioaccess.sys'
            - '\testbone.sys'
            - '\gameink.sys'
            - '\kevp64.sys'
            - '\mhyprot2.sys'
            - '\se64a.sys'
            - '\vboxusb.sys'
            - '\windows7-32.sys'
            - '\vproeventmonitor.sys'
            - '\winio64a.sys'
            - '\asrdrv101.sys'
            - '\netproxydriver.sys'
            - '\elrawdsk.sys'
            - '\zam64.sys'
            - '\cg6kwin2k.sys'
            - '\asupio.sys'
            - '\stdcdrvws64.sys'
            - '\81.sys'
            - '\citmdrv_amd64.sys'
            - '\amdryzenmasterdriver.sys'
            - '\vmdrv.sys'
            - '\sysinfo.sys'
            - '\alsysio64.sys'
            - '\directio64.sys'
            - '\rzpnk.sys'
            - '\amdpowerprofiler.sys'
            - '\truesight.sys'
            - '\wirwadrv.sys'
            - '\phymemx64.sys'
            - '\msio64.sys'
            - '\sepdrv3_1.sys'
            - '\gametersafe.sys'
            - '\bs_rcio.sys'
            - '\d4.sys'
            - '\t.sys'
            - '\eio.sys'
            - '\nt2.sys'
            - '\winring0.sys'
            - '\physmem.sys'
            - '\libnicm.sys'
            - '\msio32.sys'
            - '\asrautochkupddrv.sys'
            - '\asio32.sys'
            - '\etdsupp.sys'
            - '\smep_namco.sys'
            - '\bandai.sys'
            - '\d2.sys'
            - '\magdrvamd64.sys'
            - '\nvflash.sys'
            - '\goad.sys'
            - '\proxy64.sys'
            - '\amsdk.sys'
            - '\kbdcap64.sys'
            - '\vdbsv64.sys'
            - '\pchunter.sys'
            - '\sysconp.sys'
            - '\dh_kernel_10.sys'
            - '\msrhook.sys'
            - '\bedaisy.sys'
            - '\dcr.sys'
            - '\panmonflt.sys'
            - '\bsmixp64.sys'
            - '\otipcibus.sys'
            - '\fidpcidrv.sys'
            - '\kfeco10x64.sys'
            - '\asrdrv104.sys'
            - '\c.sys'
            - '\tdklib64.sys'
            - '\bsmix64.sys'
            - '\bs_flash64.sys'
            - '\stdcdrv64.sys'
            - '\naldrv.sys'
            - '\ctiio64.sys'
            - '\bwrs.sys'
            - '\nicm.sys'
            - '\winio32b.sys'
            - '\paniox64.sys'
            - '\ecsiodriverx64.sys'
            - '\iomem64.sys'
            - '\fidpcidrv64.sys'
            - '\aswarpot.sys'
            - '\bs_rciow1064.sys'
            - '\asmio64.sys'
            - '\openlibsys.sys'
            - '\viraglt64.sys'
            - '\dbk64.sys'
            - '\t7.sys'
            - '\atlaccess.sys'
            - '\nbiolib_x64.sys'
            - '\smep_capcom.sys'
            - '\iqvw64e.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: low
WMI Module Loaded By Uncommon Process
Detects WMI modules being loaded by an uncommon process
status: test · author: Roberto Rodriguez @Cyb3rWard0g · id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
title: WMI Module Loaded By Uncommon Process
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
description: Detects WMI modules being loaded by an uncommon process
references:
    - https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2025-02-24
tags:
    - attack.execution
    - attack.t1047
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\fastprox.dll'
            - '\wbemcomn.dll'
            - '\wbemprox.dll'
            - '\wbemsvc.dll'
            - '\WmiApRpl.dll'
            - '\wmiclnt.dll'
            - '\WMINet_Utils.dll'
            - '\wmiprov.dll'
            - '\wmiutils.dll'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\explorer.exe'
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_other:
        Image|endswith:
            - '\WindowsAzureGuestAgent.exe'
            - '\WaAppAgent.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_defender:
        Image|endswith: '\MsMpEng.exe'
    filter_optional_teams:
        Image|contains:
            - '\Microsoft\Teams\current\Teams.exe'
            - '\Microsoft\Teams\Update.exe'
    filter_optional_sysmon:
        Image|endswith:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: low
WebDav Put Request
A general detection for a WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
status: test · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
status: test · author: frack113 · id: 04b60639-39c0-412a-9fbe-e82499c881a3
title: Windows Defender Firewall Has Been Reset To Its Default Configuration
id: 04b60639-39c0-412a-9fbe-e82499c881a3
status: test
description: Detects activity when Windows Defender Firewall has been reset to its default configuration
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2032 # Windows Defender Firewall has been reset to its default configuration
            - 2060 # Windows Defender Firewall has been reset to its default configuration. (Windows 11)
    condition: selection
level: low
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
status: stable · author: Nasreddine Bencherchali (Nextron Systems) · id: 91903aba-1088-42ee-b680-d6d94fe002b0
title: Windows Defender Submit Sample Feature Disabled
id: 91903aba-1088-42ee-b680-d6d94fe002b0
related:
    - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
      type: similar
    - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
      type: similar
    - id: 801bd44f-ceed-4eb6-887c-11544633c0aa
      type: similar
status: stable
description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-06
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: windefend
detection:
    selection:
        EventID: 5007 # The antimalware platform configuration changed.
        NewValue|contains: '\Real-Time Protection\SubmitSamplesConsent = 0x0'
    condition: selection
falsepositives:
    - Administrator activity (must be investigated)
level: low
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
status: test · author: @neu5ron, Nasreddine Bencherchali (Nextron Systems) · id: 69aeb277-f15f-4d2d-b32a-55e883609563
title: Windows Event Auditing Disabled
id: 69aeb277-f15f-4d2d-b32a-55e883609563
related:
    - id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
      type: derived
status: test
description: |
    Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled.
    This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed.
    Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
    Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
author: '@neu5ron, Nasreddine Bencherchali (Nextron Systems)'
date: 2017-11-19
modified: 2023-11-15
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection:
        EventID: 4719
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    filter_main_guid:
        # Note: We filter these GUID to avoid alert duplication as these are covered by ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
        SubcategoryGuid:
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: low # Increase this after a testing period in your environment
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
title: Windows Firewall Settings Have Been Changed
id: 00bb5bd5-1379-4fcf-a965-a5b6f7478064
status: test
description: Detects activity when the settings of the Windows firewall have been changed
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-19
modified: 2023-04-21
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2002 # A Windows Defender Firewall setting has changed.
            - 2083 # A Windows Defender Firewall setting has changed. (Windows 11)
            - 2003 # A Windows Firewall setting in the profile has changed
            - 2082 # A Windows Defender Firewall setting in the %1 profile has changed. (Windows 11)
            - 2008  # Windows Firewall Group Policy settings have changed. The new settings have been applied
            # - 2010  # Network profile changed on an interface.
    condition: selection
level: low
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
status: experimental · author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems) · id: af5732ed-764e-489d-826d-0447c8b36242
title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low
Windows Processes Suspicious Parent Directory
Detects suspicious parent processes of well-known Windows processes.
status: test · author: vburov · id: 96036718-71cc-4027-a538-d1587e0006a7
title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019-02-23
modified: 2025-03-06
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
              - ''
              - '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low
Windows Service Terminated With Error
Detects Windows services that got terminated for whatever reason
level: low · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: acfa2210-0d71-4eeb-b477-afab494d596c
title: Windows Service Terminated With Error
id: acfa2210-0d71-4eeb-b477-afab494d596c
related:
    - id: d6b5520d-3934-48b4-928c-2aa3f92d6963
      type: similar
status: test
description: Detects Windows services that got terminated for whatever reason
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
    - attack.stealth
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7023 # The X Service service terminated with the following error
    condition: selection
falsepositives:
    - False positives could occur since service termination could happen due to multiple reasons
level: low
Windows Share Mount Via Net.EXE
Detects when a share is mounted using the "net.exe" utility
level: low · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: f117933c-980c-4f78-b384-e3d838111165
title: Windows Share Mount Via Net.EXE
id: f117933c-980c-4f78-b384-e3d838111165
related:
    - id: 3abd6094-7027-475f-9630-8ab9be7b9725
      type: similar
status: test
description: Detects when a share is mounted using the "net.exe" utility
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-02
modified: 2023-02-21
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains:
            - ' use '
            - ' \\\\' # escaped backslashes: matches the leading "\\" of a UNC path
    condition: all of selection_*
falsepositives:
    - Legitimate activity by administrators and scripts
level: low
Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
level: low · status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\' # application hive used by packaged (AppX) apps such as winget
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64-encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
level: low · status: test · author: Teymur Kheirkhabarov, Harish Segar · id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
title: bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6
status: test
description: |
    Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator.
    Attackers might use it as an alternative obfuscation method to Base64-encoded commands.
    Investigate the CommandLine and process tree to determine if the activity is malicious.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-06-29
modified: 2024-12-11
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'HostName=ConsoleHost'
            - ' -bxor '
    condition: selection
falsepositives:
    - Unknown
level: low