Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Detection rules
50 shown of 1,492
medium
Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate usernames used in your environment.

title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
    Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
    This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
modified: 2026-04-27
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://developer.okta.com/docs/reference/api/event-types/
tags:
    - attack.credential-access
    - detection.emerging-threats
logsource:
    service: okta
    product: okta
detection:
    selection:
        eventType:
            - 'user.lifecycle.create'
            - 'user.lifecycle.activate'
        target.displayName|contains: 'svc_network_backup'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta API Token Created
Detects when an API token is created.

title: Okta API Token Created
id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
status: test
description: Detects when an API token is created.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.persistence
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: system.api_token.create
    condition: selection
falsepositives:
    - Legitimate creation of an API token by authorized users
level: medium
medium
Okta API Token Revoked
Detects when an API token is revoked.

title: Okta API Token Revoked
id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
status: test
description: Detects when an API token is revoked.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: system.api_token.revoke
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through a proxy.

title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through a proxy.
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://dataconomy.com/2023/10/23/okta-data-breach/
    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
    - attack.credential-access
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: 'admin'
        securityContext.isProxy: 'true'
    condition: selection
falsepositives:
    - False positives are expected if administrators access these functions through a proxy legitimately. Apply additional filters if necessary.
level: medium
medium
Okta Admin Role Assigned to a User or Group
Detects when the Administrator role is assigned to a user or group.

title: Okta Admin Role Assigned to a User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when the Administrator role is assigned to a user or group.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - group.privilege.grant
            - user.account.privilege.grant
    condition: selection
falsepositives:
    - Administrator roles could be assigned to users or groups by other admin users.
level: medium
medium
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.

title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: test
description: Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Nikita Khalimonenkov
date: 2023-01-19
modified: 2026-04-27
tags:
    - attack.persistence
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'iam.resourceset.bindings.add'
    condition: selection
falsepositives:
    - Legitimate creation of a new admin role assignment
level: medium
medium
Okta Application Modified or Deleted
Detects when an application is modified or deleted.

title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
status: test
description: Detects when an application is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - application.lifecycle.update
            - application.lifecycle.delete
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.

title: Okta Application Sign-On Policy Modified or Deleted
id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
status: test
description: Detects when an application Sign-on Policy is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - application.policy.sign_on.update
            - application.policy.sign_on.rule.delete
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.

title: Okta Identity Provider Created
id: 969c7590-8c19-4797-8c1b-23155de6e7ac
status: test
description: Detects when a new identity provider is created for Okta.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.001
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'system.idp.lifecycle.create'
    condition: selection
falsepositives:
    - When an admin creates a new, authorised identity provider.
level: medium
medium
Okta MFA Reset or Deactivated
Detects an attempt at deactivating or resetting MFA.

title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects an attempt at deactivating or resetting MFA.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - user.mfa.factor.deactivate
            - user.mfa.factor.reset_all
    condition: selection
falsepositives:
    - If an MFA reset or deactivation was performed by a system administrator.
level: medium
medium
Okta Network Zone Deactivated or Deleted
Detects when a Network Zone is deactivated or deleted.

title: Okta Network Zone Deactivated or Deleted
id: 9f308120-69ed-4506-abde-ac6da81f4310
status: test
description: Detects when a Network Zone is deactivated or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - zone.deactivate
            - zone.delete
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Policy Rule Modified or Deleted
Detects when a Policy Rule is modified or deleted.

title: Okta Policy Rule Modified or Deleted
id: 0c97c1d3-4057-45c9-b148-1de94b631931
status: test
description: Detects when a Policy Rule is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - policy.rule.update
            - policy.rule.delete
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Security Threat Detected
Detects when a security threat is detected in Okta.

title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
status: test
description: Detects when a security threat is detected in Okta.
references:
    - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.command-and-control
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: security.threat.detected
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Session Impersonation Granted From Untrusted Domain
Detects an Okta session impersonation grant event, where a user is granted the ability to impersonate another user's session.
This event type "user.session.impersonation.grant" signifies that someone has been given temporary access to act on behalf of another user account.
Threat actors may abuse this functionality to escalate privileges, access sensitive resources, or perform unauthorized actions while appearing to be the impersonated user.
Legitimate use cases are typically limited to Okta support scenarios or authorized administrative troubleshooting.

title: Okta Session Impersonation Granted From Untrusted Domain
id: fe04b26b-0ac4-45d7-9404-4b9f16a440a9
status: experimental
description: |
    Detects an Okta session impersonation grant event, where a user is granted the ability to impersonate another user's session.
    This event type "user.session.impersonation.grant" signifies that someone has been given temporary access to act on behalf of another user account.
    Threat actors may abuse this functionality to escalate privileges, access sensitive resources, or perform unauthorized actions while appearing to be the impersonated user.
    Legitimate use cases are typically limited to Okta support scenarios or authorized administrative troubleshooting.
references:
    - https://developer.okta.com/docs/reference/system-log-query/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
    - https://support.okta.com/help/s/article/What-is-the-systemoktacom-Account-in-Syslog-Used-For
author: zendannyy
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.002
    - attack.initial-access
    - attack.t1199
logsource:
    service: okta
    product: okta
detection:
    selection:
        eventType: 'user.session.impersonation.grant'
    filter_main_okta:
        actor.alternateId|contains: '[email protected]'
    filter_main_company:
        actor.alternateId|contains|expand: '%legtimate_identifiers%' # Your trusted domain goes here
    condition: selection and not 1 of filter_main_*
falsepositives:
    - The only legitimate use case here is an Okta support engineer actively working with an internal Okta Admin.
    - This access is temporary and should be revoked once done with the support case.
    - Apply additional filters if necessary
level: medium
medium
Okta Unauthorized Access to App
Detects when unauthorized access to an app occurs.

title: Okta Unauthorized Access to App
id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
status: test
description: Detects when unauthorized access to an app occurs.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        displayMessage: User attempted unauthorized access to app
    condition: selection
falsepositives:
    - User might have believed that they had access.
level: medium
medium
Okta User Account Locked Out
Detects when a user account is locked out.

title: Okta User Account Locked Out
id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
status: test
description: Detects when a user account is locked out.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: okta
    service: okta
detection:
    selection:
        displayMessage: Max sign in attempts exceeded
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

title: Old TLS1.0/TLS1.1 Protocol Version Enabled
id: 439957a7-ad86-4a8f-9705-a28131c6821b
status: test
description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
references:
    - https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
    - attack.stealth
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
            - '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Legitimate enabling of the old TLS versions due to incompatibility
level: medium
medium
OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments.

title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            # Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - ':\Temp\'
        TargetFilename|endswith:
            - '.one'
            - '.onepkg'
    filter_main_onenote:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\ONENOTE.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
medium
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.

title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
medium
OpenSSH Server Listening On Socket
Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.

title: OpenSSH Server Listening On Socket
id: 3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781
status: test
description: Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.
references:
    - https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH
    - https://winaero.com/enable-openssh-server-windows-10/
    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
    - https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: mdecrevoisier
date: 2022-10-25
tags:
    - attack.lateral-movement
    - attack.t1021.004
logsource:
    product: windows
    service: openssh
detection:
    selection:
        EventID: 4
        process: sshd
        payload|startswith: 'Server listening on '
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects a potentially suspicious applet or osascript executing "osacompile".

title: Osacompile Execution By Potentially Suspicious Applet/Osascript
id: a753a6af-3126-426d-8bd0-26ebbcb92254
status: test
description: Detects a potentially suspicious applet or osascript executing "osacompile".
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (Idea)
date: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith:
            - '/applet'
            - '/osascript'
        CommandLine|contains: 'osacompile'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiates network communications with public IP addresses.

title: Outbound Network Connection To Public IP Via Winlogon
id: 7610a4ea-c06d-495f-a2ac-0a696abcfd3b
status: test
description: Detects a "winlogon.exe" process that initiates network communications with public IP addresses.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Christopher Peacock @securepeacock, SCYTHE @scythe_io
date: 2023-04-28
modified: 2024-03-12
tags:
    - attack.execution
    - attack.command-and-control
    - attack.stealth
    - attack.t1218.011
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\winlogon.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Communication to other corporate systems that use IP addresses from public address spaces
level: medium
medium
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to Outlook security settings.

title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
      type: similar
status: test
description: Detects changes to the registry values related to Outlook security settings.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    filter_main_outlook:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: medium
medium
PAExec Service Installation
Detects PAExec service installation.

title: PAExec Service Installation
id: de7ce410-b3fb-4e8a-b38c-3b999e2c3420
status: test
description: Detects PAExec service installation.
references:
    - https://www.poweradmin.com/paexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_image:
        - ServiceName|startswith: 'PAExec-'
        - ImagePath|startswith: 'C:\WINDOWS\PAExec-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
PDQ Deploy Remote Administration Tool Execution
Detects use of the PDQ Deploy remote admin tool.

title: PDQ Deploy Remote Administration Tool Execution
id: d679950c-abb7-43a6-80fb-2a480c4fc450
related:
    - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
      type: similar
status: test
description: Detects use of the PDQ Deploy remote admin tool.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
    - https://www.pdq.com/pdq-deploy/
author: frack113
date: 2022-10-01
modified: 2023-01-30
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: PDQ Deploy Console
        - Product: PDQ Deploy
        - Company: PDQ.com
        - OriginalFileName: PDQDeployConsole.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
medium
PSScriptPolicyTest Creation By Uncommon Process
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.

title: PSScriptPolicyTest Creation By Uncommon Process
id: 1027d292-dd87-4a1a-8701-2abe04d7783c
status: test
description: Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
references:
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '__PSScriptPolicyTest_'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\Windows\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\sdiagnhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
PST Export Alert Using New-ComplianceSearchAction
Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to the cloud.

title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
    - id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
      type: similar
status: test
description: Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to the cloud.
references:
    - https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        Payload|contains|all:
            - 'New-ComplianceSearchAction'
            - 'Export'
            - 'pst'
    condition: selection
falsepositives:
    - Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium
medium
PST Export Alert Using eDiscovery Alert
Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content.

title: PST Export Alert Using eDiscovery Alert
id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
related:
    - id: 6897cd82-6664-11ed-9022-0242ac120002
      type: similar
status: test
description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content.
references:
    - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
author: Sorina Ionescu
date: 2022-02-08
modified: 2022-11-17
tags:
    - attack.collection
    - attack.t1114
logsource:
    service: threat_management
    product: m365
    definition: Requires the 'eDiscovery search or exported' alert to be enabled
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'eDiscovery search started or exported'
        status: success
    condition: selection
falsepositives:
    - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
level: medium
medium
PUA - AWS TruffleHog Execution
Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.

title: PUA - AWS TruffleHog Execution
id: a840e606-7c8c-4684-9bc1-eb6b6155127f
status: experimental
description: |
    Detects the execution of TruffleHog, a popular open-source tool used for scanning repositories for secrets and sensitive information, within an AWS environment.
    It has been reported to be used by threat actors for credential harvesting. All detections should be investigated to determine if the usage is authorized by security teams or potentially malicious.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1003
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userAgent: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate use of TruffleHog by security teams for credential scanning.
level: medium
medium
PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
view Sigma YAML
title: PUA - AdFind.EXE Execution
id: 514e7e3e-b3b4-4a67-af60-be20f139198b
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
status: experimental
description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-26
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\AdFind.exe'
        - OriginalFileName: 'AdFind.exe'
        - Hashes|contains:
              - 'IMPHASH=d144de8117df2beceaba2201ad304764'
              - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
              - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
              - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
              - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
              - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
              - 'IMPHASH=680dad9e300346e05a85023965867201'
              - 'IMPHASH=21aa085d54992511b9f115355e468782'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
medium
PUA - Advanced IP Scanner Execution
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
title: PUA - Advanced IP Scanner Execution
id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
date: 2020-05-12
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - OriginalFileName|contains: 'advanced_ip_scanner' # Covers also advanced_ip_scanner_console.exe
        - Description|contains: 'Advanced IP Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner/info.yml
medium
PUA - Advanced IP/Port Scanner Update Check
Detect the update check performed by Advanced IP/Port Scanner utilities.
title: PUA - Advanced IP/Port Scanner Update Check
id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
status: test
description: Detect the update check performed by Advanced IP/Port Scanner utilities.
references:
    - https://www.advanced-ip-scanner.com/
    - https://www.advanced-port-scanner.com/
author: Axel Olsson
date: 2022-08-14
modified: 2024-02-15
tags:
    - attack.discovery
    - attack.reconnaissance
    - attack.t1590
logsource:
    category: proxy
detection:
    selection:
        # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
        # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
        c-uri|contains: '/checkupdate.php'
        c-uri-query|contains|all:
            - 'lng='
            - 'ver='
            - 'beta='
            - 'type='
            - 'rmode='
            - 'product='
    condition: selection
falsepositives:
    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.
level: medium
medium
PUA - Advanced Port Scanner Execution
Detects the use of Advanced Port Scanner.
title: PUA - Advanced Port Scanner Execution
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: test
description: Detects the use of Advanced Port Scanner.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_port_scanner'
        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
        - Description|contains: 'Advanced Port Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
    - Tools with similar commandline (very rare)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml
medium
PUA - AdvancedRun Execution
Detects the execution of the AdvancedRun utility
title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
    - id: fa00b701-44c6-4679-994d-5a18afa8a707
      type: similar
status: test
description: Detects the execution of the AdvancedRun utility
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.003
    - attack.t1134.002
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - OriginalFileName: 'AdvancedRun.exe'
        - CommandLine|contains|all:
              - ' /EXEFilename '
              - ' /Run'
        - CommandLine|contains|all:
              - ' /WindowState 0'
              - ' /RunAs '
              - ' /CommandLine '
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
medium
PUA - CSExec Default Named Pipe
Detects default CSExec pipe creation
title: PUA - CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default CSExec pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\csexecsvc'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium
medium
PUA - Mouse Lock Execution
Kaspersky's 2020 Incident Response Analyst Report lists the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
title: PUA - Mouse Lock Execution
id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
status: test
description: Kaspersky's 2020 Incident Response Analyst Report lists the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
references:
    - https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf
    - https://sourceforge.net/projects/mouselock/
author: Cian Heasley
date: 2020-08-13
modified: 2023-02-21
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Product|contains: 'Mouse Lock'
        - Company|contains: 'Misc314'
        - CommandLine|contains: 'Mouse Lock_'
    condition: selection
falsepositives:
    - Legitimate uses of Mouse Lock software
level: medium
medium
PUA - NimScan Execution
Detects usage of NimScan, a portscanner utility.
In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.
This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
title: PUA - NimScan Execution
id: 4fd6b1c7-19b8-4488-97f6-00f0924991a3
status: test
description: |
    Detects usage of NimScan, a portscanner utility.
    In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment.
    This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
references:
    - https://x.com/cyberfeeddigest/status/1887041526397587859
    - https://github.com/elddy/NimScan
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\NimScan.exe' # Other metadata fields such as originalfilename and product were omitted because they were null
        - Hashes|contains:
              - 'IMPHASH=41BB1C7571B3A724EB83A1D2B96DBB8C' # v1.0.8
              - 'IMPHASH=B1B6ADACB172795480179EFD18A29549' # v1.0.6
              - 'IMPHASH=0D1F896DC7642AD8384F9042F30279C2' # v1.0.4 and v1.0.2
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
PUA - NirCmd Execution
Detects the use of the NirCmd tool for command execution, which could also be the result of legitimate administrative activity
title: PUA - NirCmd Execution
id: 4e2ed651-1906-4a59-a78a-18220fca1b22
status: test
description: Detects the use of the NirCmd tool for command execution, which could also be the result of legitimate administrative activity
references:
    - https://www.nirsoft.net/utils/nircmd.html
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
    - https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_org:
        - Image|endswith: '\NirCmd.exe'
        - OriginalFileName: 'NirCmd.exe'
    selection_cmd:
        CommandLine|contains:
            - ' execmd '
            - '.exe script '
            - '.exe shexec '
            - ' runinteractive '
    combo_exec:
        CommandLine|contains:
            - ' exec '
            - ' exec2 '
    combo_exec_params:
        CommandLine|contains:
            - ' show '
            - ' hide '
    condition: 1 of selection_* or all of combo_*
falsepositives:
    - Legitimate use by administrators
level: medium
medium
PUA - Nmap/Zenmap Execution
Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
title: PUA - Nmap/Zenmap Execution
id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
status: test
description: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
references:
    - https://nmap.org/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
author: frack113
date: 2021-12-10
modified: 2023-12-11
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\nmap.exe'
              - '\zenmap.exe' # The Zenmap GUI ships as zenmap.exe; the original "zennmap.exe" spelling would never match
        - OriginalFileName:
              - 'nmap.exe'
              - 'zenmap.exe'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
PUA - PAExec Default Named Pipe
Detects the PAExec default named pipe
title: PUA - PAExec Default Named Pipe
id: f6451de4-df0a-41fa-8d72-b39f54a08db5
status: test
description: Detects the PAExec default named pipe
references:
    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
    - https://github.com/poweradminllc/PAExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|startswith: '\PAExec'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
PUA - PingCastle Execution
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
title: PUA - PingCastle Execution
id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
    - id: b37998de-a70b-4f33-b219-ec36bf433dc0
      type: derived
status: test
description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
references:
    - https://github.com/vletoux/pingcastle
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
    - https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
    - https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
    - https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
    - https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-01-11
tags:
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains:
              # PingCastle.exe
              - 'MD5=f741f25ac909ee434e50812d436c73ff'
              - 'MD5=d40acbfc29ee24388262e3d8be16f622'
              - 'MD5=01bb2c16fadb992fa66228cd02d45c60'
              - 'MD5=9e1b18e62e42b5444fc55b51e640355b'
              - 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
              - 'MD5=324579d717c9b9b8e71d0269d13f811f'
              - 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
              - 'MD5=049e85963826b059c9bac273bb9c82ab'
              - 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
              - 'MD5=faf87749ac790ec3a10dd069d10f9d63'
              - 'MD5=f296dba5d21ad18e6990b1992aea8f83'
              - 'MD5=93ba94355e794b6c6f98204cf39f7a11'
              - 'MD5=a258ef593ac63155523a461ecc73bdba'
              - 'MD5=97000eb5d1653f1140ee3f47186463c4'
              - 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
              - 'MD5=32fe9f0d2630ac40ea29023920f20f49'
              - 'MD5=a05930dde939cfd02677fc18bb2b7df5'
              - 'MD5=124283924e86933ff9054a549d3a268b'
              - 'MD5=ceda6909b8573fdeb0351c6920225686'
              - 'MD5=60ce120040f2cd311c810ae6f6bbc182'
              - 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
              - 'MD5=011d967028e797a4c16d547f7ba1463f'
              - 'MD5=2da9152c0970500c697c1c9b4a9e0360'
              - 'MD5=b5ba72034b8f44d431f55275bace9f8b'
              - 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
              - 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
              - 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
              - 'MD5=28caff93748cb84be70486e79f04c2df'
              - 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
              - 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
              - 'MD5=86ba9dddbdf49215145b5bcd081d4011'
              - 'MD5=9dce0a481343874ef9a36c9a825ef991'
              - 'MD5=85890f62e231ad964b1fda7a674747ec'
              - 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
              - 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
              - 'MD5=32d45718164205aec3e98e0223717d1d'
              - 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
              - 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
              - 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
              - 'MD5=781fa16511a595757154b4304d2dd350'
              - 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
              - 'MD5=f4a84d6f1caf0875b50135423d04139f'
              - 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
              - 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
              - 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
              - 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
              - 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
              - 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
              - 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
              - 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
              - 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
              - 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
              - 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
              - 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
              - 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
              - 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
              - 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
              - 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
              - 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
              - 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
              - 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
              - 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
              - 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
              - 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
              - 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
              - 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
              - 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
              - 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
              - 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
              - 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
              - 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
              - 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
              - 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
              - 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
              - 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
              - 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
              - 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
              - 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
              - 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
              - 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
              - 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
              - 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
              - 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
              - 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
              - 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
              - 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
              - 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
              - 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
              - 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
              - 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
              - 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
              - 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
              - 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
              - 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
              - 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
              - 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
              - 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
              - 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
              - 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
              - 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
              - 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
              - 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
              - 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
              - 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
              - 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
              - 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
              - 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
              - 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
              - 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
              - 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
              - 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
              - 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
              - 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
              - 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
              - 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
              - 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
              - 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
              - 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
              - 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
              - 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
              - 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
              - 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
              - 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
              - 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
              - 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
              - 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
        - Image|endswith: '\PingCastle.exe'
        - OriginalFileName: PingCastle.exe
        - Product: 'Ping Castle'
        - CommandLine|contains:
              - '--scanner aclcheck'
              - '--scanner antivirus'
              - '--scanner computerversion'
              - '--scanner foreignusers'
              - '--scanner laps_bitlocker'
              - '--scanner localadmin'
              - '--scanner nullsession'
              - '--scanner nullsession-trust'
              - '--scanner oxidbindings'
              - '--scanner remote'
              - '--scanner share'
              - '--scanner smb'
              - '--scanner smb3querynetwork'
              - '--scanner spooler'
              - '--scanner startup'
              - '--scanner zerologon'
        - CommandLine|contains: '--no-enum-limit'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--level Full'
        - CommandLine|contains|all:
              - '--healthcheck'
              - '--server '
    condition: selection
falsepositives:
    - Unknown
# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
level: medium
medium
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
title: PUA - Potential PE Metadata Tamper Using Rcedit
id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689
status: test
description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
references:
    - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe
    - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915
    - https://github.com/electron/rcedit
author: Micah Babinski
date: 2022-12-11
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036
    - attack.t1027.005
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rcedit-x64.exe'
              - '\rcedit-x86.exe'
        - Description: 'Edit resources of exe'
        - Product: 'rcedit'
    selection_flags:
        CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string"
    selection_attributes:
        CommandLine|contains:
            - 'OriginalFileName'
            - 'CompanyName'
            - 'FileDescription'
            - 'ProductName'
            - 'ProductVersion'
            - 'LegalCopyright'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool by administrators or users to update metadata of a binary
level: medium
medium
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc.).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
Threat actors abused older vulnerable versions to manipulate system processes.
title: PUA - Process Hacker Execution
id: 811e0002-b13b-4a15-9d00-a613fce66e42
related:
    - id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
      type: similar
status: test
description: |
    Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc.).
    Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
    Threat actors abused older vulnerable versions to manipulate system processes.
references:
    - https://processhacker.sourceforge.io/
    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth (Nextron Systems)
date: 2022-10-10
modified: 2024-11-23
tags:
    - attack.discovery
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1622
    - attack.t1564
    - attack.t1543
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains: '\ProcessHacker_'
        - Image|endswith: '\ProcessHacker.exe'
        - OriginalFileName:
              - 'ProcessHacker.exe'
              - 'Process Hacker'
        - Description: 'Process Hacker'
        - Product: 'Process Hacker'
        - Hashes|contains:
              - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
              - 'MD5=B365AF317AE730A67C936F21432B9C71'
              - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
              - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
              - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
              - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
              - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
              - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
    condition: selection
falsepositives:
    - While Process Hacker is sometimes used by legitimate administrators, its execution must be investigated and allowed on a case by case basis
level: medium
medium
PUA - Radmin Viewer Utility Execution
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
title: PUA - Radmin Viewer Utility Execution
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: test
description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
    - https://www.radmin.fr/
author: frack113
date: 2022-01-22
modified: 2023-12-11
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Radmin Viewer'
        - Product: 'Radmin Viewer'
        - OriginalFileName: 'Radmin.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
PUA - RemCom Default Named Pipe
Detects default RemCom pipe creation
title: PUA - RemCom Default Named Pipe
id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default RemCom pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/kavika13/RemCom
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\RemCom'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium
medium
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks.
It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
title: PUA - SoftPerfect Netscan Execution
id: ca387a8e-1c84-4da3-9993-028b45342d30
status: test
description: |
    Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks.
    It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
references:
    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
    - https://www.softperfect.com/products/networkscanner/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-04-25
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\netscan.exe'
        - Product: 'Network Scanner'
        - Description: 'Application for scanning networks'
    condition: selection
falsepositives:
    - Legitimate administrator activity
level: medium
medium
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
medium
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
title: PUA - System Informer Driver Load
id: 10cb6535-b31d-4512-9962-513dcbc42cc1
related:
    - id: 67add051-9ee7-4ad3-93ba-42935615ae8d
      type: similar
status: test
description: Detects driver load of the System Informer tool
references:
    - https://systeminformer.sourceforge.io/
    - https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith: '\SystemInformer.sys'
        - Hashes|contains:
              - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
              - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
              - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
              - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
              - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
              - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
              - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
              - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
              - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
              - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
              - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
              - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
              - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
    condition: selection
falsepositives:
    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
title: PUA - System Informer Execution
id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
related:
    - id: 811e0002-b13b-4a15-9d00-a613fce66e42
      type: similar
status: test
description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
references:
    - https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.stealth
    - attack.t1082
    - attack.t1564
    - attack.t1543
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SystemInformer.exe'
        - OriginalFileName: 'SystemInformer.exe'
        - Description: 'System Informer'
        - Product: 'System Informer'
        - Hashes|contains:
              # Note: add other hashes as needed
              # 3.0.11077.6550
              - 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
              - 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
              - 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
              - 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
    condition: selection
falsepositives:
    - System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
Showing 651-700 of 1,492