Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,492
medium
Moderate
High FP
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
view Sigma YAML
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-16
modified: 2022-06-22
tags:
- attack.stealth
- attack.t1218
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\SyncAppvPublishingServer.vbs'
- ';' # at a minimum, a semi-colon is required
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
view Sigma YAML
title: Sysinternals PsService Execution
id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
status: test
description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
modified: 2023-02-24
tags:
- attack.privilege-escalation
- attack.discovery
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'psservice.exe'
- Image|endswith:
- '\PsService.exe'
- '\PsService64.exe'
condition: selection
falsepositives:
- Legitimate use of PsService by an administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
view Sigma YAML
title: Sysinternals PsSuspend Execution
id: 48bbc537-b652-4b4e-bd1d-281172df448f
related:
- id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
type: similar
status: test
description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
- https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
- attack.privilege-escalation
- attack.discovery
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'pssuspend.exe'
- Image|endswith:
- '\pssuspend.exe'
- '\pssuspend64.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
view Sigma YAML
title: Sysmon Configuration Change
id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
status: test
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2022-01-12
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 16
# To avoid FP just add
# filter:
# ConfigurationFileHash: 'SHA256=The_Hash_Of_Your_Valid_Config_XML'
# condition: selection and not filter
condition: selection
falsepositives:
- Legitimate administrative action
level: medium
regression_tests_path: regression_data/rules/windows/sysmon/sysmon_config_modification/info.yml
Convert to SIEM query
medium
Moderate
High FP
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
view Sigma YAML
title: Sysmon Configuration Update
id: 87911521-7098-470b-a459-9a57fc80bdfd
status: test
description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
modified: 2024-03-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith:
- \Sysmon64.exe
- \Sysmon.exe
- Description: 'System activity monitor'
selection_cli:
CommandLine|contains|windash: '-c'
condition: all of selection_*
falsepositives:
- Legitimate administrators might use this command to update Sysmon configuration.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
view Sigma YAML
title: Sysmon File Executable Creation Detected
id: 693a44e9-7f26-4cb6-b787-214867672d3a
status: test
description: Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
- https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
author: frack113
date: 2023-07-20
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 29 # this is fine, we want to match any FileExecutableDetected event
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Sysprep on AppData Folder
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
view Sigma YAML
title: Sysprep on AppData Folder
id: d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e
status: test
description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
references:
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth (Nextron Systems)
date: 2018-06-22
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sysprep.exe'
CommandLine|contains: '\AppData\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
view Sigma YAML
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: similar
status: test
description: |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
- attack.execution
- attack.discovery
- attack.t1047
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
- CommandLine|contains:
- ' volumename'
- ' logicaldisk'
- CommandLine|contains|all:
- 'path'
- 'win32_logicaldisk'
- CommandLine|contains|all:
- ' volume'
- ' list '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
view Sigma YAML
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
Detects the use of "ioreg" which will show I/O Kit registry information.
This process is used for system information discovery.
It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
references:
- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# Examples:
# /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
# /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
# /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
# ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
selection_img:
- Image|endswith: '/ioreg'
- CommandLine|contains: 'ioreg'
selection_cmd1:
CommandLine|contains:
- '-l'
- '-c'
selection_cmd2:
CommandLine|contains:
- 'AppleAHCIDiskDriver'
- 'IOPlatformExpertDevice'
- 'Oracle'
- 'Parallels'
- 'USB Vendor Name'
- 'VirtualBox'
- 'VMware'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Using System_Profiler
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
view Sigma YAML
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
- https://ss64.com/mac/system_profiler.html
- https://objective-see.org/blog/blog_0x62.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1497.001
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/system_profiler'
- CommandLine|contains: 'system_profiler'
selection_cmd:
# Note: This list is based on CTI reporting. Threat actors might use other data types. Please refere to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
CommandLine|contains:
- 'SPApplicationsDataType'
- 'SPHardwareDataType'
- 'SPNetworkDataType'
- 'SPUSBDataType'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Using sw_vers
Detects the use of "sw_vers" for system information discovery
view Sigma YAML
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
- https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
selection_image:
Image|endswith: '/sw_vers'
selection_options:
CommandLine|contains:
- '-buildVersion'
- '-productName'
- '-productVersion'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Strong
High FP
System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
view Sigma YAML
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
references:
- https://www.loobins.io/binaries/sysctl/#
- https://evasions.checkpoint.com/techniques/macos.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://objective-see.org/blog/blog_0x1E.html
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
- attack.stealth
- attack.t1497.001
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/sysctl'
- CommandLine|contains: 'sysctl'
selection_cmd:
CommandLine|contains:
- 'hw.'
- 'kern.'
- 'machdep.'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
view Sigma YAML
title: System Integrity Protection (SIP) Disabled
id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
status: test
description: |
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
references:
- https://ss64.com/osx/csrutil.html
- https://objective-see.org/blog/blog_0x6D.html
- https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
- https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
- attack.discovery
- attack.t1518.001
logsource:
product: macos
category: process_creation
detection:
# VT Query: behavior_processes:"csrutil status" p:5+ type:mac
selection:
Image|endswith: '/csrutil'
CommandLine|contains: 'disable'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
System Language Discovery via Reg.Exe
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
view Sigma YAML
title: System Language Discovery via Reg.Exe
id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886
status: experimental
description: |
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
references:
- https://scythe.io/threat-thursday/threatthursday-darkside-ransomware
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains|all:
- 'query'
- 'Control\Nls\Language'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml
simulation:
- type: atomic-red-team
name: Discover System Language by Registry Query
technique: T1614.001
atomic_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
Convert to SIEM query
medium
Strong
Medium FP
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: System Scripts Autorun Keys Modification
id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
scripts_base:
TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts'
scripts:
TargetObject|contains:
- '\Startup'
- '\Shutdown'
- '\Logon'
- '\Logoff'
filter:
Details: '(Empty)'
condition: scripts_base and scripts and not filter
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Systemd Service Creation
Detects a creation of systemd services which could be used by adversaries to execute malicious code.
view Sigma YAML
title: Systemd Service Creation
id: 1bac86ba-41aa-4f62-9d6b-405eac99b485
status: test
description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
author: 'Pawel Mazur'
date: 2022-02-03
modified: 2022-02-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.002
logsource:
product: linux
service: auditd
detection:
path:
type: 'PATH'
nametype: 'CREATE'
name_1:
name|startswith:
- '/usr/lib/systemd/system/'
- '/etc/systemd/system/'
name_2:
name|contains: '/.config/systemd/user/'
condition: path and 1 of name_*
falsepositives:
- Admin work like legit service installs.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
TacticalRMM Service Installation
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
view Sigma YAML
title: TacticalRMM Service Installation
id: 4bb79b62-ef12-4861-981d-2aab43fab642
status: test
description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
references:
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'tacticalrmm.exe'
- ServiceName|contains: 'TacticalRMM Agent Service'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
view Sigma YAML
title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains: 'tap0901'
condition: selection
falsepositives:
- Legitimate OpenVPN TAP installation
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Tap Installer Execution
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
view Sigma YAML
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\tapinstall.exe'
filter_optional_avast:
Image|contains:
- ':\Program Files\Avast Software\SecureLine VPN\'
- ':\Program Files (x86)\Avast Software\SecureLine VPN\'
filter_optional_openvpn:
Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
filter_optional_protonvpn:
Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate OpenVPN TAP installation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
view Sigma YAML
title: TeamViewer Domain Query By Non-TeamViewer Application
id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
status: test
description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
references:
- https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
modified: 2023-09-18
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName:
- 'taf.teamviewer.com'
- 'udp.ping.teamviewer.com'
filter_main_teamviewer:
# Note: To avoid evasion based on similar names. Best add full install location of TeamViewer
Image|contains: 'TeamViewer'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown binary names of TeamViewer
- Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications
level: medium
Convert to SIEM query
medium
Moderate
High FP
TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
view Sigma YAML
title: TeamViewer Remote Session
id: 162ab1e4-6874-4564-853c-53ec3ab8be01
status: test
description: Detects the creation of log files during a TeamViewer remote session
references:
- https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection1:
TargetFilename|endswith:
- '\TeamViewer\RemotePrinting\tvprint.db'
- '\TeamViewer\TVNetwork.log'
selection2:
TargetFilename|contains|all:
- '\TeamViewer'
- '_Logfile.log'
condition: 1 of selection*
falsepositives:
- Legitimate uses of TeamViewer in an organisation
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
view Sigma YAML
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.002
logsource:
category: proxy
detection:
selection:
cs-host: 'api.telegram.org' # Often used by Bots
filter:
c-useragent|contains:
# Used https://core.telegram.org/bots/samples for this list
- 'Telegram'
- 'Bot'
condition: selection and not filter
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
view Sigma YAML
title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
status: test
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
references:
- https://core.telegram.org/bots/faq
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1102.002
logsource:
category: dns
detection:
selection:
query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq
condition: selection
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
Convert to SIEM query
medium
Moderate
High FP
Terminate Linux Process Via Kill
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
view Sigma YAML
title: Terminate Linux Process Via Kill
id: 64c41342-6b27-523b-5d3f-c265f3efcdb3
status: test
description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
- https://www.cyberciti.biz/faq/how-force-kill-process-linux/
- https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
author: Tuan Le (NCSGroup)
date: 2023-03-16
modified: 2024-12-12
tags:
- attack.defense-impairment
- attack.t1685
- detection.threat-hunting
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/kill'
- '/killall'
- '/pkill'
- '/xkill'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Testing Usage of Uncommonly Used Port
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
view Sigma YAML
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
description: |
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
- https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022-01-23
tags:
- attack.command-and-control
- attack.t1571
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Test-NetConnection
- '-ComputerName '
- '-port '
filter:
ScriptBlockText|contains:
- ' 443 '
- ' 80 '
condition: selection and not filter
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Third Party Software DLL Sideloading
Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
view Sigma YAML
title: Third Party Software DLL Sideloading
id: f9df325d-d7bc-4a32-8a1a-2cc61dcefc63
status: test
description: Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Lenovo
selection_lenovo:
ImageLoaded|endswith: '\commfunc.dll'
filter_lenovo:
- ImageLoaded|contains: '\AppData\local\Google\Chrome\Application\'
- ImageLoaded|startswith:
- 'C:\Program Files\Lenovo\Communications Utility\'
- 'C:\Program Files (x86)\Lenovo\Communications Utility\'
# Toshiba
selection_toshiba:
ImageLoaded|endswith: '\tosbtkbd.dll'
filter_toshiba:
ImageLoaded|startswith:
- 'C:\Program Files\Toshiba\Bluetooth Toshiba Stack\'
- 'C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\'
# Zoom (FP with System32)
# selection_zoom:
# ImageLoaded|endswith: '\version.dll'
# filter_zoom:
# ImageLoaded|startswith: 'C:\Users\'
# ImageLoaded|contains: '\AppData\Roaming\Zoom\bin\'
condition: (selection_lenovo and not filter_lenovo) or (selection_toshiba and not filter_toshiba)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
view Sigma YAML
title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
id: 452df256-da78-427a-866f-49fa04417d74
status: test
description: |
Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'delete'
condition: all of selection_*
falsepositives:
- Legitimate activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Time Machine Backup Disabled Via Tmutil - MacOS
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
view Sigma YAML
title: Time Machine Backup Disabled Via Tmutil - MacOS
id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
status: test
description: |
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'disable'
condition: all of selection_*
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Tomcat WebServer Logs Deleted
Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://linuxhint.com/view-tomcat-logs-windows/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-16
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|contains|all:
- '\Tomcat'
- '\logs\'
TargetFilename|contains:
- 'catalina.'
- '_access_log.'
- 'localhost.'
condition: selection
falsepositives:
- During uninstallation of the tomcat server
- During log rotation
level: medium
Convert to SIEM query
medium
Moderate
High FP
Touch Suspicious Service File
Detects usage of the "touch" process in service file.
view Sigma YAML
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: test
description: Detects usage of the "touch" process in service file.
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-11
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/touch'
CommandLine|contains: ' -t '
CommandLine|endswith: '.service'
condition: selection
falsepositives:
- Admin changing date of files.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
view Sigma YAML
title: Transferring Files with Credential Data via Network Shares
id: 910ab938-668b-401b-b08c-b596e80fdca5
related:
- id: 2e69f167-47b5-4ae7-a390-47764529eff5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2025-07-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 5145
selection_object:
- RelativeTargetName|contains:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- RelativeTargetName:
- 'Windows\NTDS\ntds.dit'
- 'Windows\System32\config\SAM'
- 'Windows\System32\config\SECURITY'
- 'Windows\System32\config\SYSTEM'
condition: all of selection_*
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Transferring Files with Credential Data via Network Shares - Zeek
Transferring files with well-known filenames (sensitive files with credential data) using network shares
view Sigma YAML
title: Transferring Files with Credential Data via Network Shares - Zeek
id: 2e69f167-47b5-4ae7-a390-47764529eff5
related:
- id: 910ab938-668b-401b-b08c-b596e80fdca5
type: similar
status: test
description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: '@neu5ron, Teymur Kheirkhabarov, oscd.community'
date: 2020-04-02
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.001
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
name:
- '\mimidrv'
- '\lsass'
- '\windows\minidump\'
- '\hiberfil'
- '\sqldmpr'
- '\sam'
- '\ntds.dit'
- '\security'
condition: selection
falsepositives:
- Transferring sensitive files for legitimate administration work by legitimate administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
view Sigma YAML
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: test
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
references:
- https://twitter.com/nas_bench/status/1537919885031772161
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
- attack.stealth
- attack.t1202
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Invoke-TroubleshootingPack'
- 'C:\Windows\Diagnostics\System\PCW'
- '-AnswerFile'
- '-Unattended'
condition: selection
falsepositives:
- Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium
Convert to SIEM query
medium
Moderate
High FP
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
view Sigma YAML
title: Tunneling Tool Execution
id: c75309a3-59f8-4a8d-9c2c-4c927ad50555
status: test
description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
author: Daniil Yugoslavskiy, oscd.community
references:
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
date: 2019-10-24
modified: 2024-01-18
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1041
- attack.t1572
- attack.t1071.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\httptunnel.exe'
- '\plink.exe'
- '\socat.exe'
- '\stunnel.exe'
condition: selection
falsepositives:
- Legitimate administrators using one of these tools
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
view Sigma YAML
title: UAC Bypass via Windows Firewall Snap-In Hijack
id: e52cb31c-10ed-4aea-bcb7-593c9f4a315b
status: test
description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\mmc.exe'
ParentCommandLine|contains: 'WF.msc'
filter:
Image|endswith: '\WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
view Sigma YAML
title: UAC Disabled
id: 48437c39-9e5f-47fb-af95-3d663c3f2919
related:
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038
type: similar
- id: 0d7ceeef-3539-4392-8953-3dc664912714
type: similar
status: stable
description: |
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2022-01-05
modified: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
view Sigma YAML
title: UAC Notification Disabled
id: c5f6a85d-b647-40f7-bbad-c10b66bab038
related:
- id: 0d7ceeef-3539-4392-8953-3dc664912714
type: similar
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919
type: similar
status: test
description: |
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
- https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Security Center\UACDisableNotify'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
view Sigma YAML
title: UAC Secure Desktop Prompt Disabled
id: 0d7ceeef-3539-4392-8953-3dc664912714
related:
- id: c5f6a85d-b647-40f7-bbad-c10b66bab038
type: similar
- id: 48437c39-9e5f-47fb-af95-3d663c3f2919
type: similar
status: test
description: |
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
author: frack113
date: 2024-05-10
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
UFW Disable Attempt
Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
view Sigma YAML
title: UFW Disable Attempt
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: test
description: |
Detects attempts to disable the Uncomplicated Firewall (UFW) on Linux systems.
UFW is a popular firewall management tool that provides an easy-to-use interface for configuring firewall rules.
Disabling UFW can leave a system vulnerable to attacks, as it may allow unauthorized access to network services and resources.
references:
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
- https://manpages.debian.org/unstable/ufw/ufw-framework.8.en.html
- https://www.cyberciti.biz/faq/linux-disable-firewall-command/
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-18
modified: 2026-05-04
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
category: process_creation
detection:
selection_ufw_init:
Image|endswith: '/ufw-init'
CommandLine|contains:
- ' force-stop' # same as stop, except does not check if the firewall is already loaded
- ' stop' # unloads the firewall
- ' flush' # flushes the built-in chains, deletes all non-built-in chains and resets the policy to ACCEPT
selection_ufw_disable:
CommandLine|contains|all:
# Covers both ufw disable and systemctl disable ufw
# systemctl disable ufw -- prevents UFW starting at boot, but does not stop the currently running instance of UFW
# ufw disable -- stops the currently running instance of UFW and prevents it from starting at boot
- 'ufw '
- 'disable'
condition: 1 of selection_*
falsepositives:
- Legitimate actions by system administrators to disable UFW.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
view Sigma YAML
title: Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
id: f24bcaea-0cd1-11eb-adc1-0242ac120002
status: test
description: Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
references:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
- https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-12
modified: 2024-03-06
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AtBroker.exe'
- OriginalFileName: 'AtBroker.exe'
selection_cli:
CommandLine|contains: 'start'
filter_main_builtin:
CommandLine|contains:
- 'animations'
- 'audiodescription'
- 'caretbrowsing'
- 'caretwidth'
- 'colorfiltering'
- 'cursorindicator'
- 'cursorscheme'
- 'filterkeys'
- 'focusborderheight'
- 'focusborderwidth'
- 'highcontrast'
- 'keyboardcues'
- 'keyboardpref'
- 'livecaptions'
- 'magnifierpane'
- 'messageduration'
- 'minimumhitradius'
- 'mousekeys'
- 'Narrator'
- 'osk'
- 'overlappedcontent'
- 'showsounds'
- 'soundsentry'
- 'speechreco'
- 'stickykeys'
- 'togglekeys'
- 'voiceaccess'
- 'windowarranging'
- 'windowtracking'
- 'windowtrackingtimeout'
- 'windowtrackingzorder'
filter_optional_java:
CommandLine|contains: 'Oracle_JavaAccessBridge'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate, non-default assistive technology applications execution
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
view Sigma YAML
title: Uncommon AddinUtil.EXE CommandLine Execution
id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
status: test
description: |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\addinutil.exe'
- OriginalFileName: 'AddInUtil.exe'
selection_cli:
CommandLine|contains:
- '-AddInRoot:'
- '-PipelineRoot:'
filter_main_addinroot:
CommandLine|contains:
- '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
- '-AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
- '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
- '-PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
view Sigma YAML
title: Uncommon Child Process Of AddinUtil.EXE
id: b5746143-59d6-4603-8d06-acbd60e166ee
status: test
description: |
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\addinutil.exe'
filter_main_werfault:
Image|endswith:
- ':\Windows\System32\conhost.exe'
- ':\Windows\System32\werfault.exe'
- ':\Windows\SysWOW64\werfault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE
Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
or to mark a file as a system file.
view Sigma YAML
title: Uncommon Child Process Of Appvlp.EXE
id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43
status: test
description: |
Detects uncommon child processes of Appvlp.EXE
Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
or to mark a file as a system file.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
author: Sreeman
date: 2020-03-13
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\appvlp.exe'
# Note: Filters based on data from EchoTrail: https://www.echotrail.io/insights/search/appvlp.exe/
filter_main_generic:
Image|endswith:
- ':\Windows\SysWOW64\rundll32.exe'
- ':\Windows\System32\rundll32.exe'
filter_optional_office_msoasb:
Image|contains: ':\Program Files\Microsoft Office'
Image|endswith: '\msoasb.exe'
filter_optional_office_skype:
Image|contains|all:
- ':\Program Files\Microsoft Office'
- '\SkypeSrv\'
Image|endswith: '\SKYPESERVER.EXE'
filter_optional_office_msouc:
Image|contains: ':\Program Files\Microsoft Office'
Image|endswith: '\MSOUC.EXE'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
view Sigma YAML
title: Uncommon Child Process Of BgInfo.EXE
id: aaf46cdc-934e-4284-b329-34aa701e3771
related:
- id: 811f459f-9231-45d4-959a-0266c6311987
type: similar
status: test
description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2019-10-26
modified: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Child Process Of Conhost.EXE
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
view Sigma YAML
title: Uncommon Child Process Of Conhost.EXE
id: 7dc2dedd-7603-461a-bc13-15803d132355
related:
- id: dfa03a09-8b92-4d83-8e74-f72839b1c407
type: similar
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\conhost.exe'
filter_main_conhost:
Image|endswith: ':\Windows\System32\conhost.exe'
filter_main_null:
Image: null
filter_main_empty:
Image: ''
filter_optional_provider:
Provider_Name: 'SystemTraceProvider-Process' # Race condition with SystemTrace doesn't provide all fields.
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Uncommon Child Process Of Defaultpack.EXE
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
view Sigma YAML
title: Uncommon Child Process Of Defaultpack.EXE
id: b2309017-4235-44fe-b5af-b15363011957
status: test
description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/
- https://www.echotrail.io/insights/search/defaultpack.exe
author: frack113
date: 2022-12-31
modified: 2024-04-22
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\DefaultPack.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
view Sigma YAML
title: Uncommon Child Process Spawned By Odbcconf.EXE
id: 8e3c7994-131e-4ba5-b6ea-804d49113a26
status: test
description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
author: Harjot Singh @cyb3rjy0t
date: 2023-05-22
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\odbcconf.exe'
condition: selection
falsepositives:
- In rare occurrences where "odbcconf" crashes. It might spawn a "werfault" process
- Other child processes will depend on the DLL being registered by actions like "regsvr". In case where the DLLs have external calls (which should be rare). Other child processes might spawn and additional filters need to be applied.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon Child Processes Of SndVol.exe
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
view Sigma YAML
title: Uncommon Child Processes Of SndVol.exe
id: ba42babc-0666-4393-a4f7-ceaf5a69191e
status: test
description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
references:
- https://twitter.com/Max_Mal_/status/1661322732456353792
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\SndVol.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains: ' shell32.dll,Control_RunDLL '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Connection to Active Directory Web Services
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
view Sigma YAML
title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: test
description: |
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
- https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: true
DestinationPort: 9389
filter_main_dsac:
Image: 'C:\Windows\system32\dsac.exe'
filter_main_ms_monitoring_agent:
Image: 'C:\Program Files\Microsoft Monitoring Agent\'
filter_main_powershell:
Image|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
- 'C:\Windows\System32\WindowsPowerShell\'
- 'C:\Windows\SysWOW64\WindowsPowerShell\'
condition: selection and not 1 of filter_main_*
falsepositives:
- ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
view Sigma YAML
title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
- id: 517490a7-115a-48c6-8862-1a481504d5a8
type: derived
status: test
description: |
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2024-01-10
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
filter_main_legit_ext:
CommandLine|contains: '.sdb'
filter_main_legit_extensions:
# ParentImage|endswith: ':\Windows\System32\svchost.exe'
- CommandLine|endswith:
- ' -c'
- ' -f'
- ' -mm'
- ' -t'
- CommandLine|contains: ' -m -bg'
filter_main_null:
CommandLine: null
filter_main_empty:
CommandLine: ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 1301-1350 of 1,492