Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 3,750
high
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
view Sigma YAML
title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: test
description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-11-30
modified: 2023-08-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Product: 'GNU Privacy Guard (GnuPG)'
- Description: 'GnuPG’s OpenPGP tool'
selection_cli:
CommandLine|contains: '-passphrase'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
view Sigma YAML
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
- https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
- attack.discovery
- attack.t1135
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'shell:mycomputerfolder'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
Convert to SIEM query
high
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
view Sigma YAML
title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
# Note: Add more suspicious locations to increase coverage
- '\AppData\Roaming\'
- '\Desktop\'
- '\Local\Temp\'
- '\PerfLogs\'
- '\Users\Public\'
- '\Windows\Temp\'
- '$Recycle.Bin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
Convert to SIEM query
high
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
view Sigma YAML
title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_extension:
CommandLine|contains:
- '.7z'
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dll'
- '.gif'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.log'
- '.png'
- '.ps1'
- '.psm1'
- '.rar'
- '.scf'
- '.sct'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wsf'
- '.wsh'
- '.xll'
- '.zip'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
high
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
view Sigma YAML
title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
- attack.t1204.002
- attack.execution
logsource:
product: windows
category: file_event
detection:
# Note: Please add more file extensions to the logic of your choice.
selection1:
Image|endswith:
- '\excel.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\powerpnt.exe'
- '\visio.exe'
- '\winword.exe'
selection2:
TargetFilename|endswith:
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.ocx'
- '.proj'
- '.ps1'
- '.scf'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\WebServiceCache\AllUsers'
TargetFilename|endswith: '.com'
filter_optional_webex:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\[email protected]
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\BackstageInAppNavCache\'
TargetFilename|endswith: '.com'
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
view Sigma YAML
title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
- id: 4be03877-d5b6-4520-85c9-a5911c0a656c
type: similar
status: experimental
description: |
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
- https://x.com/russianpanda9xx/status/1940831134759506029
- https://mrd0x.com/filefix-clickfix-alternative/
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.004
logsource:
category: registry_set
product: windows
detection:
selection_base:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
Details|contains|all:
- '#'
- 'http'
selection_cmd:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
view Sigma YAML
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains|all:
- 'cpassword'
- '\sysvol\'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
- type: atomic-red-team
name: GPP Passwords (findstr)
technique: T1552.006
atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
Convert to SIEM query
high
Finger.EXE Execution
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
view Sigma YAML
title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
status: test
description: |
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'finger.exe'
- Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml
Convert to SIEM query
high
Fireball Archer Install
Detects Archer malware invocation via rundll32
view Sigma YAML
title: Fireball Archer Install
id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
status: test
description: Detects Archer malware invocation via rundll32
references:
- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-06-03
modified: 2021-11-27
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- 'InstallArcherSvc'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
First Time Seen Remote Named Pipe
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
view Sigma YAML
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'sql\query'
- 'eventlog'
condition: selection1 and not false_positives
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
Convert to SIEM query
high
First Time Seen Remote Named Pipe - Zeek
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
view Sigma YAML
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
- id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
filter_keywords:
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection and not 1 of filter_*
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
Convert to SIEM query
high
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
view Sigma YAML
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
Convert to SIEM query
high
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
view Sigma YAML
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_delete
product: windows
detection:
selection:
EventType: DeleteValue
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
condition: selection
falsepositives:
- Legitimate administrators removing applications (should always be investigated)
level: high
Convert to SIEM query
high
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue".
Seen being created by Forest Blizzard APT as reported by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Custom Protocol Handler Creation
id: 5cdeb555-65de-4767-99fe-e26807465148
status: test
description: |
Detects the setting of a custom protocol handler with the name "rogue".
Seen being created by Forest Blizzard APT as reported by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\PROTOCOLS\\Handler\rogue\CLSID'
Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler.
Seen being created by Forest Blizzard APT as reported by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
id: d807056b-0e00-4cec-b7f8-b8b7518e382b
status: test
description: |
Detects the setting of the DLL that handles the custom protocol handler.
Seen being created by Forest Blizzard APT as reported by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
Details|endswith: '.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
view Sigma YAML
title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: test
description: |
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2024-07-11
tags:
- attack.defense-impairment
- attack.t1685.001
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_programdata_driver_store:
TargetFilename|startswith:
- 'C:\ProgramData\Microsoft\v'
- 'C:\ProgramData\Adobe\v'
- 'C:\ProgramData\Comms\v'
- 'C:\ProgramData\Intel\v'
- 'C:\ProgramData\Kaspersky Lab\v'
- 'C:\ProgramData\Bitdefender\v'
- 'C:\ProgramData\ESET\v'
- 'C:\ProgramData\NVIDIA\v'
- 'C:\ProgramData\UbiSoft\v'
- 'C:\ProgramData\Steam\v'
TargetFilename|contains:
- '\prnms003.inf_'
- '\prnms009.inf_'
selection_programdata_main:
TargetFilename|startswith: 'C:\ProgramData\'
selection_programdata_files_1:
TargetFilename|endswith:
- '.save'
- '\doit.bat'
- '\execute.bat'
- '\servtask.bat'
# Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
selection_programdata_files_2:
TargetFilename|contains: '\wayzgoose'
TargetFilename|endswith: '.dll'
condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - Process Creation Activity
Detects the execution of specific processes and command line combination.
These were seen being created by Forest Blizzard as described by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
Detects the execution of specific processes and command line combination.
These were seen being created by Forest Blizzard as described by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2025-01-22
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_hashes:
Hashes|contains:
- 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
- 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
selection_schtasks_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- 'Create'
- '/RU'
- 'SYSTEM'
- '\Microsoft\Windows\WinSrv'
CommandLine|contains:
- 'servtask.bat'
- 'execute.bat'
- 'doit.bat'
selection_schtasks_delete:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- 'Delete'
- '/F '
- '\Microsoft\Windows\WinSrv'
selection_powershell:
CommandLine|contains|all:
- 'Get-ChildItem'
- '.save'
- 'Compress-Archive -DestinationPath C:\ProgramData\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
view Sigma YAML
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
view Sigma YAML
title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: test
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-30
modified: 2022-10-06
tags:
- attack.resource-development
- attack.t1587.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
ParentCommandLine|endswith: '.exe'
selection2:
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\AppData\Local\Temp\'
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\Desktop\'
- CommandLine|contains|all:
- '/C'
- 'type nul >'
- 'C:\Users\'
- '\Desktop\'
selection3:
CommandLine|endswith: '.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
view Sigma YAML
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
- attack.impact
- attack.stealth
- attack.t1070
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\fsutil.exe'
- OriginalFileName: 'fsutil.exe'
selection_cli:
CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
- 'setZeroData' # file setZeroData ==> empties a file with zeroes
condition: all of selection_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
FunkLocker Ransomware File Creation
Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
view Sigma YAML
title: FunkLocker Ransomware File Creation
id: 2c76a22b-702d-48fd-8fa9-e41e2fe203b3
status: experimental
description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
references:
- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware
- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware
author: Saiprashanth Pulisetti ( @Prashanthblogs)
date: 2025-08-08
tags:
- attack.impact
- attack.t1486
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.funksec'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
view Sigma YAML
title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
Convert to SIEM query
high
GALLIUM Artefacts - Builtin
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
view Sigma YAML
title: GALLIUM Artefacts - Builtin
id: 3db10f25-2527-4b79-8d4b-471eb900ee29
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: test
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
author: Tim Burrell
date: 2020-02-07
modified: 2023-01-02
tags:
- attack.credential-access
- attack.command-and-control
- attack.t1071
- detection.emerging-threats
logsource:
product: windows
service: dns-server-analytic
definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
detection:
selection:
EventID: 257
QNAME:
- 'asyspy256.ddns.net'
- 'hotkillmail9sddcc.ddns.net'
- 'rosaf112.ddns.net'
- 'cvdfhjh1231.myftp.biz'
- 'sz2016rose.ddns.net'
- 'dffwescwer4325.myftp.biz'
- 'cvdfhjh1231.ddns.net'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
GALLIUM IOCs
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
view Sigma YAML
title: GALLIUM IOCs
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: test
description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
author: Tim Burrell
date: 2020-02-07
modified: 2024-11-23
tags:
- attack.credential-access
- attack.command-and-control
- attack.t1212
- attack.t1071
- attack.g0093
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
Hashes|contains:
- 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'
- 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'
- 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'
- 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'
- 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'
- 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'
- 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'
- 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'
- 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
view Sigma YAML
title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: test
description: Detects when a user disables a critical security feature for an organization.
references:
- https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
- https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-29
modified: 2024-07-22
tags:
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1556
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'business_advanced_security.disabled_for_new_repos'
- 'business_advanced_security.disabled_for_new_user_namespace_repos'
- 'business_advanced_security.disabled'
- 'business_advanced_security.user_namespace_repos_disabled'
- 'org.advanced_security_disabled_for_new_repos'
- 'org.advanced_security_disabled_on_all_repos'
- 'org.advanced_security_policy_selected_member_disabled'
- 'org.disable_oauth_app_restrictions'
- 'org.disable_two_factor_requirement'
- 'repo.advanced_security_disabled'
condition: selection
falsepositives:
- Approved administrator/owner activities.
level: high
Convert to SIEM query
high
Github Push Protection Disabled
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
view Sigma YAML
title: Github Push Protection Disabled
id: ccd55945-badd-4bae-936b-823a735d37dd
status: test
description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
references:
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
- https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'business_secret_scanning_custom_pattern_push_protection.disabled'
- 'business_secret_scanning_push_protection.disable'
- 'business_secret_scanning_push_protection.disabled_for_new_repos'
- 'org.secret_scanning_custom_pattern_push_protection_disabled'
- 'org.secret_scanning_push_protection_disable'
- 'org.secret_scanning_push_protection_new_repos_disable'
- 'repository_secret_scanning_custom_pattern_push_protection.disabled'
condition: selection
falsepositives:
- Allowed administrative activities.
level: high
Convert to SIEM query
high
Github Secret Scanning Feature Disabled
Detects if the secret scanning feature is disabled for an enterprise or repository.
view Sigma YAML
title: Github Secret Scanning Feature Disabled
id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
status: test
description: Detects if the secret scanning feature is disabled for an enterprise or repository.
references:
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
modified: 2024-07-19
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'business_secret_scanning.disable'
- 'business_secret_scanning.disabled_for_new_repos'
- 'repository_secret_scanning.disable'
- 'secret_scanning_new_repos.disable'
- 'secret_scanning.disable'
condition: selection
falsepositives:
- Allowed administrative activities.
level: high
Convert to SIEM query
high
Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
view Sigma YAML
title: Goofy Guineapig Backdoor IOC
id: f0bafe60-1240-4798-9e60-4364b97e6bad
status: test
description: Detects malicious indicators seen used by the Goofy Guineapig malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename:
- 'C:\ProgramData\GoogleUpdate\config.dat'
- 'C:\ProgramData\GoogleUpdate\GoogleUpdate.exe'
- 'C:\ProgramData\GoogleUpdate\GoogleUpdate\tmp.bat'
- 'C:\ProgramData\GoogleUpdate\goopdate.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Goofy Guineapig Backdoor Potential C2 Communication
Detects potential C2 communication related to Goofy Guineapig backdoor
view Sigma YAML
title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: proxy
detection:
selection:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36'
cs-host: 'static.tcplog.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Grixba Malware Reconnaissance Activity
Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
view Sigma YAML
title: Grixba Malware Reconnaissance Activity
id: af688c76-4ce4-4309-bfdd-e896f01acf27
status: experimental
description: |
Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations.
This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
references:
- https://fieldeffect.com/blog/grixba-play-ransomware-impersonates-sentinelone
- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/
author: yxinmiracle, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-26
tags:
- attack.reconnaissance
- attack.t1595.001
- attack.discovery
- attack.t1046
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_mode_flag:
CommandLine|contains:
- '-m '
- '-mode '
- '-m:'
- '-mode:'
selection_input_flag:
CommandLine|contains:
- '-i '
- '-input '
- '-i:'
- '-input:'
selection_scan_value:
CommandLine|contains:
- 'scan '
- 'scanall '
selection_input_options:
CommandLine|contains:
- ':f '
- ':r '
- ':s '
- ' f '
- ' r '
- ' s '
condition: all of selection_*
falsepositives:
- Legitimate tools that use similar command-line argument structures (e.g., a tool with '--mode scan' and '--input file.txt') could trigger this rule. However, the specific combinations are indicative of reconnaissance or defense evasion.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Grixba/proc_creation_win_malware_grixba_recon/info.yml
Convert to SIEM query
high
Guacamole Two Users Sharing Session Anomaly
Detects suspicious session with two users present
view Sigma YAML
title: Guacamole Two Users Sharing Session Anomaly
id: 1edd77db-0669-4fef-9598-165bda82826d
status: test
description: Detects suspicious session with two users present
references:
- https://research.checkpoint.com/2020/apache-guacamole-rce/
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1212
logsource:
product: linux
service: guacamole
detection:
selection:
- '(2 users now present)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HKTL - SharpSuccessor Privilege Escalation Tool Execution
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
view Sigma YAML
title: HKTL - SharpSuccessor Privilege Escalation Tool Execution
id: 38a1ac5f-9c74-47d2-a345-dd6f5eb4e7c8
status: experimental
description: |
Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments.
Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
references:
- https://github.com/logangoins/SharpSuccessor
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-06
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SharpSuccessor.exe'
- OriginalFileName: 'SharpSuccessor.exe'
- CommandLine|contains: 'SharpSuccessor'
- CommandLine|contains|all:
- ' add '
- ' /impersonate'
- ' /path'
- ' /account'
- ' /name'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
view Sigma YAML
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\hh.exe'
Image|endswith:
- '\CertReq.exe'
- '\CertUtil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\MSbuild.exe'
- '\MSHTA.EXE'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
view Sigma YAML
title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration: '/system.webServer/httpLogging/@dontLog'
NewValue: 'true'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Hack Tool User Agent
Detects suspicious user agent strings user by hack tools in proxy logs
view Sigma YAML
title: Hack Tool User Agent
id: c42a3073-30fb-48ae-8c99-c23ada84b103
status: test
description: Detects suspicious user agent strings user by hack tools in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
- http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-07-07
tags:
- attack.initial-access
- attack.t1190
- attack.credential-access
- attack.t1110
logsource:
category: proxy
detection:
selection:
c-useragent|contains:
# Vulnerability scanner and brute force tools
- '(hydra)'
- ' arachni/'
- ' BFAC '
- ' brutus '
- ' cgichk '
- 'core-project/1.0'
- ' crimscanner/'
- 'datacha0s'
- 'dirbuster'
- 'domino hunter'
- 'dotdotpwn'
- 'FHScan Core'
- 'floodgate'
- 'get-minimal'
- 'gootkit auto-rooter scanner'
- 'grendel-scan'
- ' inspath '
- 'internet ninja'
- 'jaascois'
- ' zmeu '
- 'masscan'
- ' metis '
- 'morfeus fucking scanner'
- 'n-stealth'
- 'nsauditor'
- 'pmafind'
- 'security scan'
- 'springenwerk'
- 'teh forest lobster'
- 'toata dragostea'
- ' vega/'
- 'voideye'
- 'webshag'
- 'webvulnscan'
- ' whcc/'
# SQL Injection
- ' Havij'
- 'absinthe'
- 'bsqlbf'
- 'mysqloit'
- 'pangolin'
- 'sql power injector'
- 'sqlmap'
- 'sqlninja'
- 'uil2pn'
# Hack tool
- 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
view Sigma YAML
title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
references:
- https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' --adcs '
- ' --port '
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
view Sigma YAML
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Product|contains: 'SharpHound'
- Description|contains: 'SharpHound'
- Company|contains:
- 'SpecterOps'
- 'evil corp'
- Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection_cli_1:
CommandLine|contains:
- ' -CollectionMethod All '
- ' --CollectionMethods Session '
- ' --Loop --Loopduration '
- ' --PortScanTimeout '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection_cli_2:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection_cli_3:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of selection_*
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high
Convert to SIEM query
high
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
view Sigma YAML
title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
- https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
- https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1055.012
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\System32\cscript.exe'
- '\System32\wscript.exe'
- '\System32\mshta.exe'
- '\winword.exe'
- '\excel.exe'
TargetImage|contains: '\SysWOW64\'
StartModule: null
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - Certify Execution
Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
view Sigma YAML
title: HackTool - Certify Execution
id: 762f2482-ff21-4970-8939-0aa317a886bb
status: test
description: Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
references:
- https://github.com/GhostPack/Certify
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2023-04-25
tags:
- attack.discovery
- attack.credential-access
- attack.t1649
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Certify.exe'
- OriginalFileName: 'Certify.exe'
- Description|contains: 'Certify'
selection_cli_commands:
CommandLine|contains:
- '.exe cas '
- '.exe find '
- '.exe pkiobjects '
- '.exe request '
- '.exe download '
selection_cli_options:
CommandLine|contains:
- ' /vulnerable'
- ' /template:'
- ' /altname:'
- ' /domain:'
- ' /path:'
- ' /ca:'
condition: selection_img or all of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - Certipy Execution
Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
view Sigma YAML
title: HackTool - Certipy Execution
id: 6938366d-8954-4ddc-baff-c830b3ba8fcd
status: test
description: |
Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
references:
- https://github.com/ly4k/Certipy
- https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
author: pH-T (Nextron Systems), Sittikorn Sangrattanapitak
date: 2023-04-17
modified: 2024-10-08
tags:
- attack.discovery
- attack.credential-access
- attack.t1649
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Certipy.exe'
- OriginalFileName: 'Certipy.exe'
- Description|contains: 'Certipy'
selection_cli_commands:
CommandLine|contains:
- ' account '
- ' auth '
# - ' ca ' # Too short to be used with just one CLI
- ' cert '
- ' find '
- ' forge '
- ' ptt '
- ' relay '
- ' req '
- ' shadow '
- ' template '
selection_cli_flags:
CommandLine|contains:
- ' -bloodhound'
- ' -ca-pfx '
- ' -dc-ip '
- ' -kirbi'
- ' -old-bloodhound'
- ' -pfx '
- ' -target'
- ' -template'
- ' -username '
- ' -vulnerable'
- 'auth -pfx'
- 'shadow auto'
- 'shadow list'
condition: selection_img or all of selection_cli_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
view Sigma YAML
title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
- https://github.com/boku7/injectAmsiBypass
- https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
- attack.execution
- attack.defense-impairment
- attack.t1106
- attack.t1685
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
GrantedAccess:
- '0x1028'
- '0x1fffff'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CobaltStrike Malleable Profile Patterns - Proxy
Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
view Sigma YAML
title: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
id: f3f21ce1-cdef-4bfc-8328-ed2e826f5fac
related:
- id: 953b895e-5cc9-454b-b183-7f3db555452e
type: obsolete
- id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8
type: obsolete
- id: 37325383-740a-403d-b1a2-b2b4ab7992e7
type: obsolete
- id: c9b33401-cc6a-4cf6-83bb-57ddcb2407fc
type: obsolete
status: test
description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
references:
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile
- https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
- https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
- https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
author: Markus Neis, Florian Roth (Nextron Systems)
date: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection_amazon_1:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'GET'
c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books'
cs-host: 'www.amazon.com'
cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996'
selection_amazon_2:
c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
cs-method: 'POST'
c-uri: '/N4215/adj/amzn.us.sr.aps'
cs-host: 'www.amazon.com'
selection_generic_1:
c-useragent:
- 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)'
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )'
- 'Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08'
selection_generic_2:
c-useragent|endswith: '; MANM; MANM)'
selection_oscp:
c-uri|contains: '/oscp/'
cs-host: 'ocsp.verisign.com'
selection_onedrive:
cs-method: 'GET'
c-uri|endswith: '\?manifest=wac'
cs-host: 'onedrive.live.com'
filter_main_onedrive:
c-uri|startswith: 'http'
c-uri|contains: '://onedrive.live.com/'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CoercedPotato Execution
Detects the use of CoercedPotato, a tool for privilege escalation
view Sigma YAML
title: HackTool - CoercedPotato Execution
id: e8d34729-86a4-4140-adfd-0a29c2106307
status: test
description: Detects the use of CoercedPotato, a tool for privilege escalation
references:
- https://github.com/hackvens/CoercedPotato
- https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection_loader_img:
Image|endswith: '\CoercedPotato.exe'
selection_params:
CommandLine|contains: ' --exploitId '
selection_loader_imphash:
Hashes|contains:
- 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
- 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
- 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
view Sigma YAML
title: HackTool - CoercedPotato Named Pipe Creation
id: 4d0083b3-580b-40da-9bba-626c19fe4033
status: test
description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
references:
- https://blog.hackvens.fr/articles/CoercedPotato.html
- https://github.com/hackvens/CoercedPotato
author: Florian Roth (Nextron Systems)
date: 2023-10-11
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains: '\coerced\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant luanchers
view Sigma YAML
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '-Sta'
- '-Nop'
- '-Window'
- 'Hidden'
CommandLine|contains:
- '-Command'
- '-EncodedCommand'
selection_2:
CommandLine|contains:
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
condition: 1 of selection_*
level: high
Convert to SIEM query
high
HackTool - CrackMapExec Execution
This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
view Sigma YAML
title: HackTool - CrackMapExec Execution
id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
status: test
description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
- https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-03-08
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.discovery
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.t1110
- attack.t1201
logsource:
category: process_creation
product: windows
detection:
selection_binary:
Image|endswith: '\crackmapexec.exe'
selection_special:
CommandLine|contains: ' -M pe_inject '
selection_execute:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -x '
selection_hash:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
- " -H 'NTHASH'"
selection_module_mssql:
CommandLine|contains|all:
- ' mssql '
- ' -u '
- ' -p '
- ' -M '
- ' -d '
selection_module_smb1:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -H '
- ' -M '
- ' -o '
selection_module_smb2:
CommandLine|contains|all:
- ' smb '
- ' -u '
- ' -p '
- ' --local-auth'
part_localauth_1:
CommandLine|contains|all:
- ' --local-auth'
- ' -u '
- ' -p '
part_localauth_2:
CommandLine|contains|all:
- ' 10.'
- ' 192.168.'
- '/24 '
condition: 1 of selection_* or all of part_localauth*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
view Sigma YAML
title: HackTool - CrackMapExec Execution Patterns
id: 058f4380-962d-40a5-afce-50207d36d7e2
status: stable
description: Detects various execution patterns of the CrackMapExec pentesting framework
references:
- https://github.com/byt3bl33d3r/CrackMapExec
author: Thomas Patzke
date: 2020-05-22
modified: 2023-11-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053
- attack.t1059.003
- attack.t1059.001
- attack.s0106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless)
- 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:109 (fileless output via share)
- 'cmd.exe /C * > \\\\*\\*\\* 2>&1'
# cme/protocols/smb/atexec.py:111 (fileless output via share)
- 'cmd.exe /C * > *\\Temp\\* 2>&1'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L136 (PowerShell execution with obfuscation)
- 'powershell.exe -exec bypass -noni -nop -w 1 -C "'
# https://github.com/byt3bl33d3r/CrackMapExec/blob/d8c50c8cbaf36c29329078662473f75e440978d2/cme/helpers/powershell.py#L160 (PowerShell execution without obfuscation)
- 'powershell.exe -noni -nop -w 1 -enc '
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
view Sigma YAML
title: HackTool - CrackMapExec File Indicators
id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
- id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
type: obsolete
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
- https://github.com/byt3bl33d3r/CrackMapExec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-11
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_path:
TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
selection_names_str:
TargetFilename|endswith:
- '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
- '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
selection_names_re:
- TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
- TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
condition: selection_path and 1 of selection_names_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CrackMapExec PowerShell Obfuscation
The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
view Sigma YAML
title: HackTool - CrackMapExec PowerShell Obfuscation
id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
status: test
description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
references:
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
author: Thomas Patzke
date: 2020-05-22
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
- 'join*split'
# Line 343ff
- '( $ShellId[1]+$ShellId[13]+''x'')'
- '( $PSHome[*]+$PSHOME[*]+'
- '( $env:Public[13]+$env:Public[5]+''x'')'
- '( $env:ComSpec[4,*,25]-Join'''')'
- '[1,3]+''x''-Join'''')'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
HackTool - CrackMapExec Process Patterns
Detects suspicious process patterns found in logs when CrackMapExec is used
view Sigma YAML
title: HackTool - CrackMapExec Process Patterns
id: f26307d8-14cd-47e3-a26b-4b4769f24af6
status: test
description: Detects suspicious process patterns found in logs when CrackMapExec is used
references:
- https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
author: Florian Roth (Nextron Systems)
date: 2022-03-12
modified: 2023-02-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_lsass_dump1:
CommandLine|contains|all:
- 'tasklist /fi '
- 'Imagename eq lsass.exe'
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd.exe /r '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /r '
- 'cmd /k '
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_lsass_dump2:
CommandLine|contains|all:
- 'do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump'
- '\Windows\Temp\'
- ' full'
- '%%B'
selection_procdump:
CommandLine|contains|all:
- 'tasklist /v /fo csv'
- 'findstr /i "lsass"'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 501-550 of 3,750