Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,750
medium
Moderate
Low FP
AWS CloudTrail Important Change
Detects disabling, deleting and updating of a Trail
view Sigma YAML
title: AWS CloudTrail Important Change
id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
status: test
description: Detects disabling, deleting and updating of a Trail
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685.002
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: cloudtrail.amazonaws.com
eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source
falsepositives:
- Valid change in a Trail
level: medium
Convert to SIEM query
medium
Strong
Low FP
AWS Console GetSigninToken Potential Abuse
Detects potentially suspicious events involving "GetSigninToken".
An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
view Sigma YAML
title: AWS Console GetSigninToken Potential Abuse
id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
status: test
description: |
Detects potentially suspicious events involving "GetSigninToken".
An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
references:
- https://github.com/NetSPI/aws_consoler
- https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
author: Chester Le Bron (@123Le_Bron)
date: 2024-02-26
tags:
- attack.lateral-movement
- attack.t1021.007
- attack.t1550.001
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'signin.amazonaws.com'
eventName: 'GetSigninToken'
filter_main_console_ua:
userAgent|contains: 'Jersey/${project.version}'
condition: selection and not 1 of filter_main_*
falsepositives:
- GetSigninToken events will occur when using AWS SSO portal to login and will generate false positives if you do not filter for the expected user agent(s), see filter. Non-SSO configured roles would be abnormal and should be investigated.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS Console Login Monitoring
Detects AWS console logins from countries and IP addresses that are not recognized as legitimate for the organization.
This alert can help identify potential unauthorized access attempts from unusual locations, which may indicate compromised credentials or malicious activity.
view Sigma YAML
title: AWS Console Login Monitoring
id: 313e72de-0c0d-4d65-8c95-87f4d546eceb
status: experimental
description: |
Detects AWS console logins from countries and IP addresses that are not recognized as legitimate for the organization.
This alert can help identify potential unauthorized access attempts from unusual locations, which may indicate compromised credentials or malicious activity.
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Ivan Saakov
date: 2025-10-19
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'ConsoleLogin'
responseElements.ConsoleLogin: 'Success'
filter_main_country:
src_country|expand: '%Legitimate_Countries%' # Add legitimate countries here
filter_main_ip:
src_ip|expand: '%Legitimate_IP_Ranges%' # Add legitimate src_ip ranges here
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate logins from trusted countries and IP addresses.
- Login through services hosted through cloud providers in other regions.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS ConsoleLogin Failed Authentication
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
view Sigma YAML
title: AWS ConsoleLogin Failed Authentication
id: 6393e346-1977-46ef-8987-ad414a145fad
status: experimental
description: |
Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.
references:
- https://naikordian.github.io/blog/posts/brute-force-aws-console/
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_2_1/rules/PH_RULE_AWS_Management_Console_Brute_Force_of_Root_User_Identity.htm
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/aws_login_failure/aws_cloudtrail_events.json
author: Ivan Saakov, Nasreddine Bencherchali
date: 2025-10-19
tags:
- attack.credential-access
- attack.t1110
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'ConsoleLogin'
errorMessage: 'Failed authentication'
condition: selection
falsepositives:
- Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.
level: medium
Convert to SIEM query
medium
Strong
Low FP
AWS EC2 Disable EBS Encryption
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
Disabling default encryption does not change the encryption status of your existing volumes.
view Sigma YAML
title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: |
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
Disabling default encryption does not change the encryption status of your existing volumes.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
author: Sittikorn S
date: 2021-06-29
modified: 2021-08-20
tags:
- attack.impact
- attack.t1486
- attack.t1565
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: ec2.amazonaws.com
eventName: DisableEbsEncryptionByDefault
condition: selection
falsepositives:
- System Administrator Activities
- DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
AWS ECS Task Definition That Queries The Credential Endpoint
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
view Sigma YAML
title: AWS ECS Task Definition That Queries The Credential Endpoint
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: test
description: |
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
- https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
author: Darin Smith
date: 2022-06-07
modified: 2023-04-24
tags:
- attack.persistence
- attack.t1525
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ecs.amazonaws.com'
eventName:
- 'DescribeTaskDefinition'
- 'RegisterTaskDefinition'
- 'RunTask'
requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
condition: selection
falsepositives:
- Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS EFS Fileshare Modified or Deleted
Detects when a EFS Fileshare is modified or deleted.
You can't delete a file system that is in use.
If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
view Sigma YAML
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
status: test
description: |
Detects when a EFS Fileshare is modified or deleted.
You can't delete a file system that is in use.
If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
- attack.impact
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteFileSystem
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS EFS Fileshare Mount Modified or Deleted
Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
view Sigma YAML
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: test
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
author: Austin Songer @austinsonger
date: 2021-08-15
modified: 2022-10-09
tags:
- attack.impact
- attack.t1485
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteMountTarget
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS EnableRegion Command Monitoring
Detects the use of the EnableRegion command in AWS CloudTrail logs.
While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.
There may be situations where security monitoring does not cover some new AWS regions.
Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
view Sigma YAML
title: AWS EnableRegion Command Monitoring
id: a5ffb6ea-c784-4e01-b30a-deb6e58ca2ab
status: experimental
description: |
Detects the use of the EnableRegion command in AWS CloudTrail logs.
While AWS has 30+ regions, some of them are enabled by default, others must be explicitly enabled in each account separately.
There may be situations where security monitoring does not cover some new AWS regions.
Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment.
references:
- https://docs.aws.amazon.com/accounts/latest/reference/API_EnableRegion.html
- https://awscli.amazonaws.com/v2/documentation/api/2.14.0/reference/account/enable-region.html
author: Ivan Saakov, Sergey Zelenskiy
date: 2025-10-19
tags:
- attack.persistence
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'EnableRegion'
eventSource: 'account.amazonaws.com'
condition: selection
falsepositives:
- Legitimate use of the EnableRegion command by authorized administrators.
level: medium
Convert to SIEM query
medium
Strong
Low FP
AWS IAM Backdoor Users Keys
Detects AWS API key creation for a user by another user.
Backdoored users can be used to obtain persistence in the AWS environment.
Also with this alert, you can detect a flow of AWS keys in your org.
view Sigma YAML
title: AWS IAM Backdoor Users Keys
id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
status: test
description: |
Detects AWS API key creation for a user by another user.
Backdoored users can be used to obtain persistence in the AWS environment.
Also with this alert, you can detect a flow of AWS keys in your org.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: iam.amazonaws.com
eventName: CreateAccessKey
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: selection_source and not filter
falsepositives:
- Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
- AWS API keys legitimate exchange workflows
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
view Sigma YAML
title: AWS Key Pair Import Activity
id: 92f84194-8d9a-4ee0-8699-c30bfac59780
status: experimental
description: |
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
author: Ivan Saakov
date: 2024-12-19
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName: 'ImportKeyPair'
condition: selection
falsepositives:
- Legitimate administrative actions by authorized users importing keys for valid purposes.
- Automated processes for infrastructure setup may trigger this alert.
- Verify the user identity, user agent, and source IP address to ensure they are expected.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AWS RDS Master Password Change
Detects the change of database master password. It may be a part of data exfiltration.
view Sigma YAML
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
author: faloker
date: 2020-02-12
modified: 2022-10-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: rds.amazonaws.com
responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
- Benign changes to a db instance
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS Root Credentials
Detects AWS root account usage
view Sigma YAML
title: AWS Root Credentials
id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
status: test
description: Detects AWS root account usage
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection_usertype:
userIdentity.type: Root
selection_eventtype:
eventType: AwsServiceEvent
condition: selection_usertype and not selection_eventtype
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AWS S3 Bucket Versioning Disable
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
view Sigma YAML
title: AWS S3 Bucket Versioning Disable
id: a136ac98-b2bc-4189-a14d-f0d0388e57a7
status: test
description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
references:
- https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
author: Sean Johnstone | Unit 42
date: 2023-10-28
tags:
- attack.impact
- attack.t1490
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: s3.amazonaws.com
eventName: PutBucketVersioning
requestParameters|contains: 'Suspended'
condition: selection
falsepositives:
- AWS administrator legitimately disabling bucket versioning
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS SAML Provider Deletion Activity
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
view Sigma YAML
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
description: |
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
author: Ivan Saakov
date: 2024-12-19
tags:
- attack.stealth
- attack.t1078.004
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.t1531
- attack.impact
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'DeleteSAMLProvider'
status: 'success'
condition: selection
falsepositives:
- Automated processes using tools like Terraform may trigger this alert.
- Legitimate administrative actions by authorized system administrators could cause this alert. Verify the user identity, user agent, and hostname to ensure they are expected.
- Deletions by unfamiliar users should be investigated. If the behavior is known and expected, it can be exempted from the rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
AWS STS GetCallerIdentity Enumeration Via TruffleHog
Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.
Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.
Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
view Sigma YAML
title: AWS STS GetCallerIdentity Enumeration Via TruffleHog
id: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
status: experimental
description: |
Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.
Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.
Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
references:
- https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
- https://github.com/trufflesecurity/trufflehog
author: Adan Alvarez @adanalvarez
date: 2025-10-12
tags:
- attack.discovery
- attack.t1087.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'sts.amazonaws.com'
eventName: 'GetCallerIdentity'
userAgent|contains: 'TruffleHog'
condition: selection
falsepositives:
- Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS Snapshot Backup Exfiltration
Detects the modification of an EC2 snapshot's permissions to enable access from another account
view Sigma YAML
title: AWS Snapshot Backup Exfiltration
id: abae8fec-57bd-4f87-aff6-6e3db989843d
status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
references:
- https://www.justice.gov/file/1080281/download
author: Darin Smith
date: 2021-05-17
modified: 2021-08-19
tags:
- attack.exfiltration
- attack.t1537
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
eventName: ModifySnapshotAttribute
condition: selection_source
falsepositives:
- Valid change to a snapshot's permissions
level: medium
Convert to SIEM query
medium
Moderate
Low FP
AWS Successful Console Login Without MFA
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
view Sigma YAML
title: AWS Successful Console Login Without MFA
id: 77caf516-34e5-4df9-b4db-20744fea0a60
status: experimental
description: |
Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA).
This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.
references:
- https://securitylabs.datadoghq.com/cloud-security-atlas/vulnerabilities/iam-user-without-mfa/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
author: Thuya@Hacktilizer, Ivan Saakov
date: 2025-10-18
modified: 2025-10-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'ConsoleLogin'
additionalEventData.MFAUsed: 'NO'
responseElements.ConsoleLogin: 'Success'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Low FP
AWS Suspicious SAML Activity
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
view Sigma YAML
title: AWS Suspicious SAML Activity
id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
status: test
description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
author: Austin Songer
date: 2021-09-22
modified: 2022-12-18
tags:
- attack.initial-access
- attack.lateral-movement
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1548
- attack.t1550
- attack.t1550.001
logsource:
product: aws
service: cloudtrail
detection:
selection_sts:
eventSource: 'sts.amazonaws.com'
eventName: 'AssumeRoleWithSAML'
selection_iam:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateSAMLProvider'
condition: 1 of selection_*
falsepositives:
- Automated processes that uses Terraform may lead to false positives.
- SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Abusing Print Executable
Attackers can use print.exe for remote file copy
view Sigma YAML
title: Abusing Print Executable
id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
status: test
description: Attackers can use print.exe for remote file copy
references:
- https://lolbas-project.github.io/lolbas/Binaries/Print/
- https://twitter.com/Oddvarmoe/status/985518877076541440
author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
date: 2020-10-05
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\print.exe'
CommandLine|startswith: 'print'
CommandLine|contains|all:
- '/D'
- '.exe'
filter_print:
CommandLine|contains: 'print.exe'
condition: selection and not filter_print
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Access To Crypto Currency Wallets By Uncommon Applications
Detects file access requests to crypto currency files by uncommon processes.
Could indicate potential attempt of crypto currency wallet stealing.
view Sigma YAML
title: Access To Crypto Currency Wallets By Uncommon Applications
id: f41b0311-44f9-44f0-816d-dd45e39d4bc8
status: test
description: |
Detects file access requests to crypto currency files by uncommon processes.
Could indicate potential attempt of crypto currency wallet stealing.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
- FileName|contains:
- '\AppData\Roaming\Ethereum\keystore\'
- '\AppData\Roaming\EthereumClassic\keystore\'
- '\AppData\Roaming\monero\wallets\'
- FileName|endswith:
- '\AppData\Roaming\Bitcoin\wallet.dat'
- '\AppData\Roaming\BitcoinABC\wallet.dat'
- '\AppData\Roaming\BitcoinSV\wallet.dat'
- '\AppData\Roaming\DashCore\wallet.dat'
- '\AppData\Roaming\DogeCoin\wallet.dat'
- '\AppData\Roaming\Litecoin\wallet.dat'
- '\AppData\Roaming\Ripple\wallet.dat'
- '\AppData\Roaming\Zcash\wallet.dat'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
view Sigma YAML
title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
- id: 8344c19f-a023-45ff-ad63-a01c5396aea0
type: derived
status: test
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
- https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
modified: 2024-07-29
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|startswith: '\\'
FileName|contains|all:
- '\sysvol\'
- '\Policies\'
FileName|endswith:
- 'audit.csv'
- 'Files.xml'
- 'GptTmpl.inf'
- 'groups.xml'
- 'Registry.pol'
- 'Registry.xml'
- 'scheduledtasks.xml'
- 'scripts.ini'
- 'services.xml'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Access To Sysvol Policies Share By Uncommon Process
Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
view Sigma YAML
title: Access To Sysvol Policies Share By Uncommon Process
id: 8344c19f-a023-45ff-ad63-a01c5396aea0
status: test
description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
references:
- https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
tags:
- attack.credential-access
- attack.t1552.006
- detection.threat-hunting
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|startswith: '\\'
FileName|contains|all:
- '\sysvol\'
- '\Policies\'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\explorer.exe'
- ':\Windows\system32\'
- ':\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Access To Windows Credential History File By Uncommon Applications
Detects file access requests to the Windows Credential History File by an uncommon application.
This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
view Sigma YAML
title: Access To Windows Credential History File By Uncommon Applications
id: 7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2
status: test
description: |
Detects file access requests to the Windows Credential History File by an uncommon application.
This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
references:
- https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist
- https://www.passcape.com/windows_password_recovery_dpapi_credhist
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
- attack.credential-access
- attack.t1555.004
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|endswith: '\Microsoft\Protect\CREDHIST'
filter_main_system_folders:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
# Increase level after false positives filters are good enough
level: medium
Convert to SIEM query
medium
Moderate
High FP
Access To Windows DPAPI Master Keys By Uncommon Applications
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
view Sigma YAML
title: Access To Windows DPAPI Master Keys By Uncommon Applications
id: 46612ae6-86be-4802-bc07-39b59feb1309
status: test
description: |
Detects file access requests to the the Windows Data Protection API Master keys by an uncommon application.
This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
references:
- http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
modified: 2024-07-29
tags:
- attack.credential-access
- attack.t1555.004
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|contains:
- '\Microsoft\Protect\S-1-5-18\' # For System32
- '\Microsoft\Protect\S-1-5-21-' # For Users
filter_system_folders:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
# Increase level after false positives filters are good enough
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Access of Sudoers File Content
Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
view Sigma YAML
title: Access of Sudoers File Content
id: 0f79c4d2-4e1f-4683-9c36-b5469a665e06
status: test
description: Detects the execution of a text-based file access or inspection utilities to read the content of /etc/sudoers in order to potentially list all users that have sudo rights.
references:
- https://github.com/sleventyeleven/linuxprivchecker/
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2025-06-04
tags:
- attack.reconnaissance
- attack.t1592.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/cat'
- '/ed'
- '/egrep'
- '/emacs'
- '/fgrep'
- '/grep'
- '/head'
- '/less'
- '/more'
- '/nano'
- '/tail'
CommandLine|contains: ' /etc/sudoers'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Access to Browser Login Data
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
view Sigma YAML
title: Access to Browser Login Data
id: fc028194-969d-4122-8abe-0470d5b8f12f
related:
- id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
type: obsolete
- id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
type: similar
status: test
description: |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
author: frack113
date: 2022-01-30
tags:
- attack.credential-access
- attack.t1555.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- Copy-Item
- '-Destination'
selection_path:
ScriptBlockText|contains:
- '\Opera Software\Opera Stable\Login Data'
- '\Mozilla\Firefox\Profiles'
- '\Microsoft\Edge\User Data\Default'
- '\Google\Chrome\User Data\Default\Login Data'
- '\Google\Chrome\User Data\Default\Login Data For Account'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
Account Created And Deleted By Non Approved Users
Detects accounts that are created or deleted by non-approved users.
view Sigma YAML
title: Account Created And Deleted By Non Approved Users
id: c98184ba-4a27-4e10-b7b7-da48e71f4d25
status: test
description: Detects accounts that are created or deleted by non-approved users.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
modified: 2023-12-15
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Sucess
valid_admin:
Initiatied.By|expand: '%ApprovedUserUpn%'
condition: selection and not valid_admin
falsepositives:
- Legit administrative action
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
view Sigma YAML
title: Account Disabled or Blocked for Sign in Attempts
id: 4afac85c-224a-4dd7-b1af-8da40e1c60bd
status: test
description: Detects when an account is disabled or blocked for sign in but tried to log in
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50057
ResultDescription: Failure
condition: selection
falsepositives:
- Account disabled or blocked in error
- Automation account has been blocked or disabled
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
view Sigma YAML
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 50053
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
view Sigma YAML
title: Account Tampering - Suspicious Failed Logon Reasons
id: 9eb99343-d336-4020-a3cd-67f3819e68ee
status: test
description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
- https://twitter.com/SBousseaden/status/1101431884540710913
author: Florian Roth (Nextron Systems)
date: 2017-02-19
modified: 2025-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: windows
service: security
detection:
selection_eid:
EventID:
- 4625
- 4776
selection_status:
- Status:
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
- SubStatus:
- '0xC0000072' # User logon to account disabled by administrator
- '0xC000006F' # User logon outside authorized hours
- '0xC0000070' # User logon from unauthorized workstation
- '0xC0000413' # Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
- '0xC000018C' # The logon request failed because the trust relationship between the primary domain and the trusted domain failed
- '0xC000015B' # The user has not been granted the requested logon type (aka logon right) at this machine
filter:
SubjectUserSid: 'S-1-0-0'
condition: all of selection_* and not filter
falsepositives:
- User using a disabled account
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
view Sigma YAML
title: Activate Suppression of Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
status: test
description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
view Sigma YAML
title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
- id: ef61af62-bc74-4f58-b49b-626448227652
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_cli:
CommandLine|contains: 'snapshot'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
view Sigma YAML
title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: test
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
- https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://redcanary.com/blog/msix-installers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.exfiltration
- attack.discovery
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\csvde.exe'
- OriginalFileName: 'csvde.exe'
selection_remote:
CommandLine|contains: ' -f'
filter_import:
CommandLine|contains: ' -i'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
view Sigma YAML
title: Active Directory Structure Export Via Ldifde.EXE
id: 4f7a6757-ff79-46db-9687-66501a02d9ec
status: test
description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
references:
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection_ldif:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cmd:
CommandLine|contains: '-f'
filter_import:
CommandLine|contains: ' -i'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Activity Performed by Terminated User
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.
This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
view Sigma YAML
title: Activity Performed by Terminated User
id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
status: test
description: |
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.
This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.impact
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Activity performed by terminated user'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Activity from Anonymous IP Addresses
Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
view Sigma YAML
title: Activity from Anonymous IP Addresses
id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
status: test
description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1573
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Activity from anonymous IP addresses'
status: success
condition: selection
falsepositives:
- User using a VPN or Proxy
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Activity from Infrequent Country
Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
view Sigma YAML
title: Activity from Infrequent Country
id: 0f2468a2-5055-4212-a368-7321198ee706
status: test
description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1573
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Activity from infrequent country'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Activity from Suspicious IP Addresses
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.
These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
view Sigma YAML
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
status: test
description: |
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.
These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1573
logsource:
service: threat_detection
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Activity from suspicious IP addresses'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
view Sigma YAML
title: Add Debugger Entry To AeDebug For Persistence
id: 092af964-4233-4373-b4ba-d86ea2890288
status: test
description: Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/aedebug.html
- https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger'
Details|endswith: '.dll'
filter:
Details: '"C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld -j 0x%p'
condition: selection and not filter
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
view Sigma YAML
title: Add DisallowRun Execution to Registry
id: 275641a5-a492-45e2-a817-7c81e9d9d3e9
status: test
description: Detect set DisallowRun to 1 to prevent user running specific computer program
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
view Sigma YAML
title: Add New Download Source To Winget
id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
related:
- id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
type: similar
- id: c15a46a0-07d4-4c87-b4b6-89207835a83b
type: similar
status: test
description: Detects usage of winget to add new additional download sources
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
condition: all of selection_*
falsepositives:
- False positive are expected with legitimate sources
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
view Sigma YAML
title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
status: test
description: |
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
author: frack113
date: 2021-12-30
modified: 2024-03-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Control\Print\Monitors\'
Details|endswith: '.dll'
filter_optional_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Control\Print\Monitors\CutePDF Writer Monitor v4.0\Driver'
Details: 'cpwmon64_v40.dll'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_monvnc:
TargetObject|contains: '\Control\Print\Monitors\MONVNC\Driver'
filter_optional_vnc:
TargetObject|contains|all:
- 'Control\Print\Environments\'
- '\Drivers\'
- '\VNC Printer'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_port_monitor/info.yml
simulation:
- type: atomic-red-team
name: Add Port Monitor persistence in Registry
technique: T1547.010
atomic_guid: d34ef297-f178-4462-871e-9ce618d44e50
Convert to SIEM query
medium
Moderate
Medium FP
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
view Sigma YAML
title: Add Potential Suspicious New Download Source To Winget
id: c15a46a0-07d4-4c87-b4b6-89207835a83b
related:
- id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
type: similar
- id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
type: similar
status: test
description: Detects usage of winget to add new potentially suspicious download sources
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-12-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
selection_source_direct_ip:
# This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
view Sigma YAML
title: Add Windows Capability Via PowerShell Cmdlet
id: b36d01a3-ddaf-4804-be18-18a6247adfcd
related:
- id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
- https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains: 'Add-WindowsCapability'
selection_capa:
CommandLine|contains: 'OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
condition: all of selection_*
falsepositives:
- Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
view Sigma YAML
title: Add Windows Capability Via PowerShell Script
id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
related:
- id: b36d01a3-ddaf-4804-be18-18a6247adfcd
type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
- https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
- attack.execution
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Add-WindowsCapability '
selection_capa:
ScriptBlockText|contains: '-Name OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
condition: all of selection_*
falsepositives:
- Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
view Sigma YAML
title: Added Owner To Application
id: 74298991-9fc4-460e-a92e-511aa60baec1
status: test
description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.t1552
- attack.credential-access
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add owner to application
condition: selection
falsepositives:
- When a new application owner is added by an administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
view Sigma YAML
title: AddinUtil.EXE Execution From Uncommon Directory
id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
status: test
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2025-02-24
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\addinutil.exe'
- OriginalFileName: 'AddInUtil.exe'
filter_main_legit_location:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
- ':\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
view Sigma YAML
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
- https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1134.005
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- '-'
- '%%1793'
filter_null:
SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
level: medium
Convert to SIEM query
medium
Moderate
High FP
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
view Sigma YAML
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
- attack.discovery
- attack.t1046
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
condition: selection
falsepositives:
- Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
Convert to SIEM query
Showing 1901-1950 of 3,750