Tool
SIEM
Sigma (generic) detection rules
3,751 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,751
medium
Moderate
High FP
Perl Inline Command Execution
Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
view Sigma YAML
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Permission Check Via Accesschk.EXE
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
view Sigma YAML
title: Permission Check Via Accesschk.EXE
id: c625d754-6a3d-4f65-9c9a-536aea960d37
status: test
description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
- https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
- https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-20
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Product|endswith: 'AccessChk'
- Description|contains: 'Reports effective permissions'
- Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- OriginalFileName: 'accesschk.exe'
selection_cli:
CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
- 'uwcqv '
- 'kwsu '
- 'qwsu '
- 'uwdqs '
condition: all of selection*
falsepositives:
- System administrator Usage
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
view Sigma YAML
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains:
- '"Everyone"'
- "'Everyone'"
- '"BUILTIN\\"'
- "'BUILTIN\\'"
selection_special:
CommandLine|contains|all:
# Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
# You could extend it for other groups and users
# Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
# Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
- 'icacls '
- 'findstr '
- 'Everyone'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
view Sigma YAML
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
root:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
selection_autorun:
# Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
TargetObject|contains: '\Autorun'
Details: 'DWORD (0x00000001)'
selection_pre_after:
TargetObject|contains:
- '\CleanupString'
- '\PreCleanupString'
Details|contains:
# Add more as you see fit
- 'cmd'
- 'powershell'
- 'rundll32'
- 'mshta'
- 'cscript'
- 'wscript'
- 'wsl'
- '\Users\Public\'
- '\Windows\TEMP\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
condition: root and 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Persistence Via New SIP Provider
Detects when an attacker register a new SIP provider for persistence and defense evasion
view Sigma YAML
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: test
description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/codesigning.html
- https://github.com/gtworek/PSBits/tree/master/SIP
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1553.003
logsource:
category: registry_set
product: windows
detection:
selection_root:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Cryptography\Providers\'
- '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
- '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
- '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
selection_dll:
TargetObject|contains:
- '\Dll'
- '\$DLL'
filter:
Details:
# Add more legitimate SIP providers according to your env
- WINTRUST.DLL
- mso.dll
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|contains: '\CryptSIPDll'
Details: 'C:\Windows\System32\PsfSip.dll'
condition: all of selection_* and not 1 of filter*
falsepositives:
- Legitimate SIP being registered by the OS or different software.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Persistence Via Sudoers.d Files
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
view Sigma YAML
title: Persistence Via Sudoers.d Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: test
description: |
Detects the creation or modification of files within the "sudoers.d" directory on Linux systems.
Such activity may indicate an attempt to establish or maintain privilege escalation by granting specific users elevated permissions.
Unauthorized changes to sudoers files are a common technique used by attackers to persist administrative access.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2026-03-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1548.003
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|startswith: '/etc/sudoers.d/'
filter_main_dpkg:
Image|endswith: '/usr/bin/dpkg'
TargetFilename: '/etc/sudoers.d/README.dpkg-new'
condition: selection and not 1 of filter_main_*
falsepositives:
- Creation of legitimate files in sudoers.d folder as part of administrator work
level: medium
Convert to SIEM query
medium
Moderate
High FP
Persistence Via TypedPaths - CommandLine
Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
view Sigma YAML
title: Persistence Via TypedPaths - CommandLine
id: ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
status: test
description: Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
references:
- https://twitter.com/dez_/status/1560101453150257154
- https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
tags:
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Php Inline Command Execution
Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
view Sigma YAML
title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: test
description: Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
references:
- https://www.php.net/manual/en/features.commandline.php
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\php.exe'
- OriginalFileName: 'php.exe'
selection_cli:
CommandLine|contains: ' -r'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
view Sigma YAML
title: PktMon.EXE Execution
id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908
status: test
description: Detects execution of PktMon, a tool that captures network packets.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
author: frack113
date: 2022-03-17
modified: 2023-06-23
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\pktmon.exe'
- OriginalFileName: 'PktMon.exe'
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Moderate
High FP
Pnscan Binary Data Transmission Activity
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
view Sigma YAML
title: Pnscan Binary Data Transmission Activity
id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
status: test
description: |
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
author: David Burkett (@signalblur)
date: 2024-04-16
references:
- https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence
- https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
- https://regex101.com/r/RugQYK/1
- https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
tags:
- attack.discovery
- attack.t1046
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|re: -(W|R)\s?(\s|"|')([0-9a-fA-F]{2}\s?){2,20}(\s|"|')
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
view Sigma YAML
title: Port Forwarding Activity Via SSH.EXE
id: 327f48c1-a6db-4eb8-875a-f6981f1b0183
status: test
description: Detects port forwarding activity via SSH.exe
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2024-03-05
tags:
- attack.command-and-control
- attack.lateral-movement
- attack.t1572
- attack.t1021.001
- attack.t1021.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains|windash: ' -R '
condition: selection
falsepositives:
- Administrative activity using a remote port forwarding to a local port
level: medium
Convert to SIEM query
medium
Moderate
High FP
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
view Sigma YAML
title: Portable Gpg.EXE Execution
id: 77df53a5-1d78-4f32-bc5a-0e7465bd8f41
status: test
description: Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
references:
- https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a
- https://securelist.com/locked-out/68960/
- https://github.com/redcanaryco/atomic-red-team/blob/c4097dc7ed14d7f7d08c89d148c4307097e8c294/atomics/T1486/T1486.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-06
modified: 2023-11-10
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- OriginalFileName: 'gpg.exe'
- Description: 'GnuPG’s OpenPGP tool'
filter_main_legit_location:
Image|contains:
- ':\Program Files (x86)\GNU\GnuPG\bin\'
- ':\Program Files (x86)\GnuPG VS-Desktop\'
- ':\Program Files (x86)\GnuPG\bin\'
- ':\Program Files (x86)\Gpg4win\bin\'
condition: selection and not 1 of filter_main_*
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Possible DC Shadow Attack
Detects DCShadow via create new SPN
view Sigma YAML
title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
- id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
type: derived
status: test
description: Detects DCShadow via create new SPN
references:
- https://twitter.com/gentilkiwi/status/1003236624925413376
- https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
- https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1207
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection1:
EventID: 4742
ServicePrincipalNames|contains: 'GC/'
selection2:
EventID: 5136
AttributeLDAPDisplayName: servicePrincipalName
AttributeValue|startswith: 'GC/'
condition: 1 of selection*
falsepositives:
- Valid on domain controllers; exclude known DCs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
view Sigma YAML
title: Possible PrintNightmare Print Driver Install - CVE-2021-1675
id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
related:
- id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
type: derived
status: stable
description: |
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
- https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://github.com/corelight/CVE-2021-1675
- https://old.zeek.org/zeekweek2019/slides/bzar.pdf
- https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
author: '@neu5ron (Nate Guagenti)'
date: 2021-08-23
modified: 2025-11-03
tags:
- attack.execution
- cve.2021-1678
- cve.2021-1675
- cve.2021-34527
- detection.emerging-threats
logsource:
product: zeek
service: dce_rpc
detection:
selection:
operation:
- 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
- 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
- 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
- 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
- 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
- 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
condition: selection
falsepositives:
- Legitimate remote alteration of a printer driver.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
view Sigma YAML
title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
selection:
EventID: 4662
# Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
# The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
AccessMask|endswith:
# Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
- '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
- '3?' # Read Property + Write Property
- '4?' # Read Property + Delete Tree
- '7?' # Read Property + Write Property + Delete Tree
- '9?' # Read Property + List Object
- 'B?' # Read Property + Write Property + List Object
- 'D?' # Read Property + Delete Tree + List Object
- 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
filter_main_machine_accounts:
SubjectUserName|endswith: '$' # Exclude machine accounts
filter_main_msql:
SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators configuring new users.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential AMSI Bypass Script Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
view Sigma YAML
title: Potential AMSI Bypass Script Using NULL Bits
id: fa2559c8-1197-471d-9cdd-05a0273d4522
related:
- id: 92a974db-ab84-457f-9ec0-55db83d7a825
type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- "if(0){{{0}}}' -f $(0 -as [char]) +"
- "#<NULL>"
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
view Sigma YAML
title: Potential AMSI Bypass Using NULL Bits
id: 92a974db-ab84-457f-9ec0-55db83d7a825
related:
- id: fa2559c8-1197-471d-9cdd-05a0273d4522
type: similar
status: test
description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
references:
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-05-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- "if(0){{{0}}}' -f $(0 -as [char]) +"
- "#<NULL>"
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google.
In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
view Sigma YAML
title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: test
description: |
Detects potential APT FIN7 exploitation activity as reported by Google.
In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_notepad_plus:
ParentImage|endswith: '\notepad++.exe'
Image|endswith: '\cmd.exe'
selection_rdpinit:
ParentImage|endswith: '\rdpinit.exe'
Image|endswith: '\notepad++.exe'
condition: 1 of selection_*
falsepositives:
- Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
view Sigma YAML
title: Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
id: bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
status: test
description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
references:
- https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-02
modified: 2023-03-29
tags:
- attack.stealth
- attack.t1218.010
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'regsvr32'
- '\AppData\Local\'
- '.dll'
- ',DllEntry'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Potential AS-REP Roasting via Kerberos TGT Requests
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
view Sigma YAML
title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC.
This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
- https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
- https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
product: windows
service: security
detection:
selection:
EventID: 4768
TicketEncryptionType: '0x17'
ServiceName: 'krbtgt'
PreAuthType: 0
condition: selection
falsepositives:
- Legacy systems or applications that legitimately use RC4 encryption
- Misconfigured accounts with pre-authentication disabled
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
view Sigma YAML
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\AVKkid.dll'
filter_main_legit_path:
Image|contains:
- 'C:\Program Files (x86)\G DATA\'
- 'C:\Program Files\G DATA\'
Image|endswith: '\AVKKid.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\G DATA\'
- 'C:\Program Files\G DATA\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Abuse of Linux Magic System Request Key
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
view Sigma YAML
title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
- https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
- https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
- https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
- attack.execution
- attack.t1059.004
- attack.impact
- attack.t1529
- attack.t1489
- attack.t1499
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-w /proc/sysrq-trigger -p wa -k sysrq
-w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
selection:
type: 'PATH'
name|endswith:
# Enable
- '/sysrq'
- '/sysctl.conf'
# Execute
- '/sysrq-trigger'
condition: selection
falsepositives:
- Legitimate administrative activity
level: medium
Convert to SIEM query
medium
Strong
Low FP
Potential Access Token Abuse
Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
view Sigma YAML
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
references:
- https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
- https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- stp.4u
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 9
LogonProcessName: 'Advapi'
AuthenticationPackageName: 'Negotiate'
ImpersonationLevel: '%%1833' # Impersonation
condition: selection
falsepositives:
- Anti-Virus
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
view Sigma YAML
title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
view Sigma YAML
title: Potential Active Directory Enumeration Using AD Module - PsModule
id: 74176142-4684-4d8a-8b0a-713257e7df8e
related:
- id: 70bc5215-526f-4477-963c-a47a5c9ebd12
type: similar
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_cmdlet:
Payload|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
view Sigma YAML
title: Potential Active Directory Enumeration Using AD Module - PsScript
id: 9e620995-f2d8-4630-8430-4afd89f77604
related:
- id: 70bc5215-526f-4477-963c-a47a5c9ebd12
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113, Nasreddine Bencherchali
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enable'
detection:
selection_generic:
ScriptBlockText|contains|all:
- 'Import-Module '
- 'Microsoft.ActiveDirectory.Management.dll'
selection_specific:
ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
view Sigma YAML
title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
- https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
- https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
- https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
- attack.discovery
- attack.t1069.002
- attack.t1087.002
- attack.t1482
logsource:
product: windows
service: ldap
definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
generic_search:
EventID: 30
SearchFilter|contains:
- '(groupType:1.2.840.113556.1.4.803:=2147483648)'
- '(groupType:1.2.840.113556.1.4.803:=2147483656)'
- '(groupType:1.2.840.113556.1.4.803:=2147483652)'
- '(groupType:1.2.840.113556.1.4.803:=2147483650)'
- '(sAMAccountType=805306369)'
- '(sAMAccountType=805306368)'
- '(sAMAccountType=536870913)'
- '(sAMAccountType=536870912)'
- '(sAMAccountType=268435457)'
- '(sAMAccountType=268435456)'
- '(objectCategory=groupPolicyContainer)'
- '(objectCategory=organizationalUnit)'
# - '(objectCategory=Computer)' Prone to false positives
- '(objectCategory=nTDSDSA)'
- '(objectCategory=server)'
- '(objectCategory=domain)'
- '(objectCategory=person)'
- '(objectCategory=group)'
- '(objectCategory=user)'
- '(objectClass=trustedDomain)'
- '(objectClass=computer)'
- '(objectClass=server)'
- '(objectClass=group)'
- '(objectClass=user)'
- '(primaryGroupID=521)'
- '(primaryGroupID=516)'
- '(primaryGroupID=515)'
- '(primaryGroupID=512)'
- 'Domain Admins'
- 'objectGUID=\*'
- '(schemaIDGUID=\*)'
- 'admincount=1'
distinguished_name_enumeration:
EventID: 30
SearchFilter: '(objectclass=\*)'
DistinguishedName|contains:
- 'CN=Domain Admins'
- 'CN=Enterprise Admins'
- 'CN=Group Policy Creator Owners'
suspicious_flag:
EventID: 30
SearchFilter|contains:
- '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
- '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
- '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
- '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
- '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
- '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
- '(userAccountControl:1.2.840.113556.1.4.803:=544)'
- '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
- 'msDS-AllowedToActOnBehalfOfOtherIdentity'
- 'msDS-AllowedToDelegateTo'
- 'msDS-GroupManagedServiceAccount'
- '(accountExpires=9223372036854775807)'
- '(accountExpires=0)'
- '(adminCount=1)'
- 'ms-MCS-AdmPwd'
narrow_down_filter:
EventID: 30
SearchFilter|contains:
- '(domainSid=*)'
- '(objectSid=*)'
condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
view Sigma YAML
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-02
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\amazon-ssm-agent.exe'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
view Sigma YAML
title: Potential Antivirus Software DLL Sideloading
id: 552b6b65-df37-4d3e-a258-f2fc4771ae54
status: test
description: Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
# Bitdefender
selection_bitdefender:
ImageLoaded|endswith: '\log.dll'
filter_log_dll_bitdefender:
ImageLoaded|startswith:
- 'C:\Program Files\Bitdefender Antivirus Free\'
- 'C:\Program Files (x86)\Bitdefender Antivirus Free\'
filter_log_dll_dell_sar:
Image: 'C:\Program Files\Dell\SARemediation\audit\TelemetryUtility.exe'
ImageLoaded:
- 'C:\Program Files\Dell\SARemediation\plugin\log.dll'
- 'C:\Program Files\Dell\SARemediation\audit\log.dll'
filter_log_dll_canon:
ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\'
filter_log_dll_avast:
ImageLoaded:
- 'C:\Program Files\AVAST Software\Avast\log.dll'
- 'C:\Program Files (x86)\AVAST Software\Avast\log.dll'
filter_log_dll_avg:
ImageLoaded:
- 'C:\Program Files\AVG\Antivirus\log.dll'
- 'C:\Program Files (x86)\AVG\Antivirus\log.dll'
# F-Secure
selection_fsecure:
ImageLoaded|endswith: '\qrt.dll'
filter_fsecure:
ImageLoaded|startswith:
- 'C:\Program Files\F-Secure\Anti-Virus\'
- 'C:\Program Files (x86)\F-Secure\Anti-Virus\'
# McAfee
selection_mcafee:
ImageLoaded|endswith:
- '\ashldres.dll'
- '\lockdown.dll'
- '\vsodscpl.dll'
filter_mcafee:
ImageLoaded|startswith:
- 'C:\Program Files\McAfee\'
- 'C:\Program Files (x86)\McAfee\'
# CyberArk
selection_cyberark:
ImageLoaded|endswith: '\vftrace.dll'
filter_cyberark:
ImageLoaded|startswith:
- 'C:\Program Files\CyberArk\Endpoint Privilege Manager\Agent\x32\'
- 'C:\Program Files (x86)\CyberArk\Endpoint Privilege Manager\Agent\x32\'
# Avast
selection_avast:
ImageLoaded|endswith: '\wsc.dll'
filter_wsc_dll_avast:
ImageLoaded|startswith:
- 'C:\program Files\AVAST Software\Avast\'
- 'C:\program Files (x86)\AVAST Software\Avast\'
filter_wsc_dll_avg:
ImageLoaded|startswith:
- 'C:\Program Files\AVG\Antivirus\'
- 'C:\Program Files (x86)\AVG\Antivirus\'
# ESET
selection_eset_deslock:
ImageLoaded|endswith: '\DLPPREM32.dll'
filter_eset_deslock:
ImageLoaded|startswith:
- 'C:\program Files\ESET'
- 'C:\program Files (x86)\ESET'
# Trend Micro Titanium
selection_titanium:
ImageLoaded|endswith: '\tmdbglog.dll'
filter_titanium:
ImageLoaded|startswith:
- 'C:\program Files\Trend Micro\Titanium\'
- 'C:\program Files (x86)\Trend Micro\Titanium\'
condition: (selection_bitdefender and not 1 of filter_log_dll_*)
or (selection_fsecure and not filter_fsecure)
or (selection_mcafee and not filter_mcafee)
or (selection_cyberark and not filter_cyberark)
or (selection_avast and not 1 of filter_wsc_dll_*)
or (selection_titanium and not filter_titanium)
or (selection_eset_deslock and not filter_eset_deslock)
falsepositives:
- Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.
- Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file.
- The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
Attackers might abuse this in order to bypass application whitelisting.
view Sigma YAML
title: Potential Application Whitelisting Bypass via Dnx.EXE
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: test
description: |
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
Attackers might abuse this in order to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
- attack.stealth
- attack.t1218
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\dnx.exe'
condition: selection
falsepositives:
- Legitimate use of dnx.exe by legitimate user
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
view Sigma YAML
title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\ftp.exe'
selection_child_img:
- Image|endswith: '\ftp.exe'
- OriginalFileName: 'ftp.exe'
selection_child_cli:
CommandLine|contains|windash: '-s:'
condition: selection_parent or all of selection_child_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Arbitrary DLL Load Using Winword
Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
view Sigma YAML
title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
- id: 2621b3a6-3840-4810-ac14-a02426086171
type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
- https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WINWORD.exe'
- OriginalFileName: 'WinWord.exe'
selection_dll:
CommandLine|contains|all:
- '/l '
- '.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Arbitrary File Download Via Cmdl32.EXE
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
Attackers can abuse this utility in order to download arbitrary files via a configuration file.
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
view Sigma YAML
title: Potential Arbitrary File Download Via Cmdl32.EXE
id: f37aba28-a9e6-4045-882c-d5004043b337
status: test
description: |
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
Attackers can abuse this utility in order to download arbitrary files via a configuration file.
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
- https://twitter.com/SwiftOnSecurity/status/1455897435063074824
- https://github.com/LOLBAS-Project/LOLBAS/pull/151
author: frack113
date: 2021-11-03
modified: 2024-04-22
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdl32.exe'
- OriginalFileName: CMDL32.EXE
selection_cli:
CommandLine|contains|all:
- '/vpn'
- '/lan'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Base64 Encoded User-Agent
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
view Sigma YAML
title: Potential Base64 Encoded User-Agent
id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
related:
- id: d443095b-a221-4957-a2c4-cd1756c9b747
type: derived
status: test
description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
references:
- https://blogs.jpcert.or.jp/en/2022/07/yamabot.html
- https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Florian Roth (Nextron Systems), Brian Ingram (update)
date: 2022-07-08
modified: 2023-05-04
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|endswith: '='
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
view Sigma YAML
title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection_exe:
Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- '\AccessEnum.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADInsight.exe'
- '\ADInsight64.exe'
- '\adrestore.exe'
- '\adrestore64.exe'
- '\Autologon.exe'
- '\Autologon64.exe'
- '\Autoruns.exe'
- '\Autoruns64.exe'
- '\autorunsc.exe'
- '\autorunsc64.exe'
- '\Bginfo.exe'
- '\Bginfo64.exe'
- '\Cacheset.exe'
- '\Cacheset64.exe'
- '\Clockres.exe'
- '\Clockres64.exe'
- '\Contig.exe'
- '\Contig64.exe'
- '\Coreinfo.exe'
- '\Coreinfo64.exe'
- '\CPUSTRES.EXE'
- '\CPUSTRES64.EXE'
- '\ctrl2cap.exe'
- '\Dbgview.exe'
- '\dbgview64.exe'
- '\Desktops.exe'
- '\Desktops64.exe'
- '\disk2vhd.exe'
- '\disk2vhd64.exe'
- '\diskext.exe'
- '\diskext64.exe'
- '\Diskmon.exe'
- '\Diskmon64.exe'
- '\DiskView.exe'
- '\DiskView64.exe'
- '\du.exe'
- '\du64.exe'
- '\efsdump.exe'
- '\FindLinks.exe'
- '\FindLinks64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\hex2dec.exe'
- '\hex2dec64.exe'
- '\junction.exe'
- '\junction64.exe'
- '\ldmdump.exe'
- '\listdlls.exe'
- '\listdlls64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\loadOrd.exe'
- '\loadOrd64.exe'
- '\loadOrdC.exe'
- '\loadOrdC64.exe'
- '\logonsessions.exe'
- '\logonsessions64.exe'
- '\movefile.exe'
- '\movefile64.exe'
- '\notmyfault.exe'
- '\notmyfault64.exe'
- '\notmyfaultc.exe'
- '\notmyfaultc64.exe'
- '\ntfsinfo.exe'
- '\ntfsinfo64.exe'
- '\pendmoves.exe'
- '\pendmoves64.exe'
- '\pipelist.exe'
- '\pipelist64.exe'
- '\portmon.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\Procmon.exe'
- '\Procmon64.exe'
- '\psExec.exe'
- '\psExec64.exe'
- '\psfile.exe'
- '\psfile64.exe'
- '\psGetsid.exe'
- '\psGetsid64.exe'
- '\psInfo.exe'
- '\psInfo64.exe'
- '\pskill.exe'
- '\pskill64.exe'
- '\pslist.exe'
- '\pslist64.exe'
- '\psLoggedon.exe'
- '\psLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\psping.exe'
- '\psping64.exe'
- '\psService.exe'
- '\psService64.exe'
- '\psshutdown.exe'
- '\psshutdown64.exe'
- '\pssuspend.exe'
- '\pssuspend64.exe'
- '\RAMMap.exe'
- '\RAMMap64.exe'
- '\RDCMan.exe'
- '\RegDelNull.exe'
- '\RegDelNull64.exe'
- '\regjump.exe'
- '\ru.exe'
- '\ru64.exe'
- '\sdelete.exe'
- '\sdelete64.exe'
- '\ShareEnum.exe'
- '\ShareEnum64.exe'
- '\shellRunas.exe'
- '\sigcheck.exe'
- '\sigcheck64.exe'
- '\streams.exe'
- '\streams64.exe'
- '\strings.exe'
- '\strings64.exe'
- '\sync.exe'
- '\sync64.exe'
- '\Sysmon.exe'
- '\Sysmon64.exe'
- '\tcpvcon.exe'
- '\tcpvcon64.exe'
- '\tcpview.exe'
- '\tcpview64.exe'
- '\Testlimit.exe'
- '\Testlimit64.exe'
- '\vmmap.exe'
- '\vmmap64.exe'
- '\Volumeid.exe'
- '\Volumeid64.exe'
- '\whois.exe'
- '\whois64.exe'
- '\Winobj.exe'
- '\Winobj64.exe'
- '\ZoomIt.exe'
- '\ZoomIt64.exe'
selection_arm64:
Image|endswith:
- '\accesschk64a.exe'
- '\ADExplorer64a.exe'
- '\ADInsight64a.exe'
- '\adrestore64a.exe'
- '\Autologon64a.exe'
- '\Autoruns64a.exe'
- '\autorunsc64a.exe'
- '\Clockres64a.exe'
- '\Contig64a.exe'
- '\Coreinfo64a.exe'
- '\Dbgview64a.exe'
- '\disk2vhd64a.exe'
- '\diskext64a.exe'
- '\DiskView64a.exe'
- '\du64a.exe'
- '\FindLinks64a.exe'
- '\handle64a.exe'
- '\hex2dec64a.exe'
- '\junction64a.exe'
- '\LoadOrd64a.exe'
- '\LoadOrdC64a.exe'
- '\logonsessions64a.exe'
- '\movefile64a.exe'
- '\notmyfault64a.exe'
- '\notmyfaultc64a.exe'
- '\pendmoves64a.exe'
- '\pipelist64a.exe'
- '\procdump64a.exe'
- '\procexp64a.exe'
- '\Procmon64a.exe'
- '\PsExec64a.exe'
- '\psfile64a.exe'
- '\PsGetsid64a.exe'
- '\PsInfo64a.exe'
- '\pskill64a.exe'
- '\psloglist64a.exe'
- '\pspasswd64a.exe'
- '\psping64a.exe'
- '\PsService64a.exe'
- '\pssuspend64a.exe'
- '\RAMMap64a.exe'
- '\RegDelNull64a.exe'
- '\ru64a.exe'
- '\sdelete64a.exe'
- '\sigcheck64a.exe'
- '\streams64a.exe'
- '\strings64a.exe'
- '\sync64a.exe'
- '\Sysmon64a.exe'
- '\tcpvcon64a.exe'
- '\tcpview64a.exe'
- '\vmmap64a.exe'
- '\whois64a.exe'
- '\Winobj64a.exe'
- '\ZoomIt64a.exe'
filter_valid:
- Company:
- 'Sysinternals - www.sysinternals.com'
- 'Sysinternals'
- Product|startswith: 'Sysinternals'
filter_empty:
- Company: null
- Product: null
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Binary Or Script Dropper Via PowerShell
Detects PowerShell creating a binary executable or a script file.
view Sigma YAML
title: Potential Binary Or Script Dropper Via PowerShell
id: 7047d730-036f-4f40-b9d8-1c63e36d5e62
status: test
description: Detects PowerShell creating a binary executable or a script file.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-17
modified: 2025-07-04
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
TargetFilename|endswith:
- '.bat'
- '.chm'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.jar'
- '.js'
- '.ocx'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.wsf'
filter_main_user_temp:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_main_other_temp:
# Example: C:\Windows\Temp\0DA9758B-4649-4969-9409-5CBDF193FB53\TransmogProvider.dll
TargetFilename|startswith:
- 'C:\Windows\Temp\'
- 'C:\Windows\SystemTemp\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_main_powershell_module:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\WindowsPowerShell\Modules\' # C:\Users\xxxx\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.12\lib\net47\PowerShellYamlSerializer.dll
TargetFilename|endswith: '.dll'
filter_main_nuget:
TargetFilename|startswith: 'C:\Program Files\PackageManagement\ProviderAssemblies\nuget\'
TargetFilename|endswith: '\Microsoft.PackageManagement.NuGetProvider.dll'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
view Sigma YAML
title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
- https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
- https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
- attack.execution
- attack.stealth
- attack.t1106
- attack.t1218
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cdb.exe'
- OriginalFileName: 'CDB.Exe'
selection_cli:
CommandLine|contains:
- ' -c ' # Using a debugger script
- ' -cf '
condition: all of selection*
falsepositives:
- Legitimate use of debugging tools
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Binary Proxy Execution Via VSDiagnostics.EXE
Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
view Sigma YAML
title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: test
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
- https://twitter.com/0xBoku/status/1679200664013135872
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VSDiagnostics.exe'
- OriginalFileName: 'VSDiagnostics.exe'
selection_cli_start:
CommandLine|contains: 'start'
selection_cli_launch:
CommandLine|contains:
- ' /launch:'
- ' -launch:'
condition: all of selection_*
falsepositives:
- Legitimate usage for tracing and diagnostics purposes
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
view Sigma YAML
title: Potential Browser Data Stealing
id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
related:
- id: fc028194-969d-4122-8abe-0470d5b8f12f
type: derived
status: test
description: |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
- https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2025-03-19
tags:
- attack.credential-access
- attack.t1555.003
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- CommandLine|contains:
- 'copy-item'
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- 'move-item'
- ' mi '
- ' mv '
- Image|endswith:
- '\esentutl.exe' # akira ransomware
- '\xcopy.exe'
- '\robocopy.exe'
- OriginalFileName:
- 'esentutl.exe'
- 'XCOPY.EXE'
- 'robocopy.exe'
selection_path:
CommandLine|contains:
- '\Amigo\User Data'
- '\BraveSoftware\Brave-Browser\User Data'
- '\CentBrowser\User Data'
- '\Chromium\User Data'
- '\CocCoc\Browser\User Data'
- '\Comodo\Dragon\User Data'
- '\Elements Browser\User Data'
- '\Epic Privacy Browser\User Data'
- '\Google\Chrome Beta\User Data'
- '\Google\Chrome SxS\User Data'
- '\Google\Chrome\User Data\'
- '\Kometa\User Data'
- '\Maxthon5\Users'
- '\Microsoft\Edge\User Data'
- '\Mozilla\Firefox\Profiles'
- '\Nichrome\User Data'
- '\Opera Software\Opera GX Stable\'
- '\Opera Software\Opera Neon\User Data'
- '\Opera Software\Opera Stable\'
- '\Orbitum\User Data'
- '\QIP Surf\User Data'
- '\Sputnik\User Data'
- '\Torch\User Data'
- '\uCozMedia\Uran\User Data'
- '\Vivaldi\User Data'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
view Sigma YAML
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
- https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\CCleanerDU.dll'
filter_main_path:
Image|startswith:
- 'C:\Program Files\CCleaner\'
- 'C:\Program Files (x86)\CCleaner\'
Image|endswith:
- '\CCleaner.exe'
- '\CCleaner64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
view Sigma YAML
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
- https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\CCleanerReactivator.dll'
filter_main_path:
Image|startswith:
- 'C:\Program Files\CCleaner\'
- 'C:\Program Files (x86)\CCleaner\'
Image|endswith: '\CCleanerReactivator.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
view Sigma YAML
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
- https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- 'HKU\'
- 'Classes\CLSID\'
- '\TreatAs'
filter_main_svchost:
# Example of target object by svchost
# TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
Image: 'C:\WINDOWS\system32\svchost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
- type: atomic-red-team
name: COM hijacking via TreatAs
technique: T1546.015
atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
Convert to SIEM query
medium
Moderate
High FP
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
view Sigma YAML
title: Potential COM Objects Download Cradles Usage - PS Script
id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
- id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection_1:
ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
selection_2:
ScriptBlockText|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
- '88d96a0a-f192-11d4-a65f-0040963251e5'
- 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
- 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
- '88d96a0b-f192-11d4-a65f-0040963251e5'
- '2087c2f4-2cef-4953-a8ab-66779b670495'
- '000209FF-0000-0000-C000-000000000046'
- '00024500-0000-0000-C000-000000000046'
condition: all of selection_*
falsepositives:
- Legitimate use of the library
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
view Sigma YAML
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
- id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains: '[Type]::GetTypeFromCLSID('
selection_2:
CommandLine|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
- '88d96a0a-f192-11d4-a65f-0040963251e5'
- 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
- 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
- '88d96a0b-f192-11d4-a65f-0040963251e5'
- '2087c2f4-2cef-4953-a8ab-66779b670495'
- '000209FF-0000-0000-C000-000000000046'
- '00024500-0000-0000-C000-000000000046'
condition: all of selection_*
falsepositives:
- Legitimate use of the library
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential CVE-2021-27905 Exploitation Attempt
Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
view Sigma YAML
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: test
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
- https://twitter.com/sec715/status/1373472323538362371
- https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/
- https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186
- https://github.com/murataydemir/CVE-2021-27905
author: '@gott_cyber'
date: 2022-12-11
modified: 2023-03-24
tags:
- attack.initial-access
- attack.t1190
- cve.2021-27905
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_request1:
cs-uri-query|contains|all:
- '/solr/'
- '/debug/dump?'
- 'param=ContentStream'
sc-status: 200
selection_request2:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/solr/'
- 'command=fetchindex'
- 'masterUrl='
sc-status: 200
condition: 1 of selection_*
falsepositives:
- Vulnerability Scanners
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Potential CVE-2021-42278 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
view Sigma YAML
title: Potential CVE-2021-42278 Exploitation Attempt
id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
related:
- id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
type: similar
status: test
description: |
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
- attack.credential-access
- attack.t1558.003
- cve.2021-42278
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-Kerberos-Key-Distribution-Center' # Active Directory
EventID:
- 35 # PAC without attributes
- 36 # Ticket without a PAC
- 37 # Ticket without Requestor
- 38 # Requestor Mismatch
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Potential CVE-2021-42287 Exploitation Attempt
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
view Sigma YAML
title: Potential CVE-2021-42287 Exploitation Attempt
id: e80a0fee-1a62-4419-b31e-0d0db6e6013a
related:
- id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
type: similar
status: test
description: |
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
author: frack113
date: 2021-12-15
modified: 2023-04-14
tags:
- attack.credential-access
- attack.t1558.003
- detection.emerging-threats
- cve.2021-42287
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
EventID:
- 16990 # Object class and UserAccountControl validation failure
- 16991 # SAM Account Name validation failure
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
view Sigma YAML
title: Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
id: 5660d8db-6e25-411f-b92f-094420168a5d
status: test
description: |
Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager.
As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
references:
- https://blog.morphisec.com/vmware-identity-manager-attack-backdoor
- https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
author: '@kostastsale'
date: 2022-04-25
tags:
- attack.execution
- attack.initial-access
- attack.t1059.006
- attack.t1190
- cve.2022-22954
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\prunsrv.exe'
selection_payload_pwsh:
Image|endswith: '\powershell.exe'
selection_payload_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: '/c powershell'
condition: selection_parent and 1 of selection_payload_*
falsepositives:
- Some false positives are possible as part of a custom script implementation from admins executed with cmd.exe as the child process.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential CVE-2023-2283 Exploitation
Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
view Sigma YAML
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: test
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
- https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
- https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420
- https://nvd.nist.gov/vuln/detail/CVE-2023-2283
- https://www.blumira.com/cve-2023-2283/
- https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
author: Florian Roth (Nextron Systems)
date: 2023-06-09
tags:
- attack.initial-access
- attack.t1190
- cve.2023-2283
- detection.emerging-threats
logsource:
product: linux
service: sshd
detection:
keywords:
- 'Failed to generate curve25519 keys'
condition: keywords
falsepositives:
- Errors with the initialization or generation of the X25519 elliptic curve keys may generate the same error message
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential CVE-2023-23397 Exploitation Attempt - SMB
Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
view Sigma YAML
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
- https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2025-10-13
tags:
- attack.exfiltration
- cve.2023-23397
- detection.emerging-threats
logsource:
product: windows
service: smbclient-connectivity
detection:
selection:
# Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
EventID:
# - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
- 30803 # Failed to establish a network connection.
- 30804 # A network connection was disconnected.
- 30806 # The client re-established its session to the server.
# - 31001 # Error (Doesn't contain the "ServerAddress" field)
filter_main_local_ips:
- ServerAddress|cidr:
# IPv4
- '10.0.0.0/8'
- '127.0.0.0/8'
- '169.254.0.0/16'
- '172.16.0.0/12'
- '192.168.0.0/16'
# IPv6
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
- Address|startswith:
# This is for EventID 30804, which doesn't have the "ServerAddress" field, but a field called "Address" and it contains a socket address (IP:Port) and not an IP
# IPv4
- '10.'
- '127.'
- '169.254.'
- '172.'
- '192.168.'
# IPv6
- '::1'
- 'fe80::'
- 'fc00::'
# The filters below cover the XML raw log
- Address|contains:
# IPv6
- '00000000000000000000000000000001' # ::1 - IPv6 loopback
- 'FE80000000000000' # fe80:: - IPv6 link-local addresses
- 'FC00000000000000' # fc00:: - IPv6 private addresses
# IPv4
# The "?" are meant to represent the port
- '0200????C0A8' # 192.168.
- '0200????AC' # 172.
- '0200????0A' # 10.
- '0200????7F' # 127
- '0200????A9FE' # 169.254.
- ServerAddress|contains:
# IPv6
- '00000000000000000000000000000001' # ::1 - IPv6 loopback
- 'FE80000000000000' # fe80:: - IPv6 link-local addresses
- 'FC00000000000000' # fc00:: - IPv6 private addresses
# IPv4
# The "?" are meant to represent the port
- '0200????C0A8' # 192.168.
- '0200????AC' # 172.
- '0200????0A' # 10.
- '0200????7F' # 127
- '0200????A9FE' # 169.254.
- RemoteAddress|contains:
# IPv6
- '00000000000000000000000000000001' # ::1 - IPv6 loopback
- 'FE80000000000000' # fe80:: - IPv6 link-local addresses
- 'FC00000000000000' # fc00:: - IPv6 private addresses
# IPv4
# The "?" are meant to represent the port
- '0200????C0A8' # 192.168.
- '0200????AC' # 172.
- '0200????0A' # 10.
- '0200????7F' # 127
- '0200????A9FE' # 169.254.
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
Convert to SIEM query
Showing 2601-2650 of 3,751