Sigma
Sigma detection rules
3,133 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native syntax for Splunk, Microsoft Sentinel, Elastic, Microsoft Defender, and QRadar.
◈
Detection rules
50 shown of 3,133
critical
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
view Sigma YAML
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
- https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
logsource:
category: proxy
detection:
selection:
c-uri|contains: '/pwndrop/'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
view Sigma YAML
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_event
detection:
selection:
EventID:
- 12
- 13
TargetObject|contains: 'SYSTEM\'
TargetObject|endswith: '\services\localNETService'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
view Sigma YAML
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'whoami.exe'
filter:
Image|endswith: '\whoami.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IP report
view Sigma YAML
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IP report
references:
- https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
- attack.execution
- attack.t1059.001
- attack.command-and-control
- attack.t1071.004
- attack.t1572
- attack.impact
- attack.t1529
- attack.g0091
- attack.s0363
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
empire:
# better to randomise the order
ScriptBlockText|contains|all:
- 'System.Diagnostics.Process'
- 'Stop-Computer'
- 'Restart-Computer'
- 'Exception in execution'
- '$cmdargs'
- 'Close-Dnscat2Tunnel'
dnscat:
# better to randomise the order
ScriptBlockText|contains|all:
- 'set type=$LookupType`nserver'
- '$Command | nslookup 2>&1 | Out-String'
- 'New-RandomDNSField'
- '[Convert]::ToString($SYNOptions, 16)'
- '$Session.Dead = $True'
- '$Session["Driver"] -eq'
condition: empire and dnscat
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
view Sigma YAML
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
- id: baca5663-583c-45f9-b5dc-ea96a22ce542
type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\winlogon.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\wt.exe'
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'Magnify.exe'
- 'Narrator.exe'
- 'DisplaySwitch.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
view Sigma YAML
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
- car.2014-11-003
- car.2014-11-008
logsource:
category: registry_event
product: windows
detection:
selection_registry:
TargetObject|endswith:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
condition: selection_registry
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Suspicious Child Process Of Veeam Dabatase
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
view Sigma YAML
title: Suspicious Child Process Of Veeam Dabatase
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
- id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\sqlservr.exe'
ParentCommandLine|contains: 'VEEAMSQL'
selection_child_1:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\wt.exe'
CommandLine|contains:
- '-ex '
- 'bypass'
- 'cscript'
- 'DownloadString'
- 'http://'
- 'https://'
- 'mshta'
- 'regsvr32'
- 'rundll32'
- 'wscript'
- 'copy '
selection_child_2:
Image|endswith:
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\tasklist.exe'
- '\whoami.exe'
condition: selection_parent and 1 of selection_child_*
level: critical
Convert to SIEM query
critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
- id: f356a9c4-effd-4608-bbf8-408afd5cd006
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.t1071.004
- attack.command-and-control
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection_eid:
EventID: 3008
selection_query_1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection_query_2:
QueryName|contains: '.stage.123456.'
condition: selection_eid and 1 of selection_query_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
- id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
view Sigma YAML
title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'New-MailboxExportRequest'
- ' -Mailbox '
- ' -FilePath \\\\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
view Sigma YAML
title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
- id: 889719ef-dd62-43df-86c3-768fb08dc7c0
type: derived
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-MailboxExportRequest'
- ' -Mailbox '
- ' -FilePath \\\\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
view Sigma YAML
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
- id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://github.com/netero1010/TrustedPath-UACBypass-BOF
- https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'C:\Windows \System32\'
- 'C:\Windows \SysWOW64\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
view Sigma YAML
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
- attack.credential-access
- attack.t1003
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
view Sigma YAML
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
- https://twitter.com/cglyer/status/1182389676876980224
- https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\EdgeTransport.exe'
filter_conhost:
Image: 'C:\Windows\System32\conhost.exe'
filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Image|endswith: '\Bin\OleConverter.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
view Sigma YAML
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
- Personal Experience of the Author
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
selection:
type: 'SYSCALL'
SYSCALL:
- 'execve'
- 'execveat'
euid: 33
condition: selection
falsepositives:
- Admin activity
- Crazy web applications
level: critical
Convert to SIEM query
critical
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
view Sigma YAML
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
- attack.initial-access
- cve.2021-42278
- cve.2021-42287
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
view Sigma YAML
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
view Sigma YAML
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
- https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
- attack.lateral-movement
- attack.execution
- attack.t1047
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
- TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
- TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
view Sigma YAML
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: file_event
detection:
selection:
Image: System
TargetFilename|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
view Sigma YAML
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
- attack.t1210
- attack.lateral-movement
logsource:
service: system
product: windows
detection:
selection:
EventID:
- 5805
- 5723
keywords:
- kali
- mimikatz
condition: selection and keywords
level: critical
Convert to SIEM query
high
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
view Sigma YAML
title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: derived
status: test
description: |
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
- https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.rdp'
Image|endswith:
# Covers browsers
- '\brave.exe'
- '\CCleaner Browser\Application\CCleanerBrowser.exe'
- '\chromium.exe'
- '\firefox.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\iexplore.exe'
- '\microsoftedge.exe'
- '\msedge.exe'
- '\Opera.exe'
- '\Vivaldi.exe'
- '\Whale.exe'
# Covers email clients
- '\olk.exe' # Outlook
- '\Outlook.exe'
- '\RuntimeBroker.exe' # If the windows mail client is used
- '\Thunderbird.exe'
# Covers chat applications
- '\Discord.exe' # Should open the browser for download, but just in case.
- '\Keybase.exe'
- '\msteams.exe'
- '\Slack.exe'
- '\teams.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
view Sigma YAML
title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
- id: 91e69562-2426-42ce-a647-711b8152ced6
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: high
Convert to SIEM query
high
AADInternals PowerShell Cmdlets Execution - PsScript
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
view Sigma YAML
title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
- id: c86500e9-a645-4680-98d7-f882c70c1ea3
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection:
ScriptBlockText|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: high
Convert to SIEM query
high
AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
view Sigma YAML
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
selection_object:
- ObjectName|endswith:
- '-512'
- '-502'
- '-500'
- '-505'
- '-519'
- '-520'
- '-544'
- '-551'
- '-555'
- ObjectName|contains: 'admin'
filter:
SubjectUserName|endswith: '$'
condition: selection and selection_object and not filter
falsepositives:
- If source account name is not an admin then its super suspicious
level: high
Convert to SIEM query
high
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
view Sigma YAML
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
status: test
description: Detects certificate creation with template allowing risk permission subject and risky EKU
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.credential-access
logsource:
product: windows
service: security
definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU.
detection:
selection10:
EventID: 4898
TemplateContent|contains:
- '1.3.6.1.5.5.7.3.2'
- '1.3.6.1.5.2.3.4'
- '1.3.6.1.4.1.311.20.2.2'
- '2.5.29.37.0'
selection11:
TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
selection20:
EventID: 4899
NewTemplateContent|contains:
- '1.3.6.1.5.5.7.3.2'
- '1.3.6.1.5.2.3.4'
- '1.3.6.1.4.1.311.20.2.2'
- '2.5.29.37.0'
selection21:
NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
condition: (selection10 and selection11) or (selection20 and selection21)
falsepositives:
- Administrator activity
- Proxy SSL certificate with subject modification
- Smart card enrollement
level: high
Convert to SIEM query
high
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
view Sigma YAML
title: AMSI Bypass Pattern Assembly GetType
id: e0d6c087-2d1c-47fd-8799-3904103c5a98
status: test
description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
references:
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
- https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
author: Florian Roth (Nextron Systems)
date: 2022-11-09
tags:
- attack.defense-impairment
- attack.t1685
- attack.execution
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '[Ref].Assembly.GetType'
- 'SetValue($null,$true)'
- 'NonPublic,Static'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
view Sigma YAML
title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
- id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
type: similar
status: experimental
description: |
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
Convert to SIEM query
high
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
view Sigma YAML
title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
- Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- 'webclient' # Naikon APT
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
condition: selection
falsepositives:
- Old browsers
level: high
Convert to SIEM query
high
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
view Sigma YAML
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://manual.cs50.io/2/personality
- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
- attack.privilege-escalation
- attack.stealth
- attack.defense-impairment
- attack.t1685
- attack.t1055.009
logsource:
product: linux
service: auditd
detection:
selection_syscall:
type: 'SYSCALL'
SYSCALL: 'personality'
a0: 40000
selection_sysctl:
type: 'EXECVE'
a0: 'sysctl'
a1: '-w'
a2: 'kernel.randomize_va_space=0' # 0 = disable
condition: 1 of selection_*
falsepositives:
- Debugging or legitimate software testing
level: high
Convert to SIEM query
high
AWS Config Disabling Channel/Recorder
Detects AWS Config Service disabling
view Sigma YAML
title: AWS Config Disabling Channel/Recorder
id: 07330162-dba1-4746-8121-a9647d49d297
status: test
description: Detects AWS Config Service disabling
references:
- https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
author: vitaliy0x1
date: 2020-01-21
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685.002
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'config.amazonaws.com'
eventName:
- 'DeleteDeliveryChannel'
- 'StopConfigurationRecorder'
condition: selection
falsepositives:
- Valid change in AWS Config Service
level: high
Convert to SIEM query
high
AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
view Sigma YAML
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1059.004
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
requestParameters.attribute: 'userData'
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high
Convert to SIEM query
high
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
view Sigma YAML
title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
references:
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
- https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.002
logsource:
product: aws
service: cloudtrail
detection:
selection_event_source:
eventSource: 'guardduty.amazonaws.com'
selection_action_delete:
eventName: 'DeleteDetector'
selection_action_update:
eventName: 'UpdateDetector'
requestParameters.enable: 'false'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
- Legitimate detector deletion by an admin (e.g., during account decommissioning).
- Temporary disablement for troubleshooting (verify via change management tickets).
- Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high
Convert to SIEM query
high
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
view Sigma YAML
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: test
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
author: faloker
date: 2020-02-11
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: guardduty.amazonaws.com
eventName: CreateIPSet
condition: selection_source
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high
Convert to SIEM query
high
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
view Sigma YAML
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'GetLoginProfile'
- 'CreateLoginProfile'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high
Convert to SIEM query
high
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
view Sigma YAML
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.stealth
- attack.t1059.009
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: iam.amazonaws.com
eventName: PutUserPolicy
userAgent|contains: 'S3 Browser'
requestParameters|contains|all:
- '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
- '"s3:GetObject"'
- '"Allow"'
condition: selection
falsepositives:
- Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
Convert to SIEM query
high
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
view Sigma YAML
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: [email protected] (@danielhbohannon)
date: 2023-05-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'CreateUser'
- 'CreateAccessKey'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high
Convert to SIEM query
high
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
view Sigma YAML
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
- https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
- https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource:
- 'sso-directory.amazonaws.com'
- 'sso.amazonaws.com'
eventName:
- 'AssociateDirectory'
- 'DisableExternalIdPConfigurationForDirectory'
- 'DisassociateDirectory'
- 'EnableExternalIdPConfigurationForDirectory'
condition: selection
falsepositives:
- Authorized changes to the AWS account's identity provider
level: high
Convert to SIEM query
high
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
view Sigma YAML
title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
- https://www.chrisfarris.com/post/effective-aws-ransomware/
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
- attack.impact
- attack.t1486
- attack.resource-development
- attack.t1608.003
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'kms.amazonaws.com'
eventName:
- 'ImportKeyMaterial'
- 'DeleteImportedKeyMaterial'
condition: selection
falsepositives:
- Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
- Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high
Convert to SIEM query
high
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
view Sigma YAML
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
condition: selection
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
Convert to SIEM query
high
AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
view Sigma YAML
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateLoginProfile'
filter_main_user_identity:
userIdentity.arn|fieldref: requestParameters.userName
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate user account administration
level: high
Convert to SIEM query
high
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
view Sigma YAML
title: AWS VPC Flow Logs Deleted
id: e386b9b5-af12-450e-afff-761730fb8a98
status: experimental
description: |
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html
- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
author: Ivan Saakov
date: 2025-10-19
tags:
- attack.stealth
logsource:
product: aws
service: cloudtrail
detection:
selection_event_name:
eventName: 'DeleteFlowLogs'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_name and 1 of selection_status_*
falsepositives:
- During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.
level: high
Convert to SIEM query
high
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
view Sigma YAML
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection_dll:
ImageLoaded|endswith:
# Note: Add more generic DLLs that cannot be pin-pointed to a single application
- '\coreclr.dll'
- '\facesdk.dll'
- '\HPCustPartUI.dll'
- '\libcef.dll'
- '\ZIPDLL.dll'
selection_folders_1:
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
- '\Windows\Temp\'
selection_folders_2:
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favorites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favourites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Contacts\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_dll and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
view Sigma YAML
title: Abuse of Service Permissions to Hide Services Via Set-Service
id: 514e4c3a-c77d-4cde-a00f-046425e2301e
related:
- id: a537cfc3-4297-4789-92b5-345bfd845ad0
type: derived
- id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\pwsh.exe'
- OriginalFileName: 'pwsh.dll'
selection_sddl:
# Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
CommandLine|contains|all:
- 'Set-Service '
- 'DCLCWPDTSD'
selection_cmdlet:
CommandLine|contains:
- '-SecurityDescriptorSddl '
- '-sd '
condition: all of selection_*
falsepositives:
- Rare intended use of hidden services
level: high
Convert to SIEM query
high
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
view Sigma YAML
title: Abuse of Service Permissions to Hide Services Via Set-Service - PS
id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
related:
- id: 514e4c3a-c77d-4cde-a00f-046425e2301e
type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Service '
- 'DCLCWPDTSD'
ScriptBlockText|contains:
- '-SecurityDescriptorSddl '
- '-sd '
condition: selection
falsepositives:
- Rare intended use of hidden services
- Rare FP could occur due to the non linearity of the ScriptBlockText log
level: high
Convert to SIEM query
high
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
view Sigma YAML
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\winlogon.exe'
- '\services.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\smss.exe'
- '\wininit.exe'
- '\spoolsv.exe'
- '\searchindexer.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
view Sigma YAML
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
Convert to SIEM query
high
Active Directory User Backdoors
Detects scenarios where one can control another users or computers account without having to use their credentials.
view Sigma YAML
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
status: test
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017-04-13
modified: 2024-02-26
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
filter_empty:
AllowedToDelegateTo:
- ''
- '-'
filter_null:
AllowedToDelegateTo: null
selection_5136_1:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection_5136_2:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
selection_5136_3:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
view Sigma YAML
title: Activity From Anonymous IP Address
id: be4d9c86-d702-4030-b52e-c7859110e5e8
status: test
description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'riskyIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
Convert to SIEM query
high
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
view Sigma YAML
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: test
description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/wer_debugger.html
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
condition: selection
falsepositives:
- This value is not set by default but could be rarly used by administrators
level: high
Convert to SIEM query
high
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source.
Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
view Sigma YAML
title: Add Insecure Download Source To Winget
id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
related:
- id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
type: similar
- id: c15a46a0-07d4-4c87-b4b6-89207835a83b
type: similar
status: test
description: |
Detects usage of winget to add a new insecure (http) download source.
Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
- 'http://'
condition: all of selection_*
falsepositives:
- False positives might occur if the users are unaware of such control checks
level: high
Convert to SIEM query
Showing 51-100 of 3,133