3,750 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Detection rules
critical
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
title: AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
status: test
description: Detects WRITE_DAC access to a domain object
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectServer: 'DS'
        AccessMask: '0x40000'
        ObjectType:
            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
            - 'domainDNS'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
APT27 - Emissary Panda Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
title: APT27 - Emissary Panda Activity
id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
status: test
description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
references:
    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
    - https://twitter.com/cyb3rops/status/1168863899531132929
    - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
author: Florian Roth (Nextron Systems)
date: 2018-09-03
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0027
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_sllauncher:
        ParentImage|endswith: '\sllauncher.exe'
        Image|endswith: '\svchost.exe'
    selection_svchost:
        ParentImage|contains: '\AppData\Roaming\'
        Image|endswith: '\svchost.exe'
        CommandLine|contains: '-k'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
APT29 2018 Phishing Campaign CommandLine Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
title: APT29 2018 Phishing Campaign CommandLine Indicators
id: 7453575c-a747-40b9-839b-125a0aae324b
related:
    - id: 033fe7d6-66d1-4240-ac6b-28908009c71f
      type: obsolete
status: stable
description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
    - https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: Florian Roth (Nextron Systems), @41thexplorer
date: 2018-11-20
modified: 2023-03-08
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: '-noni -ep bypass $'
        - CommandLine|contains|all:
              - 'cyzfc.dat,'
              - 'PointFunctionCall'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
APT29 2018 Phishing Campaign File Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
title: APT29 2018 Phishing Campaign File Indicators
id: 3a3f81ca-652c-482b-adeb-b1c804727f74
related:
    - id: 7453575c-a747-40b9-839b-125a0aae324b # ProcessCreation
      type: derived
status: stable
description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
references:
    - https://twitter.com/DrunkBinary/status/1063075530180886529
    - https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
author: '@41thexplorer'
date: 2018-11-20
modified: 2023-02-20
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ds7002.lnk'
            - 'ds7002.pdf'
            - 'ds7002.zip'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-10
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.credential-access
    - attack.g0128
    - attack.t1003.001
    - attack.t1560.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ldifde:
        CommandLine|contains|all:
            - 'ldifde'
            - '-f -n'
            - 'eprod.ldf'
    selection_lateral_movement:
        CommandLine|contains|all:
            - 'copy \\\\'
            - 'c$'
        CommandLine|contains:
            - '\aaaa\procdump64.exe'
            - '\aaaa\netsess.exe'
            - '\aaaa\7za.exe'
            - '\c$\aaaa\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        AccessMask: '0x100'
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter:
        - SubjectUserName|endswith: '$'
        - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
critical
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports an exploitation framework.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021-07-01
modified: 2023-10-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
    - cve.2021-34527
    - cve.2021-1675
logsource:
    category: antivirus
detection:
    selection:
        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
    keywords:
        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
    condition: selection and not keywords
falsepositives:
    - Unlikely, or pending PSP analysis
level: critical
critical
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: |
    Detects a highly relevant Antivirus alert that reports ransomware.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
tags:
    - attack.t1486
    - attack.impact
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'BlackWorm'
            - 'Chaos'
            - 'Cobra'
            - 'ContiCrypt'
            - 'Crypter'
            - 'CRYPTES'
            - 'Cryptor'
            - 'CylanCrypt'
            - 'DelShad'
            - 'Destructor'
            - 'Filecoder'
            - 'GandCrab'
            - 'GrandCrab'
            - 'Haperlock'
            - 'Hiddentear'
            - 'HydraCrypt'
            - 'Krypt'
            - 'Lockbit'
            - 'Locker'
            - 'Mallox'
            - 'Phobos'
            - 'Ransom'
            - 'Ryuk'
            - 'Ryzerlo'
            - 'Stopcrypt'
            - 'Tescrypt'
            - 'TeslaCrypt'
            - 'WannaCry'
            - 'Xorist'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Arcadyan Router Exploitations
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
title: Arcadyan Router Exploitations
id: f0500377-bc70-425d-ac8c-e956cd906871
status: test
description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
references:
    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
    - https://www.tenable.com/security/research/tra-2021-13
    - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
author: Bhabesh Raj
date: 2021-08-24
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-20090
    - cve.2021-20091
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    path_traversal:
        # CVE-2021-20090 (Bypass Auth: Path Traversal)
        cs-uri-query|contains: '..%2f'
    config_file_inj:
        cs-uri-query|contains|all:
            # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection)
            - '..%2f'
            - 'apply_abstract.cgi'
    noauth_list:
        cs-uri-query|contains:
            - '/images/'
            - '/js/'
            - '/css/'
            - '/setup_top_login.htm'
            - '/login.html'
            - '/loginerror.html'
            - '/loginexclude.html'
            - '/loginlock.html'
    condition: (path_traversal or config_file_inj) and noauth_list
falsepositives:
    - Unknown
level: critical
critical
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).
Unfortunately, that is about the only instance of CVEs being written to this log.
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).
    Unfortunately, that is about the only instance of CVEs being written to this log.
references:
    - https://twitter.com/VM_vivisector/status/1217190929330655232
    - https://twitter.com/DidierStevens/status/1217533958096924676
    - https://twitter.com/FlemmingRiis/status/1217147415482060800
    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
    - https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1203
    - attack.privilege-escalation
    - attack.t1068
    - attack.t1211
    - attack.credential-access
    - attack.t1212
    - attack.lateral-movement
    - attack.t1210
    - attack.impact
    - attack.t1499.004
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name:
            - 'Microsoft-Windows-Audit-CVE'
            - 'Audit-CVE'
        EventID: 1
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
      type: derived
status: test
description: |
    focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
    that often undergo minimal changes by attackers due to bad opsec.
references:
    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
    - https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains:
            - '$DoIt'
            - 'harmj0y'
            - 'mattifestation'
            - '_RastaMouse'
            - 'tifkin_'
            - '0xdeadbeef'
    condition: selection_4103
falsepositives:
    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
critical
Bitbucket Unauthorized Access To A Resource
Detects unauthorized access attempts to a resource.
title: Bitbucket Unauthorized Access To A Resource
id: 7215374a-de4f-4b33-8ba5-70804c9251d3
status: test
description: Detects unauthorized access attempts to a resource.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.resource-development
    - attack.t1586
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Security'
        auditType.action: 'Unauthorized access to a resource'
    condition: selection
falsepositives:
    - Access attempts to non-existent repositories or due to outdated plugins. Usually "Anonymous" user is reported in the "author.name" field in most cases.
level: critical
critical
Bitbucket Unauthorized Full Data Export Triggered
Detects when a full data export is attempted by an unauthorized user.
title: Bitbucket Unauthorized Full Data Export Triggered
id: 34d81081-03c9-4a7f-91c9-5e46af625cde
status: test
description: Detects when a full data export is attempted by an unauthorized user.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.resource-development
    - attack.t1213.003
    - attack.t1586
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Unauthorized full data export triggered'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
COLDSTEEL RAT Cleanup Command Execution
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
title: COLDSTEEL RAT Cleanup Command Execution
id: 88516f06-ebe0-47ad-858e-ae9fd060ddea
status: test
description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains:
            - ' -k msupdate'
            - ' -k msupdate2'
            - ' -k alg'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdateDriverForPlugAndPlayDevicesW'
            - 'ServiceMain'
            - 'DiUninstallDevice'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
COLDSTEEL RAT Service Persistence Execution
Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
title: COLDSTEEL RAT Service Persistence Execution
id: 9f9cd389-cea0-4142-bf1a-a3fd424abedd
status: test
description: Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
    - attack.persistence
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        CommandLine|endswith:
            - ' -k msupdate'
            - ' -k msupdate2'
            - ' -k alg'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
CVE-2010-5278 Exploitation Attempt
MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,
when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
title: CVE-2010-5278 Exploitation Attempt
id: a4a899e8-fd7a-49dd-b5a8-7044def72d61
status: test
description: |
    MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,
    when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
references:
    - https://github.com/projectdiscovery/nuclei-templates
author: Subhash Popuri (@pbssubhash)
date: 2021-08-25
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2010-5278
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
    condition: selection
falsepositives:
    - Scanning from Nuclei
    - Unknown
level: critical
critical
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth (Nextron Systems)
date: 2020-02-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-0688
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'GET'
        cs-uri-query|contains:
            - '/ecp/'
            - '/owa/'
    selection2:
        cs-uri-query|contains: '__VIEWSTATE='
    condition: all of selection*
falsepositives:
    - Unknown
level: critical
critical
CVE-2020-10148 SolarWinds Orion API Auth Bypass
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
title: CVE-2020-10148 SolarWinds Orion API Auth Bypass
id: 5a35116f-43bc-4901-b62d-ef131f42a9af
status: test
description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
references:
    - https://kb.cert.org/vuls/id/843464
author: Bhabesh Raj, Tim Shelton
date: 2020-12-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-10148
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/WebResource.axd'
            - '/ScriptResource.axd'
            - '/i18n.ashx'
            - '/Skipi18n'
    selection2:
        cs-uri-query|contains:
            - '/SolarWinds/'
            - '/api/'
    valid_request_1:
        cs-uri-query|contains: 'Orion/Skipi18n/Profiler/'
    valid_request_2:
        cs-uri-query|contains:
            - 'css.i18n.ashx'
            - 'js.i18n.ashx'
    condition: all of selection* and not 1 of valid_request_*
falsepositives:
    - Unknown
level: critical
critical
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
title: CVE-2020-5902 F5 BIG-IP Exploitation Attempt
id: 44b53b1c-e60f-4a7b-948e-3435a7918478
status: test
description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
references:
    - https://support.f5.com/csp/article/K52145254
    - https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/
    - https://twitter.com/yorickkoster/status/1279709009151434754
    - https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
author: Florian Roth (Nextron Systems)
date: 2020-07-05
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-5902
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_base:
        cs-uri-query|contains:
            - '/tmui/'
            - '/hsqldb'
    selection_traversal:
        cs-uri-query|contains:
            - '..;/'
            - '.jsp/..'
    condition: selection_base and selection_traversal
falsepositives:
    - Unknown
level: critical
critical
CVE-2021-1675 Print Spooler Exploitation
Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
title: CVE-2021-1675 Print Spooler Exploitation
id: f34d942d-c8c4-4f1f-b196-22471aecf10a
status: test
description: Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
references:
    - https://twitter.com/MalwareJake/status/1410421967463731200
author: Florian Roth (Nextron Systems)
date: 2021-07-01
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1569
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    product: windows
    service: printservice-operational
detection:
    selection:
        EventID: 316
    keywords:
        - 'UNIDRV.DLL, kernelbase.dll, '
        - ' 123 '
        - ' 1234 '
        - 'mimispool'
    condition: selection and keywords
falsepositives:
    - Unknown
level: critical
critical
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
status: test
description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
references:
    - https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
    - https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
    - https://github.com/cube0x0/CVE-2021-1675
author: Florian Roth (Nextron Systems)
date: 2021-06-29
modified: 2022-12-25
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.resource-development
    - attack.t1587
    - cve.2021-1675
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CVE-2021-1675 Print Spooler Exploitation IPC Access
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
title: CVE-2021-1675 Print Spooler Exploitation IPC Access
id: 8fe1c584-ee61-444b-be21-e9054b229694
status: test
description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
references:
    - https://twitter.com/INIT_3/status/1410662463641731075
author: INIT_6
date: 2021-07-02
modified: 2022-10-05
tags:
    - attack.execution
    - attack.t1569
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName: 'spoolss'
        AccessMask: '0x3'
        ObjectType: 'File'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CVE-2021-31979 CVE-2021-33771 Exploits
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S, frack113
date: 2021-07-16
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.execution
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith:
            - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
            - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
    filter:
        Details|endswith:
            - system32\wbem\wmiutils.dll
            - system32\wbem\wbemsvc.dll
    condition: selection and not filter
falsepositives:
    - Unlikely
level: critical
critical
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
title: CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
id: ad7085ac-92e4-4b76-8ce2-276d2c0e68ef
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
    - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
author: Sittikorn S
date: 2021-07-16
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.credential-access
    - attack.t1566
    - attack.t1203
    - cve.2021-33771
    - cve.2021-31979
    - detection.emerging-threats
    # - threat_group.Sourgum
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'C:\Windows\system32\physmem.sys'
            - 'C:\Windows\System32\IME\IMEJP\imjpueact.dll'
            - 'C:\Windows\system32\ime\IMETC\IMTCPROT.DLL'
            - 'C:\Windows\system32\ime\SHARED\imecpmeid.dll'
            - 'C:\Windows\system32\config\spp\ServiceState\Recovery\pac.dat'
            - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat'
            - 'C:\Windows\system32\config\config\startwus.dat'
            - 'C:\Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'C:\Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'C:\Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
CVE-2021-33766 Exchange ProxyToken Exploitation
Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
title: CVE-2021-33766 Exchange ProxyToken Exploitation
id: 56973b50-3382-4b56-bdf5-f51a3183797a
status: test
description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
references:
    - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-33766
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_1:
        cs-method: 'POST'
        cs-uri-query|contains|all:
            - '/ecp/'
            - '/RulesEditor/InboxRules.svc/NewObject'
        sc-status: 500
    selection_2:
        cs-uri-query|contains|all:
            - 'SecurityToken='
            - '/ecp/'
        sc-status: 500
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
title: CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
id: fcbb4a77-f368-4945-b046-4499a1da69d1
status: test
description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
references:
    - https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/
    - https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
    - https://us-cert.cisa.gov/ncas/alerts/aa21-259a
author: Sittikorn S, Nuttakorn Tungpoonsup
date: 2021-09-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
    - cve.2021-40539
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
detection:
    selection:
        cs-uri-query|contains:
            - '/help/admin-guide/Reports/ReportGenerate.jsp'
            - '/RestAPI/LogonCustomization'
            - '/RestAPI/Connection'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CVE-2023-23397 Exploitation Attempt
Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: test
description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023-03-16
modified: 2023-03-22
references:
    - https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
tags:
    - attack.credential-access
    - attack.initial-access
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    service: security
    product: windows
    definition: 'Requirements: SACLs must be enabled for "Query Value" on the registry keys used in this rule'
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ProcessName|endswith: '\OUTLOOK.EXE'
        # Example: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet001\Services\WebClient\NetworkProvider
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'Services\'
        ObjectName|endswith:
            - 'WebClient\NetworkProvider'
            - 'LanmanWorkstation\NetworkProvider'
        AccessList|contains: '%%4416' # "Query key value"
    condition: selection
falsepositives:
    - Searchprotocolhost.exe likes to query these registry keys. To avoid false positives, it's better to filter out those events before they reach the SIEM
level: critical
critical
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
related:
    - id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
      type: similar
status: test
description: |
    This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
    This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.cve.org/CVERecord?id=CVE-2024-1708
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Matt Anderson, Caleb Stewart, Huntress
date: 2024-02-20
tags:
    - attack.initial-access
    - attack.persistence
    - cve.2024-1708
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ProcessName|contains: 'ScreenConnect.Service.exe'
        AccessMask: '0x6'
        ObjectName|endswith:
            - 'ScreenConnect\\App_Extensions\\*.ashx'
            - 'ScreenConnect\\App_Extensions\\*.aspx'
    filter_main_legit_extension:
        ObjectName|contains: 'ScreenConnect\App_Extensions\\*\\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: critical
critical
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
id: d27eabad-9068-401a-b0d6-9eac744d6e67
status: test
description: |
    Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
author: Matt Anderson, Huntress
date: 2024-02-20
tags:
    - attack.initial-access
    - attack.persistence
    - cve.2024-1709
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains: '/SetupWizard.aspx/'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
falsepositives:
    - Unlikely
level: critical
critical
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
title: Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
id: 0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7
status: test
description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
references:
    - https://support.citrix.com/article/CTX276688
    - https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/
    - https://dmaasland.github.io/posts/citrix.html
author: Florian Roth (Nextron Systems)
date: 2020-07-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-8193
    - cve.2020-8195
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains: '/rapi/filedownload?filter=path:%2F'
    selection2:
        cs-uri-query|contains|all:
            - '/pcidss/report'
            - 'type=all_signatures'
            - 'sig_name=_default_signature_'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
Citrix Netscaler Attack CVE-2019-19781
Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
title: Citrix Netscaler Attack CVE-2019-19781
id: ac5a6409-8c89-44c2-8d64-668c29a2d756
status: test
description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
references:
    - https://support.citrix.com/article/CTX267679
    - https://support.citrix.com/article/CTX267027
    - https://isc.sans.edu/diary/25686
    - https://twitter.com/mpgn_x64/status/1216787131210829826
    - https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
author: Arnim Rupp, Florian Roth
date: 2020-01-02
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2019-19781
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.'
detection:
    selection_cs:
        - cs-uri-query|contains: '/../vpns/'
        - cs-uri-query|endswith: '/vpns/cfg/smb.conf'
    selection_csall:
        cs-uri-query|contains|all:
            - '/vpns/portal/scripts/'
            - '.pl'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection1:
        query|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
      type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
    - https://twitter.com/d4rksystem/status/1357010969264873472
    - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
    - https://github.com/SigmaHQ/sigma/issues/253
    - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-25
modified: 2022-10-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection_MSSE:
        PipeName|contains|all:
            - '\MSSE-'
            - '-server'
    selection_postex:
        PipeName|startswith: '\postex_' # Also include the pipe "\postex_ssh_"
    selection_status:
        PipeName|startswith: '\status_'
    selection_msagent:
        PipeName|startswith: '\msagent_'
    selection_mojo:
        PipeName|startswith: '\mojo_'
    selection_interprocess:
        PipeName|startswith: '\interprocess_'
    selection_samr:
        PipeName|startswith: '\samr_'
    selection_netlogon:
        PipeName|startswith: '\netlogon_'
    selection_srvsvc:
        PipeName|startswith: '\srvsvc_'
    selection_lsarpc:
        PipeName|startswith: '\lsarpc_'
    selection_wkssvc:
        PipeName|startswith: '\wkssvc_'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
      type: similar
status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
        - PipeName|re: '\\wkssvc_?[0-9a-f]{2}'
        - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
        - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
        - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
        - PipeName|re: '\\mypipe-(?:f|h)[0-9a-f]{2}'
        - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}'
        - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
        - PipeName|re: '\\scerpc_?[0-9a-f]{2}'
        - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
        - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
        - PipeName|re: '\\f4c3[0-9a-f]{2}'
        - PipeName|re: '\\fullduplex_[0-9a-f]{2}'
        - PipeName|re: '\\msrpc_[0-9a-f]{4}'
        - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
        - PipeName|re: '\\f53f[0-9a-f]{2}'
        - PipeName|re: '\\rpc_[0-9a-f]{2}'
        - PipeName|re: '\\spoolss_[0-9a-f]{2}'
        - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical
critical
Confluence Exploitation CVE-2019-3398
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
title: Confluence Exploitation CVE-2019-3398
id: e9bc39ae-978a-4e49-91ab-5bd481fc668b
status: test
description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
references:
    - https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2019-3398
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains|all:
            - '/upload.action'
            - 'filename=../../../../'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CosmicDuke Service Installation
Detects the installation of a service named "javamtsup" on the system.
The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
title: CosmicDuke Service Installation
id: cb062102-587e-4414-8efa-dbe3c7bf19c6
related:
    - id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a
      type: derived
status: test
description: |
    Detects the installation of a service named "javamtsup" on the system.
    The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
references:
    - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)
date: 2017-03-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1543.003
    - attack.t1569.002
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: 'javamtsup'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: test
description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
references:
    - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
    - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth (Nextron Systems)
date: 2020-07-15
modified: 2022-07-12
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1569.002
    - cve.2020-1350
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\System32\dns.exe'
    filter:
        Image|endswith:
            - '\System32\werfault.exe'
            - '\System32\conhost.exe'
            - '\System32\dnscmd.exe'
            - '\System32\dns.exe'
    condition: selection and not filter
falsepositives:
    - Unknown but benign sub processes of the Windows DNS service dns.exe
level: critical
critical
DarkSide Ransomware Pattern
Detects DarkSide Ransomware and helpers
title: DarkSide Ransomware Pattern
id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c
status: test
description: Detects DarkSide Ransomware and helpers
references:
    - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
    - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/
    - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
author: Florian Roth (Nextron Systems)
date: 2021-05-14
tags:
    - attack.execution
    - attack.t1204
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - '=[char][byte](''0x''+'
            - ' -work worker0 -path '
    selection2:
        ParentCommandLine|contains: 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
        Image|contains: '\AppData\Local\Temp\'
    condition: 1 of selection*
falsepositives:
    - Unknown
    - UAC bypass method used by other malware
level: critical
critical
DiagTrackEoP Default Login Username
Detects the default "UserName" used by the DiagTrackEoP POC
title: DiagTrackEoP Default Login Username
id: 2111118f-7e46-4fc8-974a-59fd8ec95196
status: test
description: Detects the default "UserName" used by the DiagTrackEoP POC
references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        TargetOutboundUserName: 'thisisnotvaliduser'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Diamond Sleet APT Scheduled Task Creation
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
title: Diamond Sleet APT Scheduled Task Creation
id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
status: test
description: |
    Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
references:
    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-24
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
    - detection.emerging-threats
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID: 4698
        TaskName: '\Windows TeamCity Settings User Interface'
        TaskContent|contains: 'uTYNkfKxHiZrx3KJ'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
title: Droppers Exploiting CVE-2017-11882
id: 678eb5f4-8597-4be6-8be7-905e4234b53a
status: stable
description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
references:
    - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
    - https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-
    - https://github.com/embedi/CVE-2017-11882
author: Florian Roth (Nextron Systems)
date: 2017-11-23
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1203
    - attack.t1204.002
    - attack.initial-access
    - attack.t1566.001
    - cve.2017-11882
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EQNEDT32.EXE'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: test
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2022-06-17
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine|contains: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
title: Elise Backdoor Activity
id: e507feb7-5f73-4ef6-a970-91bb6f6d744f
status: test
description: Detects Elise backdoor activity used by APT32
references:
    - https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting
    - https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-01-31
modified: 2023-03-09
tags:
    - attack.g0030
    - attack.g0050
    - attack.s0081
    - attack.execution
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_svchost:
        Image|endswith: '\Microsoft\Network\svchost.exe'
    selection_other_del:
        CommandLine|contains|all:
            - '\Windows\Caches\NavShExt.dll'
            - '/c del'
    selection_dll_path:
        CommandLine|endswith:
            - '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll'
            - '\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll'
    selection_dll_function:
        CommandLine|contains: ',Setting'
    condition: 1 of selection_other_* or all of selection_dll_*
falsepositives:
    - Unlikely
level: critical
critical
Equation Group DLL_U Export Function Load
Detects a specific export function name used by one of EquationGroup tools
title: Equation Group DLL_U Export Function Load
id: d465d1d8-27a2-4cca-9621-a800f37cf72e
status: stable
description: Detects a specific export function name used by one of EquationGroup tools
references:
    - https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=
    - https://twitter.com/cyb3rops/status/972186477512839170
author: Florian Roth (Nextron Systems)
date: 2019-03-04
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.g0020
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: '-export dll_u'
        - CommandLine|endswith:
            - ',dll_u'
            - ' dll_u'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
EvilNum APT Golden Chickens Deployment Via OCX Files
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
title: EvilNum APT Golden Chickens Deployment Via OCX Files
id: 8acf3cfa-1e8c-4099-83de-a0c4038e18f0
status: test
description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
references:
    - https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
    - https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
author: Florian Roth (Nextron Systems)
date: 2020-07-10
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'regsvr32'
            - '/s'
            - '/i'
            - '\AppData\Roaming\'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Exchange Exploitation CVE-2021-28480
Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
title: Exchange Exploitation CVE-2021-28480
id: a2a9d722-0acb-4096-bccc-daaf91a5037b
status: test
description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
references:
    - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
author: Florian Roth (Nextron Systems)
date: 2021-05-14
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-28480
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/owa/calendar/a'
        cs-method: 'POST'
    filter_main_status:
        sc-status: 503
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical