SOAR
Panther
1,713 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,713
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
view Sigma YAML
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
view Sigma YAML
title: UEFI Persistence Via Wpbbin - ProcessCreation
id: 4abc0ec4-db5a-412f-9632-26659cddf145
status: test
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
view Sigma YAML
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
date: 2021-01-22
modified: 2024-09-12
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
# - sunburst
# - unc2452
logsource:
category: process_creation
product: windows
detection:
# To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
selection_generic_1:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.txt'
selection_generic_2:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.log'
selection_generic_3:
ParentCommandLine|contains|all:
- 'wscript.exe'
- '.vbs'
CommandLine|contains|all:
- 'rundll32.exe'
- 'C:\Windows'
- '.dll,Tk_'
selection_generic_4:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- 'C:\Windows'
- '.dll'
CommandLine|contains: 'cmd.exe /C '
selection_generic_5:
ParentImage|endswith: '\rundll32.exe'
Image|endswith: '\dllhost.exe'
CommandLine: ''
condition: 1 of selection_generic_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
modified: 2025-08-19
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith:
- '/11111.tar'
- '/aacore.sh'
- '/appcheck.sh'
- '/autoins'
- '/BarracudaMailService'
- '/etc/cron.daily/core_check.sh'
- '/etc/cron.daily/core.sh'
- '/etc/cron.hourly/aacore.sh'
- '/etc/cron.hourly/appcheck.sh'
- '/etc/cron.hourly/core.sh'
- '/get_fs_info.pl'
- '/imgdata.jpg'
- '/install_att_v2.tar'
- '/install_bvp74_auth.tar'
- '/install_helo.tar'
- '/install_reuse.tar'
- '/intent_helo'
- '/intent_reuse'
- '/intentbas'
# - '/mknod'
- '/mod_attachment.lua'
- '/mod_content.lua'
- '/mod_require_helo.lua'
- '/mod_rtf'
- '/mod_sender.lua'
- '/mod_udp.so'
- '/nfsd_stub.ko'
- '/resize_reisertab'
- '/resize_risertab'
- '/resize2fstab'
- '/rverify'
- '/saslautchd'
- '/sendscd'
- '/snapshot.tar'
- '/tmp/p'
- '/tmp/p7'
- '/tmp/t'
- '/update_v2.sh'
- '/update_v31.sh'
- '/update_v35.sh'
- '/update_version'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
status: test
description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|contains: 'https://temp.sh/'
CommandLine|endswith:
- '.rar'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
id: 23835beb-ec38-4e74-a5d4-b99af6684e91
status: test
description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains: '--no-check-certificate'
CommandLine|endswith: '.tar'
filter_main_local_ips:
# Note: Uncomment this filter if you want to exclude local IPs
CommandLine|contains:
- 'https://10.' # 10.0.0.0/8
- 'https://192.168.' # 192.168.0.0/16
- 'https://172.16.' # 172.16.0.0/12
- 'https://172.17.'
- 'https://172.18.'
- 'https://172.19.'
- 'https://172.20.'
- 'https://172.21.'
- 'https://172.22.'
- 'https://172.23.'
- 'https://172.24.'
- 'https://172.25.'
- 'https://172.26.'
- 'https://172.27.'
- 'https://172.28.'
- 'https://172.29.'
- 'https://172.30.'
- 'https://172.31.'
- 'https://127.' # 127.0.0.0/8
- 'https://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
view Sigma YAML
title: UNC4841 - Email Exfiltration File Pattern
id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
status: test
description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
view Sigma YAML
title: UNC4841 - SSL Certificate Exfiltration Via Openssl
id: 60911c07-f989-4362-84af-c609828ef829
status: test
description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/openssl'
CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains|all:
- 's_client'
- '-quiet'
- '-connect'
CommandLine|contains:
- ':443'
- ':8080'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
view Sigma YAML
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|contains: '\choice'
filter_main_legit_location:
Image|endswith:
- 'C:\Windows\System32\choice.exe'
- 'C:\Windows\SysWOW64\choice.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
view Sigma YAML
title: Uncommon Extension In Keyboard Layout IME File Registry Value
id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
related:
- id: 9d8f9bb8-01af-4e15-a3a2-349071530530
type: derived
status: test
description: |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Control\Keyboard Layouts\'
- 'Ime File'
filter_main_known_extension:
Details|endswith: '.ime'
condition: selection and not 1 of filter_main_*
falsepositives:
- IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
view Sigma YAML
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
- attack.resource-development
- attack.t1587.001
logsource:
product: windows
category: file_event
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
filter_exclude_word_ext:
TargetFilename|endswith:
- '.docb' # Word binary document introduced in Microsoft Office 2007
- '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- '.docx' # Word document
- '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- '.mdb' # MS Access DB
- '.mdw' # MS Access DB
- '.pdf' # PDF documents
- '.wll' # Word add-in
- '.wwl' # Word add-in
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
filter_exclude_excel_ext:
TargetFilename|endswith:
- '.xll'
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
- '.xlw'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
- False positive might stem from rare extensions used by other Office utilities.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
view Sigma YAML
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_legit_paths:
TargetFilename|startswith:
- 'C:\Program Files\Notepad++\'
- 'C:\Program Files (x86)\Notepad++\'
filter_main_temp_update_installer:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- 'npp.'
- '.Installer.'
- '.exe'
filter_main_temp_generic_zip:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip'
filter_main_recycle_bin:
TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
filter_main_plugins:
- TargetFilename|contains:
- '\plugins\JsonTools\testfiles\'
- '\Notepad++\plugins\ComparePlugin\'
- TargetFilename|contains|all:
- 'npp.'
- '.portable.'
- '\plugins\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Custom or portable Notepad++ installations in non-standard directories.
- Legitimate update processes creating temporary files in unexpected locations.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
view Sigma YAML
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
- https://asec.ahnlab.com/en/58878/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- \mysqld.exe
- \mysqld-nt.exe
TargetFilename|endswith:
- '.bat'
- '.dat'
- '.dll'
- '.exe'
- '.ps1'
- '.psm1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
view Sigma YAML
title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: |
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2024-05-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\format.com'
CommandLine|contains: '/fs:'
filter_main_known_fs:
CommandLine|contains:
- '/fs:exFAT'
- '/fs:FAT'
- '/fs:NTFS'
- '/fs:ReFS'
- '/fs:UDF'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
view Sigma YAML
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
view Sigma YAML
title: Uncommon Network Connection Initiated By Certutil.EXE
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: test
description: |
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth (Nextron Systems)
date: 2022-09-02
modified: 2024-05-31
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
Initiated: 'true'
DestinationPort:
- 80
- 135
- 443
- 445
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
view Sigma YAML
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains:
- 'wscript'
- 'vbscript'
- 'cscript'
- 'wmic '
- 'wmic.exe'
- 'regsvr32.exe'
- 'powershell'
- '\AppData\'
selection_time:
CommandLine|contains|all:
- 'once'
- '00:00'
condition: all of selection_*
falsepositives:
- Software installation
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
view Sigma YAML
title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036.005
- attack.t1055
- attack.t1055.012
logsource:
category: process_creation
product: windows
detection:
selection:
# Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
Image|endswith: '\svchost.exe'
filter_main_flags:
CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
filter_optional_defender:
ParentImage|endswith: '\MsMpEng.exe'
CommandLine|contains: 'svchost.exe'
filter_optional_mrt:
ParentImage|endswith: '\MRT.exe'
CommandLine: 'svchost.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
view Sigma YAML
title: Uncommon Userinit Child Process
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
related:
- id: 21d856f9-9281-4ded-9377-51a1a6e2a432
type: similar
status: test
description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
references:
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
- https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019-01-12
modified: 2023-11-14
tags:
- attack.privilege-escalation
- attack.t1037.001
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter_main_explorer:
Image|endswith: ':\WINDOWS\explorer.exe'
filter_optional_logonscripts:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
filter_optional_windows_core:
# Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe".
# https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
CommandLine: 'PowerShell.exe'
filter_optional_proquota:
Image|endswith:
- ':\Windows\System32\proquota.exe'
- ':\Windows\SysWOW64\proquota.exe'
filter_optional_citrix:
Image|endswith:
# As reported by https://github.com/SigmaHQ/sigma/issues/4569
- ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\System32\icast.exe'
- ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\System32\icast.exe'
filter_optional_image_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
view Sigma YAML
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unfamiliarFeatures'
condition: selection
falsepositives:
- User changing to a new device, location, browser, etc.
level: high
Convert to SIEM query
high
Moderate
High FP
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
view Sigma YAML
title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021-07-12
modified: 2023-03-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\WindowsSensor.exe'
- ' /uninstall'
- ' /quiet'
condition: selection
falsepositives:
- Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
level: high
Convert to SIEM query
high
Strong
High FP
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
view Sigma YAML
title: Uninstall Sysinternals Sysmon
id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
status: test
description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
author: frack113
date: 2022-01-12
modified: 2024-03-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith:
- \Sysmon64.exe
- \Sysmon.exe
- Description: 'System activity monitor'
selection_cli:
CommandLine|contains|windash: '-u'
condition: all of selection_*
falsepositives:
- Legitimate administrators might use this command to remove Sysmon for debugging purposes
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
view Sigma YAML
title: Unsigned Binary Loaded From Suspicious Location
id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
status: test
description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: security-mitigations
detection:
selection:
EventID:
- 11
- 12
ImageName|contains:
- '\Users\Public\'
- '\PerfLogs\'
- '\Desktop\'
- '\Downloads\'
- '\AppData\Local\Temp\'
- 'C:\Windows\TEMP\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
view Sigma YAML
title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
- id: d2605a99-2218-4894-8fd3-2afb7946514d
type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
SignatureStatus: 'Valid'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\dns.exe'
filter:
Image|endswith: '\conhost.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
- id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
view Sigma YAML
title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: test
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
- https://labs.withsecure.com/publications/detecting-onenote-abuse
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-10
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
- '.exe:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.cmd:Zone'
- '.hta:Zone'
- '.xll:Zone'
- '.lnk:Zone'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
- id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_change
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Ursnif Malware Download URL Pattern
Detects download of Ursnif malware done by dropper documents.
view Sigma YAML
title: Ursnif Malware Download URL Pattern
id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
status: stable
description: Detects download of Ursnif malware done by dropper documents.
references:
- https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
author: Thomas Patzke
date: 2019-12-19
modified: 2022-08-15
logsource:
category: proxy
tags:
- attack.command-and-control
- attack.t1071.001
- detection.emerging-threats
detection:
selection:
c-uri|contains|all:
- '/'
- '.php\?l='
c-uri|endswith: '.cab'
sc-status: 200
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
view Sigma YAML
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
status: test
description: |
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
references:
- Internal Research
author: '@kostastsale'
date: 2023-07-16
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/C '
- ' >> *\AppData\local\temp\*.bin'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
view Sigma YAML
title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: f50f3c09-557d-492d-81db-9064a8d4e211
type: similar
status: test
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
TargetObject|endswith: '\EulaAccepted'
filter_main_image_names:
Image|endswith:
- '\PsExec.exe'
- '\PsExec64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
filter_optional_null:
Image: null # Race condition with some logging tools
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Low FP
Use of Legacy Authentication Protocols
Alert on when legacy authentication has been used on an account
view Sigma YAML
title: Use of Legacy Authentication Protocols
id: 60f6535a-760f-42a9-be3f-c9a0a025906e
status: test
description: Alert on when legacy authentication has been used on an account
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
ActivityDetails: Sign-ins
ClientApp:
- Other client
- IMAP
- POP3
- MAPI
- SMTP
- Exchange ActiveSync
- Exchange Web Services
Username: 'UPN'
condition: selection
falsepositives:
- User has been put in acception group so they can use legacy authentication
level: high
Convert to SIEM query
high
Strong
High FP
Use of W32tm as Timer
When configured with suitable command line arguments, w32tm can act as a delay mechanism
view Sigma YAML
title: Use of W32tm as Timer
id: 6da2c9f5-7c53-401b-aacb-92c040ce1215
status: test
description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
references:
- https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md
- https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
author: frack113
date: 2022-09-25
tags:
- attack.discovery
- attack.t1124
logsource:
category: process_creation
product: windows
detection:
selection_w32tm:
- Image|endswith: '\w32tm.exe'
- OriginalFileName: 'w32time.dll'
selection_cmd:
CommandLine|contains|all:
- '/stripchart'
- '/computer:'
- '/period:'
- '/dataonly'
- '/samples:'
condition: all of selection_*
falsepositives:
- Legitimate use
level: high
Convert to SIEM query
high
Strong
High FP
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
view Sigma YAML
title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
- id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
type: similar
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
# net.exe
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
# powershell.exe
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Group Policy Creator Owners'
- 'Schema Admins'
condition: all of selection_*
falsepositives:
- Administrative activity that must be investigated
level: high
Convert to SIEM query
high
Moderate
Medium FP
User Added To Privilege Role
Detects when a user is added to a privileged role.
view Sigma YAML
title: User Added To Privilege Role
id: 49a268a4-72f4-4e38-8a7b-885be690c5b5
status: test
description: Detects when a user is added to a privileged role.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-06
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add eligible member (permanent)
- Add eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of adding members from a role
level: high
Convert to SIEM query
high
Strong
High FP
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
view Sigma YAML
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
- attack.initial-access
- attack.persistence
- attack.lateral-movement
- attack.t1133
- attack.t1136.001
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Moderate
Low FP
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
view Sigma YAML
title: User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
id: 6daac7fc-77d1-449a-a71a-e6b4d59a0e54
status: test
description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
- attack.credential-access
- attack.lateral-movement
- attack.privilege-escalation
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4673
Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' # failure
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
User Risk and MFA Registration Policy Updated
Detects changes and updates to the user risk and MFA registration policy.
Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
view Sigma YAML
title: User Risk and MFA Registration Policy Updated
id: d4c7758e-9417-4f2e-9109-6125d66dabef
status: test
description: |
Detects changes and updates to the user risk and MFA registration policy.
Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-13
tags:
- attack.persistence
logsource:
product: azure
service: auditlogs
detection:
selection:
LoggedByService: 'AAD Management UX'
Category: 'Policy'
OperationName: 'Update User Risk and MFA Registration Policy'
condition: selection
falsepositives:
- Known updates by administrators.
level: high
Convert to SIEM query
high
Moderate
Medium FP
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
view Sigma YAML
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
- id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
type: similar
status: experimental
description: |
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
- https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1547.001
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add ' # reg.exe modification
- 'New-ItemProperty'
- 'Set-ItemProperty'
- 'si ' # short for Set-ItemProperty
selection_cli_paths_root:
CommandLine|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
- '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
selection_cli_paths_suffix:
CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
condition: all of selection_*
falsepositives:
- Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
- type: atomic-red-team
name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
technique: T1547.001
atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
Convert to SIEM query
high
Moderate
Medium FP
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
view Sigma YAML
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: test
description: Monitor and alert for users added to device admin roles.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: RoleManagement
OperationName|contains|all:
- 'Add'
- 'member to role'
TargetResources|contains:
- '7698a772-787b-4ac8-901f-60d6b08affd2'
- '62e90394-69f5-4237-9190-012177145e10'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run hijacked binary
view Sigma YAML
title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.008
logsource:
category: process_creation
product: windows
detection:
system_utility:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
parent_is_settingsynchost:
ParentCommandLine|contains|all:
- 'cmd.exe /c'
- 'RoamDiag.cmd'
- '-outputpath'
condition: not system_utility and parent_is_settingsynchost
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
view Sigma YAML
title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|endswith:
- '\VBE7.DLL'
- '\VBEUI.DLL'
- '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
Convert to SIEM query
high
Strong
Medium FP
VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
view Sigma YAML
title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
Details|contains:
- 'vbscript:'
- 'jscript:'
- 'mshtml,'
- 'RunHTMLApplication'
- 'Execute('
- 'CreateObject'
- 'window.close'
filter:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
filter_dotnet:
Image|endswith: '\msiexec.exe'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
Details|contains:
- '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
- '<\Microsoft.mshtml,fileVersion='
- '_mshtml_dll_'
- '<\Microsoft.mshtml,culture='
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
VMMap Unsigned Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
view Sigma YAML
title: VMMap Unsigned Dbghelp.DLL Potential Sideloading
id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
related:
- id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
type: similar
status: test
description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
references:
- https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2023-09-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll'
Image|endswith:
- '\vmmap.exe'
- '\vmmap64.exe'
filter_main_signed:
Signed: 'true'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
VMToolsd Suspicious Child Process
Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
view Sigma YAML
title: VMToolsd Suspicious Child Process
id: 5687f942-867b-4578-ade7-1e341c46e99a
status: test
description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png
- https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
author: bohops, Bhabesh Raj
date: 2021-10-08
modified: 2023-07-25
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\vmtoolsd.exe'
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'cscript.exe'
- 'MSHTA.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'REGSVR32.EXE'
- 'RUNDLL32.EXE'
- 'wscript.exe'
filter_main_vmwaretools_script:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '\VMware\VMware Tools\poweron-vm-default.bat'
- '\VMware\VMware Tools\poweroff-vm-default.bat'
- '\VMware\VMware Tools\resume-vm-default.bat'
- '\VMware\VMware Tools\suspend-vm-default.bat'
filter_main_empty:
Image|endswith: '\cmd.exe'
CommandLine: ''
filter_main_null:
Image|endswith: '\cmd.exe'
CommandLine: null
condition: all of selection* and not 1 of filter_main_*
falsepositives:
- Legitimate use by VM administrator
level: high
Convert to SIEM query
high
Moderate
Medium FP
VMware vCenter Server File Upload CVE-2021-22005
Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
view Sigma YAML
title: VMware vCenter Server File Upload CVE-2021-22005
id: b014ea07-8ea0-4859-b517-50a4e5b7ecec
status: test
description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
references:
- https://kb.vmware.com/s/article/85717
- https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
author: Sittikorn S
date: 2021-09-24
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2021-22005
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|contains: '/analytics/telemetry/ph/api/hyper/send?'
condition: selection
falsepositives:
- Vulnerability Scanning
level: high
Convert to SIEM query
high
Moderate
High FP
Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
view Sigma YAML
title: Veeam Backup Servers Credential Dumping Script Execution
id: 976d6e6f-a04b-4900-9713-0134a353e38b
status: test
description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
references:
- https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.credential-access
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- '[Credentials]'
- '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
- 'Invoke-Sqlcmd'
- 'Veeam Backup and Replication'
condition: selection
falsepositives:
- Administrators backup scripts (must be investigated)
level: high
Convert to SIEM query
high
Moderate
High FP
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
view Sigma YAML
title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-02-13
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Vim GTFOBin Abuse - Linux
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/vi/
- https://gtfobins.github.io/gtfobins/vim/
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems), Luc Génaux
date: 2022-12-28
modified: 2026-06-05
tags:
- attack.execution
- attack.discovery
- attack.t1059
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rvim'
- '/vi'
- '/vim'
- '/vimdiff'
CommandLine|contains:
- ' --cmd '
- ' -c'
selection_cli:
CommandLine|contains:
- ':!/'
- ':!$'
- ':!..'
- ':lua '
- ':py '
- ':shell'
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/csh'
- '/bin/ksh'
- '/bin/zsh'
- '/bin/tmux'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Visual Basic Command Line Compiler Usage
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
view Sigma YAML
title: Visual Basic Command Line Compiler Usage
id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
status: test
description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Vbc/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\vbc.exe'
Image|endswith: '\cvtres.exe'
condition: selection
falsepositives:
- Utilization of this tool should not be seen in enterprise environment
level: high
Convert to SIEM query
Showing 1601-1650 of 1,713