SOAR
Panther
1,490 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,490
medium
Moderate
Medium FP
Uncommon Link.EXE Parent Process
Detects an uncommon parent process of "LINK.EXE".
Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
view Sigma YAML
title: Uncommon Link.EXE Parent Process
id: 6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6
status: test
description: |
Detects an uncommon parent process of "LINK.EXE".
Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation.
Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity.
This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location.
By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
references:
- https://twitter.com/0gtweet/status/1560732860935729152
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2024-06-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\link.exe'
CommandLine|contains: 'LINK /' # Hardcoded command line when we call tools like dumpbin.exe, editbin.exe, lib.exe...etc
# Add other filters for other legitimate locations
filter_main_visual_studio:
ParentImage|startswith:
- 'C:\Program Files\Microsoft Visual Studio\'
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
ParentImage|contains:
- '\VC\bin\'
- '\VC\Tools\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
view Sigma YAML
title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: test
description: Detects when a rule has been added to the Windows Firewall exception list
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113
date: 2022-02-19
modified: 2025-10-08
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2004 # A rule has been added to the Windows Defender Firewall exception list
- 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
- 2097
filter_main_block:
Action: 2 # Block
filter_main_generic:
ApplicationPath|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
filter_main_covered_paths:
# This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
ApplicationPath|contains:
- 'C:\PerfLogs\'
- 'C:\Temp\'
- 'C:\Tmp\'
- 'C:\Users\Public\'
- 'C:\Windows\Tasks\'
- 'C:\Windows\Temp\'
- '\AppData\Local\Temp\'
filter_main_system_dllhost:
ApplicationPath: 'System'
ModifyingApplication: 'C:\Windows\System32\dllhost.exe'
filter_main_tiworker:
ModifyingApplication|startswith: 'C:\Windows\WinSxS\'
ModifyingApplication|endswith: '\TiWorker.exe'
filter_main_null:
ApplicationPath: null
filter_optional_no_path:
# This filter filters a lot of FPs related to Windows Services
ModifyingApplication:
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\dllhost.exe'
ApplicationPath: ''
filter_optional_msmpeng:
- ModifyingApplication|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
ModifyingApplication|endswith: '\MsMpEng.exe'
- ApplicationPath|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
ApplicationPath|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Outbound Kerberos Connection
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
view Sigma YAML
title: Uncommon Outbound Kerberos Connection
id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
related:
- id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
type: similar
status: test
description: |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
- attack.credential-access
- attack.t1558
- attack.lateral-movement
- attack.t1550.003
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 88
Initiated: 'true'
filter_main_lsass:
Image: 'C:\Windows\System32\lsass.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tomcat:
Image|endswith: '\tomcat\bin\tomcat8.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
view Sigma YAML
title: Uncommon Outbound Kerberos Connection - Security
id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350
related:
- id: e54979bd-c5f9-4d6c-967b-a04b19ac4c74
type: similar
status: test
description: |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
references:
- https://github.com/GhostPack/Rubeus
author: Ilyas Ochkov, oscd.community
date: 2019-10-24
modified: 2024-03-15
tags:
- attack.lateral-movement
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort: 88
filter_main_lsass:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith: '\Windows\System32\lsass.exe'
filter_optional_chrome:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith:
- '\Program Files (x86)\Google\Chrome\Application\chrome.exe'
- '\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Application|startswith:
- '\device\harddiskvolume'
- 'C:'
Application|endswith:
- '\Program Files (x86)\Mozilla Firefox\firefox.exe'
- '\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tomcat:
Application|endswith: '\tomcat\bin\tomcat8.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Web Browsers and third party application might generate similar activity. An initial baseline is required.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Uncommon PowerShell Hosts
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
view Sigma YAML
title: Uncommon PowerShell Hosts
id: d7326048-328b-4d5e-98af-86e84b17c765
related:
- id: 64e8e417-c19a-475a-8d19-98ea705394cc
type: derived
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
- https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2025-10-22
tags:
- attack.execution
- attack.t1059.001
- detection.threat-hunting
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'HostApplication='
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer ammount of possibilities. It's up to the user to add these cases.
filter_main_ps:
Data|contains:
- 'HostApplication=?:/Windows/System32/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
- 'HostApplication=?:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' # In some cases powershell was invoked with inverted slashes
- 'HostApplication=?:\Windows\System32\sdiagnhost.exe'
- 'HostApplication=?:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=?:\Windows\SysWOW64\sdiagnhost.exe'
- 'HostApplication=?:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=powershell'
filter_optional_citrix:
Data|contains: 'Citrix\ConfigSync\ConfigSync.ps1'
filter_optional_hexnode:
Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter
- MSP Detection Searcher
- Citrix ConfigSync.ps1
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
view Sigma YAML
title: Uncommon Service Installation Image Path
id: 26481afe-db26-4228-b264-25a29fe6efc7
related:
- id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
type: obsolete
- id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
type: derived
status: test
description: |
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-18
modified: 2024-02-09
tags:
- attack.persistence
- attack.privilege-escalation
- car.2013-09-005
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
suspicious_paths:
ImagePath|contains:
- '\\\\.\\pipe'
- '\Users\Public\'
- '\Windows\Temp\'
suspicious_encoded_flag:
ImagePath|contains: ' -e'
suspicious_encoded_keywords:
ImagePath|contains:
- ' aQBlAHgA' # PowerShell encoded commands
- ' aWV4I' # PowerShell encoded commands
- ' IAB' # PowerShell encoded commands
- ' JAB' # PowerShell encoded commands
- ' PAA' # PowerShell encoded commands
- ' SQBFAFgA' # PowerShell encoded commands
- ' SUVYI' # PowerShell encoded commands
filter_optional_thor_remote:
ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
filter_main_defender_def_updates:
ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon Sigverif.EXE Child Process
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
view Sigma YAML
title: Uncommon Sigverif.EXE Child Process
id: 7d4aaec2-08ed-4430-8b96-28420e030e04
status: test
description: |
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
references:
- https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
- https://twitter.com/0gtweet/status/1457676633809330184
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2024-08-27
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sigverif.exe'
filter_main_werfault:
Image:
- 'C:\Windows\System32\WerFault.exe'
- 'C:\Windows\SysWOW64\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Uncommon Svchost Parent Process
Detects an uncommon svchost parent process
view Sigma YAML
title: Uncommon Svchost Parent Process
id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
status: test
description: Detects an uncommon svchost parent process
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-08-15
modified: 2022-06-28
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
filter_main_generic:
ParentImage|endswith:
- '\Mrt.exe'
- '\MsMpEng.exe'
- '\ngen.exe'
- '\rpcnet.exe'
- '\services.exe'
- '\TiWorker.exe'
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- '-'
- ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
view Sigma YAML
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: derived
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
- https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
- https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
- https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_wmic:
- Description: 'WMI Commandline Utility'
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_commands:
CommandLine|contains:
- 'LOGICALDISK get Name,Size,FreeSpace'
- 'os get Caption,OSArchitecture,Version'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Unix Shell Configuration Modification
Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
view Sigma YAML
title: Unix Shell Configuration Modification
id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
related:
- id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
type: obsolete
status: test
description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
references:
- https://objective-see.org/blog/blog_0x68.html
- https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
- https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
author: Peter Matkovski, IAI
date: 2023-03-06
modified: 2023-03-15
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.004
logsource:
product: linux
service: auditd
detection:
selection:
type: 'PATH'
name:
- '/etc/shells'
- '/etc/profile'
- '/etc/profile.d/*'
- '/etc/bash.bashrc'
- '/etc/bashrc'
- '/etc/zsh/zprofile'
- '/etc/zsh/zshrc'
- '/etc/zsh/zlogin'
- '/etc/zsh/zlogout'
- '/etc/csh.cshrc'
- '/etc/csh.login'
- '/root/.bashrc'
- '/root/.bash_profile'
- '/root/.profile'
- '/root/.zshrc'
- '/root/.zprofile'
- '/home/*/.bashrc'
- '/home/*/.zshrc'
- '/home/*/.bash_profile'
- '/home/*/.zprofile'
- '/home/*/.profile'
- '/home/*/.bash_login'
- '/home/*/.bash_logout'
- '/home/*/.zlogin'
- '/home/*/.zlogout'
condition: selection
falsepositives:
- Admin or User activity are expected to generate some false positives
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Unsigned .node File Loaded
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
view Sigma YAML
title: Unsigned .node File Loaded
id: e5f5c693-52d7-4de5-88ae-afbfbce85595
status: experimental
description: |
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
references:
- https://www.coreycburton.com/blog/driploader-case-study
- https://github.com/CoreyCBurton/DripLoaderNG
- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
author: Jonathan Beierle (@hullabrian)
date: 2025-11-22
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1129
- attack.t1574.001
- attack.t1036.005
logsource:
category: image_load
product: windows
detection:
selection_node_extension:
ImageLoaded|endswith: '.node'
selection_status:
- Signed: 'false'
- SignatureStatus: 'Unavailable'
filter_optional_vscode_jupyter:
Image|endswith: '\Code.exe'
ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
ImageLoaded|endswith:
- '\electron.napi.node'
- '\node.napi.glibc.node'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
view Sigma YAML
title: Unsigned AppX Installation Attempt Using Add-AppxPackage
id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
related:
- id: 975b2262-9a49-439d-92a6-0709cccdf0b2
type: similar
- id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
type: similar
status: test
description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
references:
- https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
- https://twitter.com/WindowsDocs/status/1620078135080325122
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-31
tags:
- attack.persistence
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Add-AppPackage '
- 'Add-AppxPackage '
selection_flag:
CommandLine|contains: ' -AllowUnsigned'
condition: all of selection_*
falsepositives:
- Installation of unsigned packages for testing purposes
level: medium
Convert to SIEM query
medium
Moderate
High FP
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
view Sigma YAML
title: Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
id: 975b2262-9a49-439d-92a6-0709cccdf0b2
related:
- id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
type: similar
- id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
type: similar
status: test
description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
references:
- https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
- https://twitter.com/WindowsDocs/status/1620078135080325122
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-31
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'Add-AppPackage '
- 'Add-AppxPackage '
selection_flag:
ScriptBlockText|contains: ' -AllowUnsigned'
condition: all of selection_*
falsepositives:
- Installation of unsigned packages for testing purposes
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
view Sigma YAML
title: Unsigned DLL Loaded by Windows Utility
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: test
description: |
Detects windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
references:
- https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion
- https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql
- https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
author: Swachchhanda Shrawan Poudel
date: 2024-02-28
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1218.011
- attack.t1218.010
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith:
# Note: Add additional utilities that allow the loading of DLLs
- '\InstallUtil.exe'
- '\RegAsm.exe'
- '\RegSvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
filter_main_signed:
Signed: 'true'
filter_main_sig_status:
SignatureStatus:
- 'errorChaining'
- 'errorCode_endpoint'
- 'errorExpired'
- 'trusted'
- 'Valid'
filter_main_signed_null:
Signed: null
filter_main_signed_empty:
Signed:
- ''
- '-'
filter_main_sig_status_null:
SignatureStatus: null
filter_main_sig_status_empty:
SignatureStatus:
- ''
- '-'
filter_main_windows_installer:
Image:
- 'C:\Windows\SysWOW64\rundll32.exe'
- 'C:\Windows\System32\rundll32.exe'
ImageLoaded|startswith: 'C:\Windows\Installer\'
ImageLoaded|endswith:
- '.tmp-\Microsoft.Deployment.WindowsInstaller.dll'
- '.tmp-\Avira.OE.Setup.CustomActions.dll'
filter_main_assembly:
Image|startswith:
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\System32\'
- 'C:\Windows\Microsoft.NET\Framework64'
Image|endswith: '\RegAsm.exe'
ImageLoaded|endswith: '.dll'
ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages'
filter_optional_klite_codec:
Image:
- 'C:\Windows\SysWOW64\regsvr32.exe'
- 'C:\Windows\System32\regsvr32.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\K-Lite Codec Pack\'
- 'C:\Program Files\K-Lite Codec Pack\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Unsigned Image Loaded Into LSASS Process
Loading unsigned image (DLL, EXE) into LSASS process
view Sigma YAML
title: Unsigned Image Loaded Into LSASS Process
id: 857c8db3-c89b-42fb-882b-f681c7cf4da2
status: test
description: Loading unsigned image (DLL, EXE) into LSASS process
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\lsass.exe'
Signed: 'false'
condition: selection
falsepositives:
- Valid user connecting using RDP
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
view Sigma YAML
title: Unsigned Module Loaded by ClickOnce Application
id: 060d5ad4-3153-47bb-8382-43e5e29eda92
status: test
description: Detects unsigned module load by ClickOnce application.
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: '@SerkinValery'
date: 2023-06-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection_path:
Image|contains: '\AppData\Local\Apps\2.0\'
selection_sig_status:
- Signed: 'false'
- SignatureStatus: 'Expired'
condition: all of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Unsigned or Unencrypted SMB Connection to Share Established
Detects SMB server connections to shares without signing or encryption enabled.
This could indicate potential lateral movement activity using unsecured SMB shares.
view Sigma YAML
title: Unsigned or Unencrypted SMB Connection to Share Established
id: 8d91f6e4-9f3b-4c21-ae41-2c5b7d9f7a12
status: experimental
description: |
Detects SMB server connections to shares without signing or encryption enabled.
This could indicate potential lateral movement activity using unsecured SMB shares.
author: Mohamed Abdelghani
date: 2025-10-19
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: smbserver-connectivity
detection:
selection_shares:
EventID: 4000
ShareName|contains:
- 'IPC$'
- 'ADMIN$'
- 'C$'
selection_status:
- SigningUsed: 'false'
- EncyptionUsed: 'false' # Note: typo in the original event field name
filter_main_local_ips:
- ClientAddress|cidr:
# IPv4
# - '10.0.0.0/8'
- '127.0.0.0/8'
- '169.254.0.0/16'
# - '172.16.0.0/12'
# - '192.168.0.0/16'
# IPv6
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
# The filters below cover the XML raw log
- ClientAddress|contains:
# IPv6
- '00000000000000000000000000000001' # ::1 - IPv6 loopback
- 'FE80000000000000' # fe80:: - IPv6 link-local addresses
- 'FC00000000000000' # fc00:: - IPv6 private addresses
# IPv4
# The "?" are meant to represent the port
# - '0200????C0A8' # 192.168.
# - '0200????AC' # 172.
# - '0200????0A' # 10.
- '0200????7F' # 127
- '0200????A9FE' # 169.254.
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Connections from local or private IP addresses to SMB shares without signing or encryption enabled for older systems or misconfigured environments. Apply additional tuning as needed.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
view Sigma YAML
title: Unusual File Download From File Sharing Websites - File Stream
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
related:
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.bat:Zone'
- '.cmd:Zone'
- '.ps1:Zone'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Unusual Parent Process For Cmd.EXE
Detects suspicious parent process for cmd.exe
view Sigma YAML
title: Unusual Parent Process For Cmd.EXE
id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
status: test
description: Detects suspicious parent process for cmd.exe
references:
- https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-21
modified: 2023-12-05
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
ParentImage|endswith:
- '\csrss.exe'
- '\ctfmon.exe'
- '\dllhost.exe'
- '\epad.exe'
- '\FlashPlayerUpdateService.exe'
- '\GoogleUpdate.exe'
- '\jucheck.exe'
- '\jusched.exe'
- '\LogonUI.exe'
- '\lsass.exe'
- '\regsvr32.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SIHClient.exe'
- '\sihost.exe'
- '\slui.exe'
- '\spoolsv.exe'
- '\sppsvc.exe'
- '\taskhostw.exe'
- '\unsecapp.exe'
- '\WerFault.exe'
- '\wermgr.exe'
- '\wlanext.exe'
- '\WUDFHost.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
view Sigma YAML
title: Usage Of Web Request Commands And Cmdlets
id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
related:
- id: 1139d2e2-84b1-4226-b445-354492eba8ba
type: similar
- id: f67dbfce-93bc-440d-86ad-a95ae8858c90
type: obsolete
- id: cd5c8085-4070-4e22-908d-a5b3342deb74
type: obsolete
- id: 6e897651-f157-4d8f-aaeb-df8151488385
type: obsolete
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
- https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
date: 2019-10-24
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '[System.Net.WebRequest]::create'
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
# - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
- 'Resume-BitsTransfer'
- 'Start-BitsTransfer'
- 'wget '
- 'WinHttp.WinHttpRequest'
condition: selection
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
view Sigma YAML
title: Usage Of Web Request Commands And Cmdlets - ScriptBlock
id: 1139d2e2-84b1-4226-b445-354492eba8ba
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019-10-24
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- '[System.Net.WebRequest]::create'
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
# - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
- 'Resume-BitsTransfer'
- 'Start-BitsTransfer'
- 'wget '
- 'WinHttp.WinHttpRequest'
filter:
Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
condition: selection and not filter
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
view Sigma YAML
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
- https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022-07-18
modified: 2024-04-29
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_icacls:
- OriginalFileName: 'iCACLS.EXE'
- Image|endswith: '\icacls.exe'
selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
CommandLine|contains|all:
- '/deny'
- '*S-1-1-0:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
view Sigma YAML
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
related:
- id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-09-21
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
- CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
view Sigma YAML
title: Use NTFS Short Name in Image
id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
- id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-06
modified: 2023-07-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1.bat'
- '~1.dll'
- '~1.exe'
- '~1.hta'
- '~1.js'
- '~1.msi'
- '~1.ps1'
- '~1.tmp'
- '~1.vbe'
- '~1.vbs'
- '~2.bat'
- '~2.dll'
- '~2.exe'
- '~2.hta'
- '~2.js'
- '~2.msi'
- '~2.ps1'
- '~2.tmp'
- '~2.vbe'
- '~2.vbs'
filter_main_generic_parent:
ParentImage: 'C:\Windows\explorer.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe'
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_winzip:
Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
filter_optional_vcred:
Image|endswith: '\VCREDI~1.EXE'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Software Installers
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
view Sigma YAML
title: Use Of The SFTP.EXE Binary As A LOLBIN
id: a85ffc3a-e8fd-4040-93bf-78aff284d801
status: test
description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sftp.exe' # The "sftp.exe" located in the OpenSSH directory has no OriginalFileName :(
CommandLine|contains:
# Since "-D" is a valid flag for other usage we assume the user is going to enter a path
# Either a full one like "C:\Windows\System32\calc.exe" or a relative one "..\..\..\Windows\System32\calc.exe"
# In my testing you can't execute direct binaries by their name via this method (if you found a way please update the rule)
- ' -D ..'
- ' -D C:\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Use Short Name Path in Command Line
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
When investigating, examine:
- Commands using short paths to access sensitive directories or files
- Web servers on Windows (especially Apache) where short filenames could bypass security controls
- Correlation with other suspicious behaviors
- baseline of short name usage in your environment and look for deviations
view Sigma YAML
title: Use Short Name Path in Command Line
id: 349d891d-fef0-4fe4-bc53-eee623a15969
related:
- id: a96970af-f126-420d-90e1-d37bf25e50e1
type: similar
status: test
description: |
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations.
Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs.
When investigating, examine:
- Commands using short paths to access sensitive directories or files
- Web servers on Windows (especially Apache) where short filenames could bypass security controls
- Correlation with other suspicious behaviors
- baseline of short name usage in your environment and look for deviations
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022-08-07
modified: 2025-10-22
tags:
- attack.stealth
- attack.t1564.004
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1\'
- '~2\'
filter_main_system_process:
ParentImage:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\cleanmgr.exe'
filter_main_winget:
- ParentImage|endswith: '\winget.exe'
- ParentImage|contains: '\AppData\Local\Temp\WinGet\'
filter_main_csc:
ParentImage|startswith: 'C:\Windows\Microsoft.NET\Framework64\v'
ParentImage|endswith: '\csc.exe'
filter_main_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- CommandLine|contains: '\AppData\Local\Temp\' # sometimes installers spawn other installers from temp folder
filter_optional_dopus:
ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe'
filter_optional_aurora:
ParentImage|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_git:
CommandLine|contains:
- 'C:\Program Files\Git\post-install.bat'
- 'C:\Program Files\Git\cmd\scalar.exe'
filter_optional_webex:
- ParentImage|endswith: '\WebEx\webexhost.exe'
- CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe'
filter_optional_veeam:
ParentImage|endswith: '\veeam.backup.shell.exe'
filter_optional_everything:
ParentImage|endswith: '\Everything\Everything.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
view Sigma YAML
title: Use Short Name Path in Image
id: a96970af-f126-420d-90e1-d37bf25e50e1
related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022-08-07
modified: 2025-10-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1\'
- '~2\'
filter_main_system_process:
ParentImage:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\cleanmgr.exe' # Spawns DismHost.exe with a shortened username (if too long)
filter_main_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- Image|endswith:
- '~1\unzip.exe'
- '~1\7zG.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_installshield:
- Product: 'InstallShield (R)'
- Description: 'InstallShield (R) Setup Engine'
- Company: 'InstallShield Software Corporation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
Both can be used for AWL bypass and to execute F# code via scripts or inline.
view Sigma YAML
title: Use of FSharp Interpreters
id: b96b2031-7c17-4473-afe7-a30ce714db29
status: test
description: |
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
Both can be used for AWL bypass and to execute F# code via scripts or inline.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
- https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
date: 2022-06-02
modified: 2024-04-23
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\fsi.exe'
- '\fsianycpu.exe'
- OriginalFileName:
- 'fsi.exe'
- 'fsianycpu.exe'
condition: selection
falsepositives:
- Legitimate use by a software developer.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Use of OpenConsole
Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
view Sigma YAML
title: Use of OpenConsole
id: 814c95cc-8192-4378-a70a-f1aafd877af1
status: test
description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
references:
- https://twitter.com/nas_bench/status/1537563834478645252
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'OpenConsole.exe'
- Image|endswith: '\OpenConsole.exe'
filter:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
condition: selection and not filter
falsepositives:
- Legitimate use by an administrator
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Use of Pcalua For Execution
Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
view Sigma YAML
title: Use of Pcalua For Execution
id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
related:
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsolete
status: test
description: Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2023-01-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcalua.exe'
CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a"
condition: selection
falsepositives:
- Legitimate use by a via a batch script or by an administrator.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of Remote.exe
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
view Sigma YAML
title: Use of Remote.exe
id: 4eddc365-79b4-43ff-a9d7-99422dc34b93
status: test
description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
references:
- https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-02
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\remote.exe'
- OriginalFileName: 'remote.exe'
condition: selection
falsepositives:
- Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of Scriptrunner.exe
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
view Sigma YAML
title: Use of Scriptrunner.exe
id: 64760eef-87f7-4ed3-93fd-655668ea9420
status: test
description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
references:
- https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-01
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ScriptRunner.exe'
- OriginalFileName: 'ScriptRunner.exe'
selection_cli:
CommandLine|contains: ' -appvscript '
condition: all of selection*
falsepositives:
- Legitimate use when App-v is deployed
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of TTDInject.exe
Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
view Sigma YAML
title: Use of TTDInject.exe
id: b27077d6-23e6-45d2-81a0-e2b356eea5fd
status: test
description: Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
product: windows
category: process_creation
detection:
selection:
- Image|endswith: 'ttdinject.exe'
- OriginalFileName: 'TTDInject.EXE'
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
view Sigma YAML
title: Use of UltraVNC Remote Access Software
id: 145322e4-0fd3-486b-81ca-9addc75736d8
status: test
description: An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
author: frack113
date: 2022-10-02
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: VNCViewer
- Product: UltraVNC VNCViewer
- Company: UltraVNC
- OriginalFileName: VNCViewer.exe
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of VSIISExeLauncher.exe
The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
view Sigma YAML
title: Use of VSIISExeLauncher.exe
id: 18749301-f1c5-4efc-a4c3-276ff1f5b6f8
status: test
description: The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VSIISExeLauncher.exe'
- OriginalFileName: 'VSIISExeLauncher.exe'
selection_cli:
CommandLine|contains:
- ' -p '
- ' -a '
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
view Sigma YAML
title: Use of VisualUiaVerifyNative.exe
id: b30a8bc5-e21b-4ca2-9420-0a94019ac56a
status: test
description: VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
- https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/
- https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\VisualUiaVerifyNative.exe'
- OriginalFileName: 'VisualUiaVerifyNative.exe'
condition: selection
falsepositives:
- Legitimate testing of Microsoft UI parts.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Use of Wfc.exe
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
view Sigma YAML
title: Use of Wfc.exe
id: 49be8799-7b4d-4fda-ad23-cafbefdebbc5
status: test
description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-01
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wfc.exe'
- OriginalFileName: 'wfc.exe'
condition: selection
falsepositives:
- Legitimate use by a software developer
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies.
The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
view Sigma YAML
title: User Access Blocked by Azure Conditional Access
id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
status: test
description: |
Detect access has been blocked by Conditional Access policies.
The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.credential-access
- attack.initial-access
- attack.stealth
- attack.t1110
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResultType: 53003
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
view Sigma YAML
title: User Added To Admin Group Via Dscl
id: b743623c-2776-40e0-87b1-682b975d0ca5
related:
- id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "dscl"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos
- https://ss64.com/osx/dscl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection: # adds to admin group
Image|endswith: '/dscl'
CommandLine|contains|all:
- ' -append '
- ' /Groups/admin '
- ' GroupMembership '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
view Sigma YAML
title: User Added To Admin Group Via DseditGroup
id: 5d0fdb62-f225-42fb-8402-3dfe64da468a
status: test
description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos
- https://ss64.com/osx/dseditgroup.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dseditgroup'
CommandLine|contains|all:
- ' -o edit ' # edit operation
- ' -a ' # username
- ' -t user'
- 'admin' # Group name
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
view Sigma YAML
title: User Added To Admin Group Via Sysadminctl
id: 652c098d-dc11-4ba6-8566-c20e89042f2b
related:
- id: 0c1ffcf9-efa9-436e-ab68-23a9496ebf5b
type: obsolete
status: test
description: Detects attempts to create and add an account to the admin group via "sysadminctl"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos
- https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-03-19
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.003
logsource:
category: process_creation
product: macos
detection:
selection:
# Creates and adds new user to admin group
Image|endswith: '/sysadminctl'
CommandLine|contains|all:
- ' -addUser '
- ' -admin '
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
view Sigma YAML
title: User Added To Group With CA Policy Modification Access
id: 91c95675-1f27-46d0-bead-d1ae96b97cd3
status: test
description: Monitor and alert on group membership additions of groups that have CA policy modification access
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1548
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add member from group
condition: selection
falsepositives:
- User removed from the group is approved
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users add users to the root or suoders groups
view Sigma YAML
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: test
description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
references:
- https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
- https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022-12-21
tags:
- attack.privilege-escalation
- attack.persistence
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/usermod'
CommandLine|contains:
- '-aG root'
- '-aG sudoers'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
view Sigma YAML
title: User Added to Local Administrator Group
id: c265cf08-3f99-46c1-8d59-328247057d57
status: stable
description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
author: Florian Roth (Nextron Systems)
date: 2017-03-14
modified: 2021-01-17
tags:
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection_eid:
EventID: 4732
selection_group:
- TargetUserName|startswith: 'Administr'
- TargetSid: 'S-1-5-32-544'
filter_main_computer_accounts:
SubjectUserName|endswith: '$'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Legitimate administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
view Sigma YAML
title: User Added to Local Administrators Group
id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
related:
- id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-03-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
# net.exe
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
# powershell.exe
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- ' administrators '
- ' administrateur' # Typo without an 'S' so we catch both
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
view Sigma YAML
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1098.003
- attack.t1078
logsource:
product: azure
service: activitylogs
detection:
selection:
Operation: 'Add member to role.'
Workload: 'AzureActiveDirectory'
ModifiedProperties{}.NewValue|endswith:
- 'Admins'
- 'Administrator'
condition: selection
falsepositives:
- PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
view Sigma YAML
title: User Discovery And Export Via Get-ADUser Cmdlet
id: 1114e048-b69c-4f41-bc20-657245ae6e3f
related:
- id: c2993223-6da8-4b1a-88ee-668b8bf315e9
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
view Sigma YAML
title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
- id: 1114e048-b69c-4f41-bc20-657245ae6e3f
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
ScriptBlockText|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
Convert to SIEM query
medium
Moderate
High FP
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
view Sigma YAML
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
- https://www.cyberciti.biz/faq/linux-remove-user-command/
- https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
- https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
- attack.impact
- attack.t1531
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/userdel'
condition: selection
falsepositives:
- Legitimate administrator activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
view Sigma YAML
title: User Removed From Group With CA Policy Modification Access
id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
status: test
description: Monitor and alert on group membership removal of groups that have CA policy modification access
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1548
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Remove member from group
condition: selection
falsepositives:
- User removed from the group is approved
level: medium
Convert to SIEM query
Showing 1351-1400 of 1,490