SOAR
Panther
3,743 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,743
medium
Strong
Medium FP
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
view Sigma YAML
title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
- https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
- attack.defense-impairment
- attack.t1686.003
- attack.s0246
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- ' firewall '
- ' add '
filter_optional_dropbox:
CommandLine|contains:
- 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
- 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administration activity
- Software installations
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials.
As an example, this can be used before connecting to an RDP session via command line interface.
view Sigma YAML
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
Detects usage of "cmdkey.exe" to add generic credentials.
As an example, this can be used before connecting to an RDP session via command line interface.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
- attack.credential-access
- attack.t1003.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli_generic:
CommandLine|contains|windash: ' -g' # Generic
selection_cli_user:
CommandLine|contains|windash: ' -u' # User
selection_cli_password:
CommandLine|contains|windash: ' -p' # Password
condition: all of selection_*
falsepositives:
- Legitimate usage for administration purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
simulation:
- type: atomic-red-team
name: RDP to DomainController
technique: T1021.001
atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
Convert to SIEM query
medium
Strong
Medium FP
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
view Sigma YAML
title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel"
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains:
- 'create'
- 'config'
CommandLine|contains|all:
- 'binPath'
- 'type'
- 'kernel'
filter_optional_avira_driver:
- CommandLine|contains|all:
- 'create netprotection_network_filter'
- 'type= kernel start= '
- 'binPath= System32\drivers\netprotection_network_filter'
- 'DisplayName= netprotection_network_filter'
- 'group= PNP_TDI tag= yes'
- CommandLine|contains|all:
- 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
- 'type=kernel start=boot error=critical group=Early-Launch'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Rare legitimate installation of kernel drivers via sc.exe
level: medium
Convert to SIEM query
medium
Strong
Low FP
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
view Sigma YAML
title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
- https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
- https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1505.004
logsource:
product: windows
service: iis-configuration
detection:
selection:
EventID: 29
Configuration|contains: '/system.webServer/modules/add'
filter_main_builtin:
NewValue:
- 'AnonymousAuthenticationModule'
- 'CustomErrorModule'
- 'DefaultDocumentModule'
- 'DirectoryListingModule'
- 'FileCacheModule'
- 'HttpCacheModule'
- 'HttpLoggingModule'
- 'ProtocolSupportModule'
- 'RequestFilteringModule'
- 'StaticCompressionModule'
- 'StaticFileModule'
- 'TokenCacheModule'
- 'UriCacheModule'
filter_main_remove:
NewValue: ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.
The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.
It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.
So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
view Sigma YAML
title: New MsDS-DelegatedManagedServiceAccount (DMSA) Object Created
id: e15bc294-ae2a-45ad-b7d6-637b33868bde
related:
- id: 02122374-b74e-495c-b285-9e4da973f3d6
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
type: similar
status: experimental
description: |
Detects the creation of new msDS-DelegatedManagedServiceAccount objects, which could indicate potential abuse of privilege escalation vulnerabilities in Windows Server 2025.
The msDS-DelegatedManagedServiceAccount (DMSA) is a new object class introduced in Windows Server 2025 that allows administrators to delegate the management of service accounts to other users or groups.
Attackers may exploit this feature to create unauthorized service accounts with elevated privileges, leading to privilege escalation within the Active Directory environment.
It is highly suspicious if an msDS-DelegatedManagedServiceAccount object is created without proper authorization or in an unexpected context, such as by a non-administrative user or outside of normal administrative workflows.
So, it's a good idea to look out for accounts that are not typically responsible for service account creation to detect potential abuse of this feature.
references:
- https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection:
EventID: 5137
ObjectClass: 'msDS-DelegatedManagedServiceAccount'
filter_main_legitimate_accounts:
# Exclude modifications made by the system or legitimate administrative accounts
- SubjectAccountName: 'SYSTEM'
- SubjectAccountName|expand: '%Administrators%' # Add all members of the Administrators group to this placeholder
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
# The level is set to medium because while this is a significant event, it may not always indicate malicious activity. It requires further investigation to determine the context and intent behind the modification.
level: medium
Convert to SIEM query
medium
Moderate
Low FP
New Network Route Added
Detects the addition of a new network route to a route table in AWS.
view Sigma YAML
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
Detects the addition of a new network route to a route table in AWS.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.defense-impairment
- attack.t1686.001
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName: 'CreateRoute'
condition: selection
falsepositives:
- New VPC Creation requiring setup of a new route table
- New subnets added requiring routing setup
level: medium
Convert to SIEM query
medium
Moderate
High FP
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
view Sigma YAML
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
- https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
- https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'trace'
- 'start'
condition: all of selection_*
falsepositives:
- Legitimate administration activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
- id: 117d3d3a-755c-4a61-b23e-9171146d094c
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinely creates a VB Macro for their email
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New PDQDeploy Service - Client Side
Detects PDQDeploy service installation on the target system.
When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
view Sigma YAML
title: New PDQDeploy Service - Client Side
id: b98a10af-1e1e-44a7-bab2-4cc026917648
status: test
description: |
Detects PDQDeploy service installation on the target system.
When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployRunner-'
- ServiceName|startswith: 'PDQDeployRunner-'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
view Sigma YAML
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
- https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
product: windows
service: system
detection:
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains: 'PDQDeployService.exe'
- ServiceName:
- 'PDQDeploy'
- 'PDQ Deploy'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
view Sigma YAML
title: New Port Forwarding Rule Added Via Netsh.EXE
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
status: test
description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-01-29
modified: 2023-09-01
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\netsh.exe'
- OriginalFileName: 'netsh.exe'
selection_cli_1:
CommandLine|contains|all:
- 'interface'
- 'portproxy'
- 'add'
- 'v4tov4'
selection_cli_2:
CommandLine|contains|all:
# Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
- 'i ' # interface
- 'p ' # portproxy
- 'a ' # add
- 'v ' # v4tov4
selection_cli_3:
CommandLine|contains|all:
- 'connectp'
- 'listena'
- 'c='
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Legitimate administration activity
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
Convert to SIEM query
medium
Moderate
High FP
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
view Sigma YAML
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: registry_event
product: windows
detection:
selection:
# Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
condition: selection
falsepositives:
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
- Synergy Software KVM (https://symless.com/synergy)
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mstsc.exe'
- OriginalFileName: 'mstsc.exe'
selection_cli:
CommandLine|contains|windash: ' /v:'
filter_optional_wsl:
# Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- WSL (Windows Sub System For Linux)
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
view Sigma YAML
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
references:
- https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
- https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
OperationName: 'Set Company Information'
TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
- https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
selection_img:
- Image|endswith: '\CertMgr.exe'
- OriginalFileName: 'CERTMGT.EXE'
selection_cli:
CommandLine|contains|all:
- '/add'
- 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
- id: 42821614-9264-4761-acfc-5772c3286f76
type: derived
- id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
type: obsolete
status: test
description: |
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
category: process_creation
product: windows
detection:
# Example: certutil -addstore -f -user ROOT CertificateFileName.der
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli_add:
CommandLine|contains|windash: '-addstore'
selection_cli_store:
CommandLine|contains: 'root'
condition: all of selection_*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
view Sigma YAML
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
- attack.impact
- attack.t1490
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
TargetObject|endswith: '\Blob'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Self Extracting Package Created Via IExpress.EXE
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
view Sigma YAML
title: New Self Extracting Package Created Via IExpress.EXE
id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
status: test
description: |
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_1_parent:
ParentImage|endswith: '\iexpress.exe'
selection_1_img:
- Image|endswith: '\makecab.exe'
- OriginalFileName: 'makecab.exe'
selection_2_img:
- Image|endswith: '\iexpress.exe'
- OriginalFileName: 'IEXPRESS.exe'
selection_2_cli:
CommandLine|contains: ' /n '
condition: all of selection_1_* or all of selection_2_*
falsepositives:
- Administrators building packages using iexpress.exe
level: medium
Convert to SIEM query
medium
Moderate
High FP
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
view Sigma YAML
title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
- id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
- attack.persistence
- attack.t1136.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- 'user'
- 'add'
condition: all of selection_*
falsepositives:
- Legitimate user creation.
- Better use event IDs for user creation rather than command line rules.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
view Sigma YAML
title: New Virtual Smart Card Created Via TpmVscMgr.EXE
id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
status: test
description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\tpmvscmgr.exe'
OriginalFileName: 'TpmVscMgr.exe'
selection_cli:
CommandLine|contains: 'create'
condition: all of selection_*
falsepositives:
- Legitimate usage by an administrator
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
view Sigma YAML
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
- https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
- attack.stealth
- attack.t1036
logsource:
product: windows
service: security
detection:
selection_create:
EventID: 4720 # create user
SamAccountName|contains: '$'
selection_rename:
EventID: 4781 # rename user
NewTargetUserName|contains: '$'
filter_main_homegroup:
EventID: 4720
TargetUserName: 'HomeGroupUser$'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
view Sigma YAML
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
- https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
filter:
CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
view Sigma YAML
title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
- https://gtfobins.github.io/gtfobins/nohup/
- https://en.wikipedia.org/wiki/Nohup
- https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/nohup'
condition: selection
falsepositives:
- Administrators or installed processes that leverage nohup
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
view Sigma YAML
title: Non-DLL Extension File Renamed With DLL Extension
id: bbfd974c-248e-4435-8de6-1e938c79c5c1
status: test
description: |
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
references:
- https://twitter.com/ffforward/status/1481672378639912960
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
author: frack113
date: 2022-02-19
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036.008
- detection.threat-hunting
logsource:
product: windows
category: file_rename
definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
selection:
TargetFilename|endswith: '.dll'
filter_main_dll:
# Note: To avoid file renames
SourceFilename|endswith: '.dll'
filter_main_installers:
SourceFilename|endswith: '.tmp'
filter_main_empty_source:
SourceFilename: ''
filter_main_null_source:
SourceFilename: null
filter_main_tiworker:
Image|contains: ':\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
filter_main_upgrade:
- Image|endswith: ':\Windows\System32\wuauclt.exe'
- TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
filter_optional_squirrel:
SourceFilename|contains: '\SquirrelTemp\temp'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely from installers and temporary locations
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
view Sigma YAML
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_notepad_legit_domain:
QueryName: 'notepad-plus-plus.org'
filter_optional_sourceforge_legit_domain:
QueryName|endswith: '.sourceforge.net'
filter_optional_github_legit_domain:
- QueryName|endswith: '.githubusercontent.com'
- QueryName: 'github.com'
filter_optional_google_storage_legit_domain:
QueryName|endswith: '.googleapis.com'
filter_optional_uncommon_domains:
QueryName|endswith:
- '.azurewebsites.net'
- 'block.opendns.com'
- 'gateway.zscalerthree.net'
# Add other known legitimate domains if any
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
- Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
Convert to SIEM query
medium
Moderate
High FP
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
view Sigma YAML
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
- id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
type: similar
status: test
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
date: 2022-12-10
modified: 2025-02-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains|all:
- 'powershell'
- 'nslookup'
- '[1]'
Data|contains:
- '-q=txt http'
- '-querytype=txt http'
- '-type=txt http'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Nslookup PowerShell Download Cradle - ProcessCreation
Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
view Sigma YAML
title: Nslookup PowerShell Download Cradle - ProcessCreation
id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
related:
- id: 72671447-4352-4413-bb91-b85569687135
type: obsolete
- id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
type: similar
status: test
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
- https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2022-12-19
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\nslookup.exe'
- OriginalFileName: '\nslookup.exe'
selection_cmd:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -q=txt '
- ' -querytype=txt '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
view Sigma YAML
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'ESENT'
EventID:
- 216
- 325
- 326
- 327
Data|contains: 'ntds.dit'
condition: selection
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities occur in Azure via the azureactivity log.
view Sigma YAML
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: test
description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
falsepositives:
- Valid change
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
view Sigma YAML
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
- https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_command:
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'Invoke-RestMethod'
- 'irm '
- 'wget '
- 'curl '
- 'DownloadFile'
- 'DownloadString'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
view Sigma YAML
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\ping.exe'
- '\arp.exe'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
view Sigma YAML
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
- attack.command-and-control
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
filter_main_common_ports:
DestinationPort:
- 53 # DNS
- 80 # HTTP
- 139 # NETBIOS
- 389 # LDAP
- 443 # HTTPS
- 445 # SMB
- 3268 # MSFT-GC
filter_main_outlook_ports:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\OUTLOOK.EXE'
DestinationPort:
- 143
- 465 # SMTP
- 587 # SMTP
- 993 # IMAP
- 995 # POP3
condition: selection and not 1 of filter_main_*
falsepositives:
- Other ports can be used, apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
view Sigma YAML
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
references:
- https://corelight.com/blog/detecting-cve-2021-42292
- https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
- attack.execution
- attack.t1203
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wordview.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_msrange_generic:
DestinationIp|cidr:
- '2.16.56.0/23' # Akamai International B.V.
- '2.17.248.0/21' # Akamai International B.V.
- '13.107.240.0/21' # Microsoft Corporation
- '20.184.0.0/13' # Microsoft Corporation
- '23.61.224.0/20' # Akamai-AS
- '20.192.0.0/10' # Microsoft Corporation
- '23.72.0.0/13' # Akamai International B.V.
- '23.3.88.0/22' # Akamai-AS
- '23.216.132.0/22' # Akamai-AS
- '40.76.0.0/14' # Microsoft Corporation
- '51.10.0.0/15' # Microsoft Corporation
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
- '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
- '95.101.96.0/21' # Akamai-As
- '204.79.197.0/24' # Microsoft Corporation
filter_main_msrange_exchange_1:
# Exchange Online
# "urls": [
# "outlook.cloud.microsoft",
# "outlook.office.com",
# "outlook.office365.com"
# ]
DestinationIp|cidr:
- '13.107.4.0/22'
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.42.0/23'
- '13.107.128.0/22'
- '23.35.224.0/20'
- '23.53.40.0/22'
- '23.103.160.0/20'
- '23.216.76.0/22'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 80
- 443
filter_main_msrange_exchange_2:
# Exchange Online
# "urls": [
# "outlook.office365.com",
# "smtp.office365.com"
# ]
DestinationIp|cidr:
- '13.107.6.152/31'
- '13.107.18.10/31'
- '13.107.128.0/22'
- '23.103.160.0/20'
- '40.96.0.0/13'
- '40.104.0.0/15'
- '52.96.0.0/14'
- '131.253.33.215/32'
- '132.245.0.0/16'
- '150.171.32.0/22'
- '204.79.197.215/32'
- '2603:1006::/40'
- '2603:1016::/36'
- '2603:1026::/36'
- '2603:1036::/36'
- '2603:1046::/36'
- '2603:1056::/36'
- '2620:1ec:4::152/128'
- '2620:1ec:4::153/128'
- '2620:1ec:c::10/128'
- '2620:1ec:c::11/128'
- '2620:1ec:d::10/128'
- '2620:1ec:d::11/128'
- '2620:1ec:8f0::/46'
- '2620:1ec:900::/46'
- '2620:1ec:a92::152/128'
- '2620:1ec:a92::153/128'
DestinationPort:
- 143
- 587
- 993
- 995
Protocol: 'tcp'
filter_main_msrange_exchange_3:
# Exchange Online
# "urls": [
# "*.protection.outlook.com"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 443
filter_main_msrange_exchange_4:
# Exchange Online
# "urls": [
# "*.mail.protection.outlook.com",
# "*.mx.microsoft"
# ]
DestinationIp|cidr:
- '40.92.0.0/15'
- '40.107.0.0/16'
- '52.100.0.0/14'
- '52.238.78.88/32'
- '104.47.0.0/17'
- '2a01:111:f400::/48'
- '2a01:111:f403::/48'
DestinationPort: 25
filter_main_msrange_sharepoint_1:
# SharePoint Online and OneDrive for Business",
# "urls": [
# "*.sharepoint.com"
# ]
DestinationIp|cidr:
- '13.107.136.0/22'
- '40.108.128.0/17'
- '52.104.0.0/14'
- '104.146.128.0/17'
- '150.171.40.0/22'
- '2603:1061:1300::/40'
- '2620:1ec:8f8::/46'
- '2620:1ec:908::/46'
- '2a01:111:f402::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_1:
# Microsoft 365 Common and Office Online",
# "urls": [
# "*.officeapps.live.com",
# "*.online.office.com",
# "office.live.com",
# "office.com.akadns.net"
# ],
DestinationIp|cidr:
- '13.107.6.171/32'
- '13.107.18.15/32'
- '13.107.140.6/32'
- '20.64.0.0/10'
- '52.108.0.0/14'
- '52.244.37.168/32'
- '2603:1006:1400::/40'
- '2603:1016:2400::/40'
- '2603:1026:2400::/40'
- '2603:1036:2400::/40'
- '2603:1046:1400::/40'
- '2603:1056:1400::/40'
- '2603:1063:2000::/38'
- '2620:1ec:c::15/128'
- '2620:1ec:8fc::6/128'
- '2620:1ec:a92::171/128'
- '2a01:111:f100:2000::a83e:3019/128'
- '2a01:111:f100:2002::8975:2d79/128'
- '2a01:111:f100:2002::8975:2da8/128'
- '2a01:111:f100:7000::6fdd:6cd5/128'
- '2a01:111:f100:a004::bfeb:88cf/128'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_2:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.auth.microsoft.com",
# "*.msftidentity.com",
# "*.msidentity.com",
# "account.activedirectory.windowsazure.com",
# "accounts.accesscontrol.windows.net",
# "adminwebservice.microsoftonline.com",
# "api.passwordreset.microsoftonline.com",
# "autologon.microsoftazuread-sso.com",
# "becws.microsoftonline.com",
# "ccs.login.microsoftonline.com",
# "clientconfig.microsoftonline-p.net",
# "cloudapp.azure.com",
# "companymanager.microsoftonline.com",
# "device.login.microsoftonline.com",
# "graph.microsoft.com",
# "graph.windows.net",
# "login-us.microsoftonline.com",
# "login.microsoft.com",
# "login.microsoftonline-p.com",
# "login.microsoftonline.com",
# "login.windows.net",
# "logincert.microsoftonline.com",
# "loginex.microsoftonline.com",
# "nexus.microsoftonline-p.com",
# "passwordreset.microsoftonline.com",
# "provisioningapi.microsoftonline.com",
# "web.core.windows.net",
# ]
DestinationIp|cidr:
- '172.128.0.0/10'
- '20.20.32.0/19'
- '20.103.156.88/32' # msn.com
- '20.190.128.0/18'
- '20.231.128.0/19'
- '40.126.0.0/18'
- '57.150.0.0/15'
- '2603:1006:2000::/48'
- '2603:1007:200::/48'
- '2603:1016:1400::/48'
- '2603:1017::/48'
- '2603:1026:3000::/48'
- '2603:1027:1::/48'
- '2603:1036:3000::/48'
- '2603:1037:1::/48'
- '2603:1046:2000::/48'
- '2603:1047:1::/48'
- '2603:1056:2000::/48'
- '2603:1057:2::/48'
DestinationPort:
- 80
- 443
Protocol: 'tcp'
filter_main_msrange_office_3:
# Microsoft 365 Common and Office Online
# "urls": [
# "*.compliance.microsoft.com",
# "*.data.microsoft.com",
# "*.protection.office.com",
# "*.security.microsoft.com",
# "compliance.microsoft.com",
# "defender.microsoft.com",
# "protection.office.com",
# "security.microsoft.com",
# "teams.microsoft.com",
# ]
DestinationIp|cidr:
- '13.64.0.0/11'
- '13.107.6.192/32'
- '13.107.9.192/32'
- '13.89.179.14/32'
- '20.40.0.0/14'
- '20.48.0.0/12'
- '20.64.0.0/12'
- '52.123.0.0/16'
- '52.108.0.0/14'
- '52.136.0.0/13'
- '57.150.0.0/15'
- '80.239.150.67/32' # Arelion Sweden AB
- '2620:1ec:4::192/128'
- '2620:1ec:a92::192/128'
DestinationPort: 443
Protocol: 'tcp'
filter_main_destination_host:
DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
DestinationPort: 443
Protocol: 'tcp'
condition: selection and not 1 of filter_main_*
falsepositives:
- You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
- Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
- It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
view Sigma YAML
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
- https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
- attack.persistence
- attack.t1137.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
view Sigma YAML
title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: |
Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_office_root:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Office'
- '\Software\Microsoft\Office'
selection_office_details:
TargetObject|contains:
- '\Word\Addins'
- '\PowerPoint\Addins'
- '\Outlook\Addins'
- '\Onenote\Addins'
- '\Excel\Addins'
- '\Access\Addins'
- 'test\Special\Perf'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_known_addins:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
- 'C:\PROGRA~2\MICROS~2\Office'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe '
TargetObject|contains:
# Remove any unused addins in your environment from the filter
# Known addins for excel
- '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
- '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
- '\Excel\Addins\NativeShim\'
- '\Excel\Addins\NativeShim.InquireConnector.1\'
- '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
# Known addins for outlook
- '\Outlook\AddIns\AccessAddin.DC\'
- '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
- '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
- '\Outlook\AddIns\EvernoteOLRD.Connect\'
# - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
- '\Outlook\Addins\\OneNote.OutlookAddin'
- '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
- '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
- '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
- '\Outlook\Addins\OcOffice.OcForms\'
- '\Outlook\Addins\OscAddin.Connect\'
- '\Outlook\Addins\OutlookChangeNotifier.Connect\'
- '\Outlook\Addins\UCAddin.LyncAddin.1'
- '\Outlook\Addins\UCAddin.UCAddin.1'
- '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
- 'AddinTakeNotesService\FriendlyName'
filter_main_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
# These filters are not exhaustive, filter can be expanded based on environment
condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software or add-in installations and administrative configurations
- Automatic registry modifications during legitimate software installations
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
view Sigma YAML
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: test
description: |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
author: Muhammad Faisal (@faisalusuf)
date: 2023-10-25
modified: 2026-04-27
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://developer.okta.com/docs/reference/api/event-types/
tags:
- attack.credential-access
- detection.emerging-threats
logsource:
service: okta
product: okta
detection:
selection:
eventType:
- 'user.lifecycle.create'
- 'user.lifecycle.activate'
target.displayName|contains: 'svc_network_backup'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta API Token Created
Detects when a API token is created
view Sigma YAML
title: Okta API Token Created
id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
status: test
description: Detects when a API token is created
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.persistence
logsource:
product: okta
service: okta
detection:
selection:
eventType: system.api_token.create
condition: selection
falsepositives:
- Legitimate creation of an API token by authorized users
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta API Token Revoked
Detects when a API Token is revoked.
view Sigma YAML
title: Okta API Token Revoked
id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
status: test
description: Detects when a API Token is revoked.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType: system.api_token.revoke
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
view Sigma YAML
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
- https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
- https://dataconomy.com/2023/10/23/okta-data-breach/
- https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
- attack.credential-access
logsource:
service: okta
product: okta
detection:
selection:
debugContext.debugData.requestUri|contains: 'admin'
securityContext.isProxy: 'true'
condition: selection
falsepositives:
- False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Admin Role Assigned to an User or Group
Detects when an the Administrator role is assigned to an user or group.
view Sigma YAML
title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when an the Administrator role is assigned to an user or group.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.003
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- group.privilege.grant
- user.account.privilege.grant
condition: selection
falsepositives:
- Administrator roles could be assigned to users or group by other admin users.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
view Sigma YAML
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: test
description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Nikita Khalimonenkov
date: 2023-01-19
modified: 2026-04-27
tags:
- attack.persistence
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'iam.resourceset.bindings.add'
condition: selection
falsepositives:
- Legitimate creation of a new admin role assignment
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
view Sigma YAML
title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
status: test
description: Detects when an application is modified or deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- application.lifecycle.update
- application.lifecycle.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
view Sigma YAML
title: Okta Application Sign-On Policy Modified or Deleted
id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
status: test
description: Detects when an application Sign-on Policy is modified or deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- application.policy.sign_on.update
- application.policy.sign_on.rule.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
view Sigma YAML
title: Okta Identity Provider Created
id: 969c7590-8c19-4797-8c1b-23155de6e7ac
status: test
description: Detects when a new identity provider is created for Okta.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.001
logsource:
product: okta
service: okta
detection:
selection:
eventType: 'system.idp.lifecycle.create'
condition: selection
falsepositives:
- When an admin creates a new, authorised identity provider.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
view Sigma YAML
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects when an attempt at deactivating or resetting MFA.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.006
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- user.mfa.factor.deactivate
- user.mfa.factor.reset_all
condition: selection
falsepositives:
- If a MFA reset or deactivated was performed by a system administrator.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Network Zone Deactivated or Deleted
Detects when an Network Zone is Deactivated or Deleted.
view Sigma YAML
title: Okta Network Zone Deactivated or Deleted
id: 9f308120-69ed-4506-abde-ac6da81f4310
status: test
description: Detects when an Network Zone is Deactivated or Deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- zone.deactivate
- zone.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Policy Rule Modified or Deleted
Detects when an Policy Rule is Modified or Deleted.
view Sigma YAML
title: Okta Policy Rule Modified or Deleted
id: 0c97c1d3-4057-45c9-b148-1de94b631931
status: test
description: Detects when an Policy Rule is Modified or Deleted.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
eventType:
- policy.rule.update
- policy.rule.delete
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Security Threat Detected
Detects when an security threat is detected in Okta.
view Sigma YAML
title: Okta Security Threat Detected
id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
status: test
description: Detects when an security threat is detected in Okta.
references:
- https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.command-and-control
logsource:
product: okta
service: okta
detection:
selection:
eventType: security.threat.detected
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Okta Session Impersonation Granted From Untrusted Domain
Detects Okta session impersonation grant event where a user is granted the ability to impersonate another user's session.
This event type "user.session.impersonation.grant" signifies that someone has been given temporary access to act on behalf of another user account.
Threat actors may abuse this functionality to escalate privileges, access sensitive resources, or perform unauthorized actions while appearing to be the impersonated user.
Legitimate use cases are typically limited to Okta support scenarios or authorized administrative troubleshooting.
view Sigma YAML
title: Okta Session Impersonation Granted From Untrusted Domain
id: fe04b26b-0ac4-45d7-9404-4b9f16a440a9
status: experimental
description: |
Detects Okta session impersonation grant event where a user is granted the ability to impersonate another user's session.
This event type "user.session.impersonation.grant" signifies that someone has been given temporary access to act on behalf of another user account.
Threat actors may abuse this functionality to escalate privileges, access sensitive resources, or perform unauthorized actions while appearing to be the impersonated user.
Legitimate use cases are typically limited to Okta support scenarios or authorized administrative troubleshooting.
references:
- https://developer.okta.com/docs/reference/system-log-query/
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- https://support.okta.com/help/s/article/What-is-the-systemoktacom-Account-in-Syslog-Used-For
author: zendannyy
date: 2026-04-28
tags:
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1484.002
- attack.initial-access
- attack.t1199
logsource:
service: okta
product: okta
detection:
selection:
eventType: 'user.session.impersonation.grant'
filter_main_okta:
actor.alternateId|contains: '[email protected]'
filter_main_company:
actor.alternateId|contains|expand: '%legtimate_identifiers%' # Your trusted domain goes here
condition: selection and not 1 of filter_main_*
falsepositives:
- The only legitimate use case here is an Okta support engineer actively working with an internal Okta Admin.
- This access is temporary and should be revoked once done with the support case.
- Apply additional filters if necessary
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Okta Unauthorized Access to App
Detects when unauthorized access to app occurs.
view Sigma YAML
title: Okta Unauthorized Access to App
id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
status: test
description: Detects when unauthorized access to app occurs.
references:
- https://developer.okta.com/docs/reference/api/system-log/
- https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
- attack.impact
logsource:
product: okta
service: okta
detection:
selection:
displayMessage: User attempted unauthorized access to app
condition: selection
falsepositives:
- User might of believe that they had access.
level: medium
Convert to SIEM query
Showing 2501-2550 of 3,743