SOAR
Panther
341 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
◈
Detection rules
50 shown of 341
low
A Member Was Added to a Security-Enabled Global Group
Detects activity when a member is added to a security-enabled global group
view Sigma YAML
title: A Member Was Added to a Security-Enabled Global Group
id: c43c26be-2e87-46c7-8661-284588c5a53e
related:
- id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
type: obsolete
status: stable
description: Detects activity when a member is added to a security-enabled global group
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4728 # A member was added to a security-enabled global group
- 632 # Security Enabled Global Group Member Added
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
A Member Was Removed From a Security-Enabled Global Group
Detects activity when a member is removed from a security-enabled global group
view Sigma YAML
title: A Member Was Removed From a Security-Enabled Global Group
id: 02c39d30-02b5-45d2-b435-8aebfe5a8629
related:
- id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
type: obsolete
status: stable
description: Detects activity when a member is removed from a security-enabled global group
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 633 # Security Enabled Global Group Member Removed
- 4729 # A member was removed from a security-enabled global group
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
view Sigma YAML
title: A Security-Enabled Global Group Was Deleted
id: b237c54b-0f15-4612-a819-44b735e0de27
related:
- id: 9cf01b6c-e723-4841-a868-6d7f8245ca6e
type: obsolete
status: stable
description: Detects activity when a security-enabled global group is deleted
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
author: Alexandr Yampolskyi, SOC Prime
date: 2023-04-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4730 # A security-enabled global group was deleted
- 634 # Security Enabled Global Group Deleted
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
view Sigma YAML
title: AD Groups Or Users Enumeration Using PowerShell - PoshModule
id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
status: test
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2023-01-20
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_ad_principal:
- Payload|contains: 'get-ADPrincipalGroupMembership'
- ContextInfo|contains: 'get-ADPrincipalGroupMembership'
selection_get_aduser:
- Payload|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
- ContextInfo|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
condition: 1 of selection_*
falsepositives:
- Administrator script
level: low
Convert to SIEM query
low
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
view Sigma YAML
title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
id: 88f0884b-331d-403d-a3a1-b668cf035603
status: test
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
test_2:
ScriptBlockText|contains: get-ADPrincipalGroupMembership
test_7:
ScriptBlockText|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
condition: 1 of test_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
ADCS Certificate Template Configuration Vulnerability
Detects certificate creation with template allowing risk permission subject
view Sigma YAML
title: ADCS Certificate Template Configuration Vulnerability
id: 5ee3a654-372f-11ec-8d3d-0242ac130003
status: test
description: Detects certificate creation with template allowing risk permission subject
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.credential-access
logsource:
product: windows
service: security
definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag.
detection:
selection1:
EventID: 4898
TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
selection2:
EventID: 4899
NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
condition: selection1 or selection2
falsepositives:
- Administrator activity
- Proxy SSL certificate with subject modification
- Smart card enrollement
level: low
Convert to SIEM query
low
ADS Zone.Identifier Deleted
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
view Sigma YAML
title: ADS Zone.Identifier Deleted
id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
related:
- id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
- https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
author: frack113
date: 2023-09-04
tags:
- attack.stealth
- attack.t1070.004
- detection.threat-hunting
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|endswith: ':Zone.Identifier'
condition: selection
falsepositives:
- Likely
level: low
Convert to SIEM query
low
AWS EC2 VM Export Failure
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
view Sigma YAML
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
author: Diogo Braz
date: 2020-04-16
modified: 2022-10-05
tags:
- attack.collection
- attack.t1005
- attack.exfiltration
- attack.t1537
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventName: 'CreateInstanceExportTask'
eventSource: 'ec2.amazonaws.com'
filter1:
errorMessage|contains: '*'
filter2:
errorCode|contains: '*'
filter3:
responseElements|contains: 'Failure'
condition: selection and not 1 of filter*
level: low
Convert to SIEM query
low
AWS EKS Cluster Created or Deleted
Identifies when an EKS cluster is created or deleted.
view Sigma YAML
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
status: test
description: Identifies when an EKS cluster is created or deleted.
references:
- https://any-api.com/amazonaws_com/eks/docs/API_Description
author: Austin Songer
date: 2021-08-16
modified: 2022-10-09
tags:
- attack.impact
- attack.t1485
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: eks.amazonaws.com
eventName:
- CreateCluster
- DeleteCluster
condition: selection
falsepositives:
- EKS Cluster being created or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS ElastiCache Security Group Created
Detects when an ElastiCache security group has been created.
view Sigma YAML
title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
status: test
description: Detects when an ElastiCache security group has been created.
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1136
- attack.t1136.003
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName: 'CreateCacheSecurityGroup'
condition: selection
falsepositives:
- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS ElastiCache Security Group Modified or Deleted
Identifies when an ElastiCache security group has been modified or deleted.
view Sigma YAML
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
status: test
description: Identifies when an ElastiCache security group has been modified or deleted.
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
- attack.impact
- attack.t1531
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName:
- 'DeleteCacheSecurityGroup'
- 'AuthorizeCacheSecurityGroupIngress'
- 'RevokeCacheSecurityGroupIngress'
- 'AuthorizeCacheSecurityGroupEgress'
- 'RevokeCacheSecurityGroupEgress'
condition: selection
falsepositives:
- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS Glue Development Endpoint Activity
Detects possible suspicious glue development endpoint activity.
view Sigma YAML
title: AWS Glue Development Endpoint Activity
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
status: test
description: Detects possible suspicious glue development endpoint activity.
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
author: Austin Songer @austinsonger
date: 2021-10-03
modified: 2022-12-18
tags:
- attack.privilege-escalation
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'glue.amazonaws.com'
eventName:
- 'CreateDevEndpoint'
- 'DeleteDevEndpoint'
- 'UpdateDevEndpoint'
condition: selection
falsepositives:
- Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS New Lambda Layer Attached
Detects when a user attached a Lambda layer to an existing Lambda function.
A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.
This would give an adversary access to resources that the function has access to.
view Sigma YAML
title: AWS New Lambda Layer Attached
id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
status: test
description: |
Detects when a user attached a Lambda layer to an existing Lambda function.
A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role.
This would give an adversary access to resources that the function has access to.
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
- https://github.com/clearvector/lambda-spy
author: Austin Songer
date: 2021-09-23
modified: 2025-03-17
tags:
- attack.privilege-escalation
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: lambda.amazonaws.com
eventName|startswith: 'UpdateFunctionConfiguration'
requestParameters.layers|contains: '*'
condition: selection
falsepositives:
- Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS Route 53 Domain Transfer Lock Disabled
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
view Sigma YAML
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
status: test
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
references:
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: DisableDomainTransferLock
condition: selection
falsepositives:
- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS Route 53 Domain Transferred to Another Account
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
view Sigma YAML
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
status: test
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
references:
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
author: Elastic, Austin Songer @austinsonger
date: 2021-07-22
modified: 2022-10-09
tags:
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: TransferDomainToAnotherAwsAccount
condition: selection
falsepositives:
- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS S3 Data Management Tampering
Detects when a user tampers with S3 data management in Amazon Web Services.
view Sigma YAML
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
status: test
description: Detects when a user tampers with S3 data management in Amazon Web Services.
references:
- https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1537
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: s3.amazonaws.com
eventName:
- PutBucketLogging
- PutBucketWebsite
- PutEncryptionConfiguration
- PutLifecycleConfiguration
- PutReplicationConfiguration
- ReplicateObject
- RestoreObject
condition: selection
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
AWS STS AssumeRole Misuse
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
view Sigma YAML
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
status: test
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
logsource:
product: aws
service: cloudtrail
detection:
selection:
userIdentity.type: AssumedRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
falsepositives:
- AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Automated processes that uses Terraform may lead to false positives.
level: low
Convert to SIEM query
low
AWS STS GetSessionToken Misuse
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
view Sigma YAML
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
status: test
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
references:
- https://github.com/elastic/detection-rules/pull/1213
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
author: Austin Songer @austinsonger
date: 2021-07-24
modified: 2022-10-09
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: sts.amazonaws.com
eventName: GetSessionToken
userIdentity.type: IAMUser
condition: selection
falsepositives:
- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
Access To .Reg/.Hive Files By Uncommon Applications
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
view Sigma YAML
title: Access To .Reg/.Hive Files By Uncommon Applications
id: 337a31c6-46c4-46be-886a-260d7aa78cac
status: test
description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
references:
- https://github.com/tccontre/Reg-Restore-Persistence-Mole
author: frack113
date: 2023-09-15
modified: 2024-07-29
tags:
- attack.defense-impairment
- attack.t1112
- attack.persistence
- detection.threat-hunting
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|endswith:
- '.hive'
- '.reg'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Third party software installed in the user context might generate a lot of FPs. Heavy baselining and tuning might be required.
level: low
Convert to SIEM query
low
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
view Sigma YAML
title: Access To ADMIN$ Network Share
id: 098d7118-55bc-4912-a836-dc6483a8d150
status: test
description: Detects access to ADMIN$ network share
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
author: Florian Roth (Nextron Systems)
date: 2017-03-04
modified: 2024-01-16
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'Requirements: The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5140
ShareName: 'Admin$'
filter_main_computer_account:
SubjectUserName|endswith: '$'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate administrative activity
level: low
Convert to SIEM query
low
Access To Browser Credential Files By Uncommon Applications
Detects file access requests to browser credential stores by uncommon processes.
Could indicate potential attempt of credential stealing.
Requires heavy baselining before usage
view Sigma YAML
title: Access To Browser Credential Files By Uncommon Applications
id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
related:
- id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
type: similar
status: test
description: |
Detects file access requests to browser credential stores by uncommon processes.
Could indicate potential attempt of credential stealing.
Requires heavy baselining before usage
references:
- https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
- https://github.com/lclevy/firepwd
author: frack113, X__Junior (Nextron Systems)
date: 2022-04-09
modified: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
- detection.threat-hunting
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection_ie:
FileName|endswith: '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
selection_firefox:
FileName|endswith:
- '\cookies.sqlite'
- '\places.sqlite'
- 'release\key3.db' # Firefox
- 'release\key4.db' # Firefox
- 'release\logins.json' # Firefox
selection_chromium:
FileName|contains:
- '\User Data\Default\Login Data'
- '\User Data\Local State'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
level: low
Convert to SIEM query
low
Access To Browser Credential Files By Uncommon Applications - Security
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
view Sigma YAML
title: Access To Browser Credential Files By Uncommon Applications - Security
id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
related:
- id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
type: similar
status: test
description: |
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
references:
- https://ipurple.team/2024/09/10/browser-stored-credentials/
author: Daniel Koifman (@Koifsec), Nasreddine Bencherchali
date: 2024-10-21
tags:
- attack.credential-access
- attack.t1555.003
- detection.threat-hunting
logsource:
product: windows
service: security
definition: 'Requirements: Audit File System subcategory must be enabled. Additionally, each listed ObjectName must have "List folder/read data" auditing enabled.'
detection:
selection_eid:
EventID: 4663
ObjectType: 'File'
# Note: This AccessMask requires enhancements. As this access can be combined with other requests. It should include all possible outcomes where READ access and similar are part of it.
AccessMask: '0x1'
selection_browser_chromium:
ObjectName|contains:
- '\User Data\Default\Login Data'
- '\User Data\Local State'
- '\User Data\Default\Network\Cookies'
selection_browser_firefox:
FileName|endswith:
- '\cookies.sqlite'
- '\places.sqlite'
- 'release\key3.db' # Firefox
- 'release\key4.db' # Firefox
- 'release\logins.json' # Firefox
filter_main_system:
ProcessName: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
ProcessName|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
ProcessName|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
ProcessName|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection_eid and 1 of selection_browser_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Access To Chromium Browsers Sensitive Files By Uncommon Applications
Detects file access requests to chromium based browser sensitive files by uncommon processes.
Could indicate potential attempt of stealing sensitive information.
view Sigma YAML
title: Access To Chromium Browsers Sensitive Files By Uncommon Applications
id: c5f37810-a85f-4186-81e9-33f23abb4141
status: test
description: |
Detects file access requests to chromium based browser sensitive files by uncommon processes.
Could indicate potential attempt of stealing sensitive information.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
- detection.threat-hunting
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|contains:
- '\User Data\Default\Cookies'
- '\User Data\Default\History'
- '\User Data\Default\Network\Cookies'
- '\User Data\Default\Web Data'
filter_main_system:
Image: System
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
level: low
Convert to SIEM query
low
Access To Windows Outlook Mail Files By Uncommon Applications
Detects file access requests to Windows Outlook Mail by uncommon processes.
Could indicate potential attempt of credential stealing.
Requires heavy baselining before usage
view Sigma YAML
title: Access To Windows Outlook Mail Files By Uncommon Applications
id: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
status: test
description: |
Detects file access requests to Windows Outlook Mail by uncommon processes.
Could indicate potential attempt of credential stealing.
Requires heavy baselining before usage
references:
- https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
- https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
author: frack113
date: 2024-05-10
modified: 2024-07-29
tags:
- attack.stealth
- attack.t1070.008
- detection.threat-hunting
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection_unistore:
FileName|contains: '\AppData\Local\Comms\Unistore\data'
selection_unistoredb:
FileName|endswith: '\AppData\Local\Comms\UnistoreDB\store.vol'
filter_main_system:
Image: 'System'
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
filter_optional_thor:
Image|endswith:
- '\thor64.exe'
- '\thor.exe'
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Backup software
- Legitimate software installed on partitions other than "C:\"
- Searching software such as "everything.exe"
# Note: Increase after initial baseline
level: low
Convert to SIEM query
low
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
view Sigma YAML
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-CertificationAuthority'
EventID: 53
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
view Sigma YAML
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Get-AdComputer '
selection_option:
ScriptBlockText|contains:
- '-Filter '
- '-LDAPFilter '
- '-Properties '
condition: all of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Active Directory Group Enumeration With Get-AdGroup
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
view Sigma YAML
title: Active Directory Group Enumeration With Get-AdGroup
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: test
description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022-03-17
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1069.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-AdGroup '
- '-Filter'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
view Sigma YAML
title: Add or Remove Computer from DC
id: 20d96d95-5a20-4cf1-a483-f3bda8a7c037
status: test
description: Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
references:
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
author: frack113
date: 2022-10-14
tags:
- attack.defense-impairment
- attack.t1207
logsource:
service: security
product: windows
detection:
selection:
EventID:
- 4741
- 4743
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Admin User Remote Logon
Detect remote login by Administrator user (depending on internal pattern).
view Sigma YAML
title: Admin User Remote Logon
id: 0f63e1ef-1eb9-4226-9d54-8927ca08520a
status: test
description: Detect remote login by Administrator user (depending on internal pattern).
references:
- https://car.mitre.org/wiki/CAR-2016-04-005
author: juju4
date: 2017-10-29
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.lateral-movement
- attack.initial-access
- attack.stealth
- attack.t1078.001
- attack.t1078.002
- attack.t1078.003
- car.2016-04-005
logsource:
product: windows
service: security
definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
selection:
EventID: 4624
LogonType: 10
AuthenticationPackageName: Negotiate
TargetUserName|startswith: 'Admin'
condition: selection
falsepositives:
- Legitimate administrative activity.
level: low
Convert to SIEM query
low
Amsi.DLL Load By Uncommon Process
Detects loading of Amsi.dll by uncommon processes
view Sigma YAML
title: Amsi.DLL Load By Uncommon Process
id: facd1549-e416-48e0-b8c4-41d7215eedc8
status: test
description: Detects loading of Amsi.dll by uncommon processes
references:
- https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9
- https://github.com/TheD1rkMtr/AMSI_patch
- https://github.com/surya-dev-singh/AmsiBypass-OpenSession
author: frack113
date: 2023-03-12
modified: 2025-02-24
tags:
- attack.impact
- attack.t1490
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\amsi.dll'
filter_main_exact:
Image|endswith:
- ':\Windows\explorer.exe'
- ':\Windows\Sysmon64.exe'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
filter_optional_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_dotnet:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\ngentask.exe'
filter_main_null:
Image: null
filter_main_empty:
Image: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate third party apps installed in "ProgramData" and "AppData" might generate some false positives. Apply additional filters accordingly
level: low
Convert to SIEM query
low
Application Uninstalled
An application has been removed. Check if it is critical.
view Sigma YAML
title: Application Uninstalled
id: 570ae5ec-33dc-427c-b815-db86228ad43e
status: test
description: An application has been removed. Check if it is critical.
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
- https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
author: frack113
date: 2022-01-28
modified: 2022-09-17
tags:
- attack.impact
- attack.t1489
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'MsiInstaller'
EventID:
- 1034 # Windows Installer removed the product
- 11724 # Product Removal Successful
condition: selection
falsepositives:
- Unknown
# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
level: low
Convert to SIEM query
low
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
view Sigma YAML
title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
status: test
description: Detects attempts to record audio using the arecord and ecasound utilities.
references:
- https://linux.die.net/man/1/arecord
- https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
- https://manpages.debian.org/unstable/ecasound/ecasound.1.en.html
- https://ecasound.seul.org/ecasound/Documentation/examples.html#fconversions
author: Pawel Mazur, Milad Cheraghi
date: 2021-09-04
modified: 2025-12-05
tags:
- attack.collection
- attack.t1123
logsource:
product: linux
service: auditd
detection:
selection_execve:
type: EXECVE
a0: arecord
a1: '-vv'
a2: '-fdat'
selection_syscall_memfd_create:
type: SYSCALL
exe|endswith: "/ecasound"
SYSCALL: 'memfd_create'
condition: 1 of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Authentication Occuring Outside Normal Business Hours
Detects user signs ins outside of normal business hours.
view Sigma YAML
title: Authentication Occuring Outside Normal Business Hours
id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
status: test
description: Detects user signs ins outside of normal business hours.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
modified: 2023-12-15
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: Sucess
# Countries you DO operate out of e,g GB, use list for mulitple
Location|expand: '%LegitCountries%'
# outside normal working hours
Date|expand: '%ClosingTime%'
condition: selection
falsepositives:
- User doing actual work outside of normal business hours.
level: low
Convert to SIEM query
low
Automated Collection Bookmarks Using Get-ChildItem PowerShell
Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
view Sigma YAML
title: Automated Collection Bookmarks Using Get-ChildItem PowerShell
id: e0565f5d-d420-4e02-8a68-ac00d864f9cf
status: test
description: |
Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
author: frack113
date: 2021-12-13
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1217
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ChildItem'
- ' -Recurse '
- ' -Path '
- ' -Filter Bookmarks'
- ' -ErrorAction SilentlyContinue'
- ' -Force'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Azure AD Only Single Factor Authentication Required
Detect when users are authenticating without MFA being required.
view Sigma YAML
title: Azure AD Only Single Factor Authentication Required
id: 28eea407-28d7-4e42-b0be-575d5ba60b2c
status: test
description: Detect when users are authenticating without MFA being required.
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.defense-impairment
- attack.t1078.004
- attack.t1556.006
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
AuthenticationRequirement: 'singleFactorAuthentication'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: low
Convert to SIEM query
low
Azure Container Registry Created or Deleted
Detects when a Container Registry is created or deleted.
view Sigma YAML
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: test
description: Detects when a Container Registry is created or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
condition: selection
falsepositives:
- Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
Azure Kubernetes Cluster Created or Deleted
Detects when a Azure Kubernetes Cluster is created or deleted.
view Sigma YAML
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
author: Austin Songer @austinsonger
date: 2021-08-07
modified: 2022-08-23
tags:
- attack.impact
- attack.t1485
- attack.t1496
- attack.t1489
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low
Convert to SIEM query
low
Azure Sign-In With Axios User Agent
Detects sign-in attempts in Azure/Entra ID logs where the user agent contains "axios",
indicating potential use of automated credential harvesting or AiTM phishing infrastructure.
Axios is a Node.js HTTP client abused to intercept and replay stolen credentials and MFA tokens.
When triaging results, analysts should:
- Check the sign-in risk level, MFA status, and conditional access results for signs of bypass.
- Look for sign-ins from unusual locations or IPs, especially if the same IP targets multiple accounts.
- Prioritize successful sign-ins over failed ones, as they may indicate a completed credential replay or AiTM attack.
view Sigma YAML
title: Azure Sign-In With Axios User Agent
id: ea1a07f0-3dac-47a2-aeb4-86f5379ba2b4
status: experimental
description: |
Detects sign-in attempts in Azure/Entra ID logs where the user agent contains "axios",
indicating potential use of automated credential harvesting or AiTM phishing infrastructure.
Axios is a Node.js HTTP client abused to intercept and replay stolen credentials and MFA tokens.
When triaging results, analysts should:
- Check the sign-in risk level, MFA status, and conditional access results for signs of bypass.
- Look for sign-ins from unusual locations or IPs, especially if the same IP targets multiple accounts.
- Prioritize successful sign-ins over failed ones, as they may indicate a completed credential replay or AiTM attack.
references:
- https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
- https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-04-28
tags:
- attack.credential-access
- attack.collection
- attack.t1557
- detection.threat-hunting
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'axios'
condition: selection
falsepositives:
- Legitimate internal or third-party applications built with Node.js that use Axios as their HTTP client for authenticating against Azure/Entra ID.
level: low
Convert to SIEM query
low
BITS Client BitsProxy DLL Loaded By Uncommon Process
Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
view Sigma YAML
title: BITS Client BitsProxy DLL Loaded By Uncommon Process
id: e700ff14-1bff-4d1d-9438-738dff5f0466
status: experimental
description: |
Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
This detection can be used to hunt for uncommon processes loading this DLL in your environment. Which may indicate potential suspicious activity occurring.
references:
- https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/
author: UnicornOfHunt
date: 2025-06-04
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\BitsProxy.dll'
filter_main_system:
Image:
- 'C:\Windows\System32\aitstatic.exe'
- 'C:\Windows\System32\bitsadmin.exe'
- 'C:\Windows\System32\desktopimgdownldr.exe'
- 'C:\Windows\System32\DeviceEnroller.exe'
- 'C:\Windows\System32\MDMAppInstaller.exe'
- 'C:\Windows\System32\ofdeploy.exe'
- 'C:\Windows\System32\RecoveryDrive.exe'
- 'C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe'
# - 'C:\Windows\System32\svchost.exe' # BITS Service - If you collect CommandLine info. Apply a filter for the specific BITS service.
- 'C:\Windows\SysWOW64\bitsadmin.exe'
- 'C:\Windows\SysWOW64\OneDriveSetup.exe'
- 'C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe'
filter_optional_chrome:
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Allowed binaries in the environment that do BITS Jobs
level: low
Convert to SIEM query
low
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
view Sigma YAML
title: Bash Interactive Shell
id: 6104e693-a7d6-4891-86cb-49a258523559
status: test
description: Detects execution of the bash shell with the interactive flag "-i".
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
- https://linux.die.net/man/1/bash
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/bash'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE".
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
This is a rarely used application and usage of it at all is worth investigating.
Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
view Sigma YAML
title: BitLockerTogo.EXE Execution
id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
status: test
description: |
Detects the execution of "BitLockerToGo.EXE".
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
This is a rarely used application and usage of it at all is worth investigating.
Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
references:
- https://tria.ge/240521-ynezpagf56/behavioral1
- https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
- https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
- https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
author: Josh Nickels, mttaggart
date: 2024-07-11
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\BitLockerToGo.exe'
condition: selection
falsepositives:
- Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
level: low
Convert to SIEM query
low
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
view Sigma YAML
title: Bitbucket Project Secret Scanning Allowlist Added
id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
status: test
description: Detects when a secret scanning allowlist rule is added for projects.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Projects'
auditType.action: 'Project secret scanning allowlist rule added'
condition: selection
falsepositives:
- Legitimate user activity.
level: low
Convert to SIEM query
low
Bitbucket Secret Scanning Rule Deleted
Detects when secret scanning rule is deleted for the project or repository.
view Sigma YAML
title: Bitbucket Secret Scanning Rule Deleted
id: ff91e3f0-ad15-459f-9a85-1556390c138d
status: test
description: Detects when secret scanning rule is deleted for the project or repository.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
selection:
auditType.category:
- 'Projects'
- 'Repositories'
auditType.action:
- 'Project secret scanning rule deleted'
- 'Repository secret scanning rule deleted'
condition: selection
falsepositives:
- Legitimate user activity.
level: low
Convert to SIEM query
low
Browser Execution In Headless Mode
Detects execution of Chromium based browser in headless mode
view Sigma YAML
title: Browser Execution In Headless Mode
id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
related:
- id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
type: derived
status: test
description: Detects execution of Chromium based browser in headless mode
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-12
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains: '--headless'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
view Sigma YAML
title: CMD Shell Output Redirect
id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: similar
status: test
description: |
Detects the use of the redirection character ">" to redirect information on the command line.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
- https://ss64.com/nt/syntax-redirection.html
author: frack113
date: 2022-01-22
modified: 2024-03-19
tags:
- attack.discovery
- attack.t1082
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains: '>'
filter_optional_idm_extension:
CommandLine|contains:
- 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe'
- 'chrome-extension://'
- '\\.\pipe\chrome.nativeMessaging'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment
level: low
Convert to SIEM query
low
CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
view Sigma YAML
title: CVE-2023-40477 Potential Exploitation - .REV File Creation
id: c3bd6c55-d495-4c34-918e-e03e8828c074
status: test
description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
references:
- https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
- https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
- https://www.rarlab.com/vuln_rev3_names.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
- attack.execution
- cve.2023-40477
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\explorer.exe' # When extracted via context menu
- '\WinRAR.exe'
TargetFilename|endswith: '.rev'
condition: selection
falsepositives:
- Legitimate extraction of multipart or recovery volumes ZIP files
level: low
Convert to SIEM query
low
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
view Sigma YAML
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
- https://github.com/carlospolop/PEASS-ng
- https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/getcap'
CommandLine|contains: ' -r '
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Change Default File Association Via Assoc
Detects file association changes using the builtin "assoc" command.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
view Sigma YAML
title: Change Default File Association Via Assoc
id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
related:
- id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
type: similar
status: test
description: |
Detects file association changes using the builtin "assoc" command.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-03-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains: 'assoc'
condition: all of selection_*
falsepositives:
- Admin activity
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_assoc_execution/info.yml
Convert to SIEM query
low
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
view Sigma YAML
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: cisco
service: bgp
definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
keywords_bgp_cisco:
'|all':
- ':179' # Protocol
- 'IP-TCP-3-BADAUTH'
condition: keywords_bgp_cisco
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
Convert to SIEM query
low
Cisco Collect Data
Collect pertinent data from the configuration files
view Sigma YAML
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
- https://blog.router-switch.com/2013/11/show-running-config/
- https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
- attack.discovery
- attack.credential-access
- attack.collection
- attack.t1087.001
- attack.t1552.001
- attack.t1005
logsource:
product: cisco
service: aaa
detection:
keywords:
- 'show running-config'
- 'show startup-config'
- 'show archive config'
- 'more'
condition: keywords
falsepositives:
- Commonly run by administrators
level: low
Convert to SIEM query
Showing 1-50 of 341