SOAR
Panther
3,750 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 3,750
high
Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
view Sigma YAML
title: Peach Sandstorm APT Process Activity Indicators
id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
status: test
description: Detects process creation activity related to Peach Sandstorm APT
references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
- https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
date: 2024-01-15
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'QP''s\*(58vaP!tF4'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Persistence Via Hhctrl.ocx
Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
view Sigma YAML
title: Persistence Via Hhctrl.ocx
id: f10ed525-97fe-4fed-be7c-2feecca941b1
status: test
description: Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary
references:
- https://persistence-info.github.io/Data/hhctrl.html
- https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)'
filter:
Details: 'C:\Windows\System32\hhctrl.ocx'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Persistence and Execution at Scale via GPO Scheduled Task
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
view Sigma YAML
title: Persistence and Execution at Scale via GPO Scheduled Task
id: a8f29a7b-b137-4446-80a0-b804272f3da2
status: test
description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
references:
- https://twitter.com/menasec1/status/1106899890377052160
- https://www.secureworks.com/blog/ransomware-as-a-distraction
- https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-09-04
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.lateral-movement
- attack.t1053.005
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection_5136:
EventID: 5136
AttributeLDAPDisplayName:
- 'gPCMachineExtensionNames'
- 'gPCUserExtensionNames'
AttributeValue|contains:
- 'CAB54552-DEEA-4691-817E-ED4A4D1AFC72'
- 'AADCED64-746C-4633-A97C-D61349046527'
selection_5145:
EventID: 5145
ShareName|endswith: '\SYSVOL' # looking for the string \\*\SYSVOL
RelativeTargetName|endswith: 'ScheduledTasks.xml'
AccessList|contains:
- 'WriteData'
- '%%4417'
condition: 1 of selection_*
falsepositives:
- If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduled tasks.
level: high
Convert to SIEM query
high
PetitPotam Suspicious Kerberos TGT Request
Detect suspicious Kerberos TGT requests.
Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment.
This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
view Sigma YAML
title: PetitPotam Suspicious Kerberos TGT Request
id: 6a53d871-682d-40b6-83e0-b7c1a6c4e3a5
status: test
description: |
Detect suspicious Kerberos TGT requests.
Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment.
This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
references:
- https://github.com/topotam/PetitPotam
- https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/
- https://github.com/splunk/security_content/blob/88d689fe8a055d8284337b9fad5d9152b42043db/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-10-05
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Account Logon > Kerberos Authentication Service" must be configured for Success/Failure'
detection:
selection:
EventID: 4768
TargetUserName|endswith: '$'
CertThumbprint|contains: '*'
filter_local:
IpAddress: '::1'
filter_thumbprint:
CertThumbprint: ''
condition: selection and not 1 of filter_*
falsepositives:
- False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts.
level: high
Convert to SIEM query
high
Phishing Pattern ISO in Archive
Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
view Sigma YAML
title: Phishing Pattern ISO in Archive
id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
status: test
description: Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
references:
- https://twitter.com/1ZRR4H/status/1534259727059787783
- https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
author: Florian Roth (Nextron Systems)
date: 2022-06-07
tags:
- attack.initial-access
- attack.t1566
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\Winrar.exe'
- '\7zFM.exe'
- '\peazip.exe'
Image|endswith:
- '\isoburn.exe'
- '\PowerISO.exe'
- '\ImgBurn.exe'
condition: selection
falsepositives:
- Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
level: high
Convert to SIEM query
high
Pikabot Fake DLL Extension Execution Via Rundll32.EXE
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
view Sigma YAML
title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
status: test
description: |
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
references:
- https://github.com/pr0xylife/Pikabot
- https://tria.ge/231004-tp8k6sch9t/behavioral2
- https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior
- https://tria.ge/231212-r1bpgaefar/behavioral2
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-26
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- ':\ProgramData\'
- ':\Users\Public\'
- ':\Windows\Installer\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
filter_main_known_extension:
- CommandLine|contains:
- '.cpl '
- '.cpl,'
- '.dll '
- '.dll,'
- '.inf '
- '.inf,'
- CommandLine|endswith:
- '.cpl'
- '.cpl"'
- '.dll'
- '.dll"'
- '.inf'
- '.inf"'
- ".cpl'"
- ".dll'"
- ".inf'"
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Ping Hex IP
Detects a ping command that uses a hex encoded IP address
view Sigma YAML
title: Ping Hex IP
id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
status: test
description: Detects a ping command that uses a hex encoded IP address
references:
- https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth (Nextron Systems)
date: 2018-03-23
modified: 2025-10-17
tags:
- attack.stealth
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ping.exe'
CommandLine|re: '0x[a-fA-F0-9]{8}'
condition: selection
falsepositives:
- Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high
Convert to SIEM query
high
Pingback Backdoor Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
view Sigma YAML
title: Pingback Backdoor Activity
id: b2400ffb-7680-47c0-b08a-098a7de7e7a9
related:
- id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
type: similar
- id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 # File Indicators
type: similar
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\updata.exe'
CommandLine|contains|all:
- 'config'
- 'msdtc'
- 'start'
- 'auto'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Pingback Backdoor DLL Loading Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
view Sigma YAML
title: Pingback Backdoor DLL Loading Activity
id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b
related:
- id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # File indicators
type: similar
- id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
type: similar
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\msdtc.exe'
ImageLoaded: 'C:\Windows\oci.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Pingback Backdoor File Indicators
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
view Sigma YAML
title: Pingback Backdoor File Indicators
id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78
related:
- id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b # DLL Load
type: similar
- id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
type: similar
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
- https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
author: Bhabesh Raj
date: 2021-05-05
modified: 2023-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: 'updata.exe'
TargetFilename: 'C:\Windows\oci.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Possible CVE-2021-1675 Print Spooler Exploitation
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
view Sigma YAML
title: Possible CVE-2021-1675 Print Spooler Exploitation
id: 4e64668a-4da1-49f5-a8df-9e2d5b866718
status: test
description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
references:
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
- https://twitter.com/fuzzyf10w/status/1410202370835898371
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w, Tim Shelton
date: 2021-06-30
modified: 2022-11-15
tags:
- attack.execution
- attack.t1569
- cve.2021-1675
- detection.emerging-threats
logsource:
product: windows
service: printservice-admin
detection:
selection:
EventID: 808
ErrorCode:
- '0x45A'
- '0x7e'
keywords:
- 'The print spooler failed to load a plug-in module'
# default file names used in PoC codes
- 'MyExploit.dll'
- 'evil.dll'
- '\addCube.dll'
- '\rev.dll'
- '\rev2.dll'
- '\main64.dll'
- '\mimilib.dll'
- '\mimispool.dll'
falsepositive:
- ' registration timed out' # ex: The print spooler failed to load a plug-in module PrintConfig registration timed out
condition: (selection or keywords) and not falsepositive
falsepositives:
- Problems with printer drivers
level: high
Convert to SIEM query
high
Possible DCSync Attack
Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
view Sigma YAML
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
status: test
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1033
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes, enable DRSR UUID (e3514235-4b06-11d1-ab04-00c04fc2dcd2) for "dangerous" opcodes (not 0,1 or 12) only from trusted IPs (DCs)'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
filter:
OpNum:
- 0
- 1
- 12
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Possible Exploitation of Exchange RCE CVE-2021-42321
Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
view Sigma YAML
title: Possible Exploitation of Exchange RCE CVE-2021-42321
id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
status: test
description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
author: 'Florian Roth (Nextron Systems), @testanull'
date: 2021-11-18
modified: 2022-07-12
tags:
- attack.lateral-movement
- attack.t1210
- detection.emerging-threats
logsource:
product: windows
service: msexchange-management
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID:
- 6
- 8
Data|contains:
- 'Cmdlet failed. Cmdlet Get-App, '
- 'Task Get-App throwing unhandled exception: System.InvalidCastException:'
condition: selection
falsepositives:
- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
level: high
Convert to SIEM query
high
Possible Impacket SecretDump Remote Activity
Detect AD credential dumping using impacket secretdump HKTL
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detect AD credential dumping using impacket secretdump HKTL
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Possible Impacket SecretDump Remote Activity - Zeek
Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
view Sigma YAML
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\'
- 'ADMIN$'
name|contains: 'SYSTEM32\'
name|endswith: '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Possible PetitPotam Coerce Authentication Attempt
Detect PetitPotam coerced authentication activity.
view Sigma YAML
title: Possible PetitPotam Coerce Authentication Attempt
id: 1ce8c8a3-2723-48ed-8246-906ac91061a6
status: test
description: Detect PetitPotam coerced authentication activity.
references:
- https://github.com/topotam/PetitPotam
- https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
author: Mauricio Velazco, Michael Haag
date: 2021-09-02
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1187
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName|startswith: '\\\\' # looking for the string \\somethink\IPC$
ShareName|endswith: '\IPC$'
RelativeTargetName: lsarpc
SubjectUserName: ANONYMOUS LOGON
condition: selection
falsepositives:
- Unknown. Feedback welcomed.
level: high
Convert to SIEM query
high
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
view Sigma YAML
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
scbynonadmin:
Image|endswith: '\sc.exe'
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
selection_binpath:
CommandLine|contains|all:
- 'config'
- 'binPath'
selection_failure:
CommandLine|contains|all:
- 'failure'
- 'command'
condition: scbynonadmin and 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
view Sigma YAML
title: Possible Shadow Credentials Added
id: f598ea0c-c25a-4f72-a219-50c44411c791
status: test
description: Detects possible addition of shadow credentials to an active directory object.
references:
- https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html
- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/
- https://twitter.com/SBousseaden/status/1581300963650187264?
author: Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-17
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: windows
service: security
definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
selection:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-KeyCredentialLink'
# If you experience a lot of FP you could uncomment the selection below
# There could be other cases for other tooling add them accordingly
# AttributeValue|contains: 'B:828'
# OperationType: '%%14674' # Value Added
# As stated in the FP sections it's better to filter out the expected accounts that perform this operation to tighten the logic
# Uncomment the filter below and add the account name (or any other specific field) accordingly
# Don't forget to add it to the condition section below
# filter:
# SubjectUserName: "%name%"
condition: selection
falsepositives:
- Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)
level: high
Convert to SIEM query
high
Potential ACTINIUM Persistence Activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
view Sigma YAML
title: Potential ACTINIUM Persistence Activity
id: e1118a8f-82f5-44b3-bb6b-8a284e5df602
status: test
description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
references:
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
author: Andreas Hunkeler (@Karneades)
date: 2022-02-07
modified: 2023-03-18
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'schtasks'
- 'create'
- 'wscript'
- ' /e:vbscript'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
view Sigma YAML
title: Potential AMSI Bypass Via .NET Reflection
id: 30edb182-aa75-42c0-b0a9-e998bb29067c
related:
- id: 4f927692-68b5-4267-871b-073c45f4f6fe
type: obsolete
status: test
description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
references:
- https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
author: Markus Neis, @Kostastsale
date: 2018-08-17
modified: 2023-02-03
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'System.Management.Automation.AmsiUtils'
- 'amsiInitFailed'
- CommandLine|contains|all:
- '[Ref].Assembly.GetType'
- 'SetValue($null,$true)'
- 'NonPublic,Static'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential AMSI COM Server Hijacking
Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
view Sigma YAML
title: Potential AMSI COM Server Hijacking
id: 160d2780-31f7-4922-8b3a-efce30e63e96
status: test
description: Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
references:
- https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\(Default)'
filter:
Details: '%windir%\system32\amsi.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential APT FIN7 POWERHOLD Execution
Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
view Sigma YAML
title: Potential APT FIN7 POWERHOLD Execution
id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
status: test
description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.t1059.001
- attack.g0046
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- '$env:APPDATA'
- 'function MainPayload'
- '::WriteAllBytes'
- 'wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
view Sigma YAML
title: Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
id: 911389c7-5ae3-43ea-bab3-a947ebdeb85e
status: test
description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '-noni -nop -exe bypass -f \\\\'
- 'ADMIN$'
selection_2:
CommandLine|contains|all:
- '-ex bypass -noprof -nolog -nonint -f'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential APT FIN7 Related PowerShell Script Created
Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
view Sigma YAML
title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- attack.g0046
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|endswith: '_64refl.ps1'
- TargetFilename: 'host_ip.ps1'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
view Sigma YAML
title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: test
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- attack.execution
- attack.g0129
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- 'copy SolidPDFCreator.dll'
- 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
selection_2:
CommandLine|contains|all:
- 'reg '
- '\Windows\CurrentVersion\Run'
- 'SolidPDF'
- 'C:\Users\Public\Libraries\PhotoTvRHD\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
view Sigma YAML
title: Potential APT10 Cloud Hopper Activity
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
references:
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
date: 2017-04-07
modified: 2023-03-08
tags:
- attack.execution
- attack.g0045
- attack.t1059.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cscript:
Image|endswith: '\cscript.exe'
CommandLine|contains: '.vbs /shell '
selection_csvde:
CommandLine|contains|all:
- 'csvde -f C:\windows\web\'
- '.log'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
view Sigma YAML
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
- attack.execution
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high
Convert to SIEM query
high
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
view Sigma YAML
title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
- https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith: '\node.exe'
CommandLine|contains:
- ' -e '
- ' --eval '
# Add more pattern of abuse as actions
selection_action_reverse_shell:
CommandLine|contains|all:
- '.exec('
- 'net.socket'
- '.connect'
- 'child_process'
condition: selection_main and 1 of selection_action_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Potential Arbitrary Command Execution Using Msdt.EXE
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
status: test
description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://twitter.com/_JohnHammond/status/1531672601067675648
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-29
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
selection_cmd_inline:
CommandLine|contains: 'IT_BrowseForFile='
selection_cmd_answerfile_flag:
CommandLine|contains: ' PCWDiagnostic'
selection_cmd_answerfile_param:
CommandLine|contains|windash: ' -af '
condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
view Sigma YAML
title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
- id: 0c79148b-118e-472b-bdb7-9b57b444cc19
type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
view Sigma YAML
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
author: Bhabesh Raj
date: 2021-09-08
modified: 2023-02-13
tags:
- attack.initial-access
- attack.execution
- attack.t1190
- attack.t1059
- cve.2021-26084
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Monitor suspicious child processes spawned by Confluence
ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
CommandLine|contains:
- 'certutil'
- 'cmd /c'
- 'cmd /k'
- 'cscript'
- 'curl'
- 'ipconfig'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'whoami'
- 'wscript'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
selection_value_default_file_type_rsik:
TargetObject|endswith: '\DefaultFileTypeRisk'
Details: 'DWORD (0x00006152)'
selection_value_low_risk_filetypes:
TargetObject|endswith: '\LowRiskFileTypes'
Details|contains: # Add more as you see fit
- '.zip;'
- '.rar;'
- '.exe;'
- '.bat;'
- '.com;'
- '.cmd;'
- '.reg;'
- '.msi;'
- '.htm;'
- '.html;'
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Attachments Tamper
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: test
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
selection_value_hide_zone_info:
TargetObject|endswith: '\HideZoneInfoOnProperties'
Details: 'DWORD (0x00000001)' # On
selection_value_save_zone_info:
TargetObject|endswith: '\SaveZoneInformation'
Details: 'DWORD (0x00000002)' # Off
selection_value_scan_with_av:
TargetObject|endswith: '\ScanWithAntiVirus'
Details: 'DWORD (0x00000001)' # Disabled
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
view Sigma YAML
title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
related:
- id: d7b81144-b866-48a4-9bcc-275dc69d870e
type: similar
status: test
description: |
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\Control\WMI\Autologger\'
selection_values:
TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
- '\EventLog-'
- '\Defender'
TargetObject|endswith:
- '\Enabled'
- '\Start'
Details: DWORD (0x00000000)
filter_main_wevtutil:
Image: 'C:\Windows\system32\wevtutil.exe'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
TargetObject|contains:
- '\DefenderApiLogger\'
- '\DefenderAuditLogger\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Convert to SIEM query
high
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
view Sigma YAML
title: Potential Baby Shark Malware Activity
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
status: test
description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
date: 2019-02-24
modified: 2023-03-08
tags:
- attack.execution
- attack.discovery
- attack.stealth
- attack.t1012
- attack.t1059.003
- attack.t1059.001
- attack.t1218.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'powershell.exe mshta.exe http'
- '.hta'
- CommandLine|contains:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'cmd.exe /c taskkill /im cmd.exe'
- "(New-Object System.Net.WebClient).UploadFile('http"
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
view Sigma YAML
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
view Sigma YAML
title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
date: 2019-05-22
modified: 2023-01-26
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1053.005
- car.2013-08-001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- '/change'
- '/TN'
- '/RU'
- '/RP'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
view Sigma YAML
title: Potential BlackByte Ransomware Activity
id: 999e8307-a775-4d5f-addc-4855632335be
status: test
description: Detects command line patterns used by BlackByte ransomware in different operations
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-02-08
tags:
- attack.execution
- attack.impact
- attack.stealth
- attack.t1485
- attack.t1498
- attack.t1059.001
- attack.t1140
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|startswith: 'C:\Users\Public\'
CommandLine|contains: ' -single '
selection_2:
CommandLine|contains:
- 'del C:\Windows\System32\Taskmgr.exe'
- ';Set-Service -StartupType Disabled $'
- 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
- ' do start wordpad.exe /p '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on action seen used by bumblebee
view Sigma YAML
title: Potential Bumblebee Remote Thread Creation
id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
status: test
description: Detects remote thread injection events based on action seen used by bumblebee
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\wabmig.exe'
- '\wab.exe'
- '\ImagingDevices.exe'
TargetImage|endswith: '\rundll32.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Creation
id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
status: test
description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: test
description: |
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
view Sigma YAML
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename: 'C:\users\public\Documents\dllhost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
view Sigma YAML
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: test
description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
- '\ProfileImagePath'
Details|contains:
- 'ANONYMOUS'
- '_DomainUser_'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
view Sigma YAML
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: test
description: |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
author: Luca Di Bartolomeo
date: 2024-06-22
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-26084 Exploitation Attempt
Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
view Sigma YAML
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
status: test
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
references:
- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
author: Sittikorn S, Nuttakorn T
date: 2022-12-13
modified: 2023-03-24
tags:
- attack.initial-access
- attack.t1190
- cve.2021-26084
- detection.emerging-threats
logsource:
category: webserver
definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
detection:
selection_main:
cs-method: 'POST'
sc-status: 200
cs-username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
selection_exploit_1:
cs-uri-query|contains|all:
- '/pages/createpage-entervariables.action'
- 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
selection_exploit_2_uri:
cs-uri-query|contains: '/doenterpagevariables.action'
selection_exploit_2_keyword:
- 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
view Sigma YAML
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2023-02-07
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
view Sigma YAML
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: Florian Roth (Nextron Systems), @neonprimetime
date: 2021-09-08
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059
- cve.2021-40444
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith:
- '\winword.exe'
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
view Sigma YAML
title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
references:
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://twitter.com/TheDFIRReport/status/1482078434327244805
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
- attack.initial-access
- attack.t1190
- cve.2021-44228
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_TomcatService.exe'
filter_main_shells:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential CVE-2022-21587 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
view Sigma YAML
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
- https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis
- https://github.com/hieuminhnv/CVE-2022-21587-POC
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
author: Isa Almannaei
date: 2023-02-13
tags:
- attack.initial-access
- attack.t1190
- cve.2022-21587
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|contains:
- '/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE'
- '/OA_HTML/BneUploaderService?bne:uueupload=TRUE'
- '/OA_HTML/BneDownloadService?bne:uueupload=TRUE'
- '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE'
condition: selection
falsepositives:
- Vulnerability Scanners
level: high
Convert to SIEM query
high
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
view Sigma YAML
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
- https://twitter.com/cyb3rops/status/1514217991034097664
- https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1569.002
- cve.2022-26809
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\System32\svchost.exe'
ParentCommandLine|contains: '-k RPCSS'
condition: selection
falsepositives:
- Unknown
- Some cases in which the service spawned a werfault.exe process
level: high
Convert to SIEM query
Showing 951-1000 of 3,750