Tool
SIEM
Sigma (generic) detection rules
174 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
24 shown of 174
critical
Moderate
Medium FP
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
- id: f356a9c4-effd-4608-bbf8-408afd5cd006
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.t1071.004
- attack.command-and-control
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection_eid:
EventID: 3008
selection_query_1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection_query_2:
QueryName|contains: '.stage.123456.'
condition: selection_eid and 1 of selection_query_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
view Sigma YAML
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
- id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
- https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection1:
QueryName|startswith:
- 'aaa.stage.'
- 'post.1'
selection2:
QueryName|contains: '.stage.123456.'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
Suspicious PowerShell Mailbox Export to Share
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
view Sigma YAML
title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'New-MailboxExportRequest'
- ' -Mailbox '
- ' -FilePath \\\\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
view Sigma YAML
title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
- id: 889719ef-dd62-43df-86c3-768fb08dc7c0
type: derived
status: test
description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
- https://youtu.be/5mqid-7zp8k?t=2481
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-MailboxExportRequest'
- ' -Mailbox '
- ' -FilePath \\\\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
view Sigma YAML
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
- id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
- https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://github.com/netero1010/TrustedPath-UACBypass-BOF
- https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'C:\Windows \System32\'
- 'C:\Windows \SysWOW64\'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
view Sigma YAML
title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2025-10-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.g0010
- attack.execution
- attack.t1059.001
- attack.t1053.005
- attack.t1027
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains:
- 'tracert -h 10 yahoo.com'
- '.WSqmCons))|iex;'
- 'Fr`omBa`se6`4Str`ing'
selection_cli_2:
CommandLine|re: 'net\s+use\s+https://docs.live.net'
CommandLine|contains: '@aol.co.uk'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
view Sigma YAML
title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: test
description: Detects automated lateral movement by Turla group
references:
- https://securelist.com/the-epic-turla-operation/65545/
author: Markus Neis
date: 2017-11-07
modified: 2022-10-09
tags:
- attack.g0010
- attack.execution
- attack.t1059
- attack.lateral-movement
- attack.t1021.002
- attack.discovery
- attack.t1083
- attack.t1135
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
view Sigma YAML
title: Turla Group Named Pipes
id: 739915e4-1e70-4778-8b8a-17db02f66db1
status: test
description: Detects a named pipe used by Turla group samples
references:
- Internal Research
author: Markus Neis
date: 2017-11-06
modified: 2021-11-27
tags:
- attack.g0010
- attack.execution
- attack.t1106
- detection.emerging-threats
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName:
- '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\iehelper' # ruag apt case
- '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- '\userpipe' # ruag apt case
# - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Moderate
Low FP
Turla PNG Dropper Service
This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
view Sigma YAML
title: Turla PNG Dropper Service
id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
status: test
description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
references:
- https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
author: Florian Roth (Nextron Systems)
date: 2018-11-23
modified: 2021-11-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.g0010
- attack.t1543.003
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName: 'WerFaultSvc'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Moderate
High FP
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
view Sigma YAML
title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
status: test
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
author: Florian Roth (Nextron Systems)
date: 2021-01-20
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.001
- attack.t1047
- detection.emerging-threats
# - sunburst
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'Invoke-WMIMethod win32_process -name create -argumentlist'
- 'rundll32 c:\windows'
selection_cli_2:
CommandLine|contains|all:
- 'wmic /node:'
- 'process call create "rundll32 c:\windows'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Moderate
High FP
UNC4841 - Potential SEASPY Execution
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
view Sigma YAML
title: UNC4841 - Potential SEASPY Execution
id: f6a711f3-d032-4f9e-890b-bbe776236c84
status: test
description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/BarracudaMailService'
- '/resize2fstab'
- '/resize_reisertab'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Moderate
High FP
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
view Sigma YAML
title: Ursnif Malware C2 URL Pattern
id: 932ac737-33ca-4afd-9869-0d48b391fcc9
status: stable
description: Detects Ursnif C2 traffic.
references:
- https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
author: Thomas Patzke
date: 2019-12-19
modified: 2021-08-09
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1204.002
- attack.command-and-control
- attack.t1071.001
- detection.emerging-threats
logsource:
category: proxy
detection:
b64encoding:
c-uri|contains:
- '_2f'
- '_2b'
urlpatterns:
c-uri|contains|all:
- '.avi'
- '/images/'
condition: b64encoding and urlpatterns
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
WCE wceaux.dll Access
Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
view Sigma YAML
title: WCE wceaux.dll Access
id: 1de68c67-af5c-4097-9c85-fe5578e09e67
status: test
description: Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-14
modified: 2025-01-30
tags:
- attack.credential-access
- attack.t1003
- attack.s0005
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectName|endswith: '\wceaux.dll'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Strong
Medium FP
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
view Sigma YAML
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
- https://twitter.com/cglyer/status/1182389676876980224
- https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\EdgeTransport.exe'
filter_conhost:
Image: 'C:\Windows\System32\conhost.exe'
filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Image|endswith: '\Bin\OleConverter.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
view Sigma YAML
title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1210
- attack.discovery
- attack.t1083
- attack.t1222.001
- attack.impact
- attack.t1486
- attack.t1490
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\tasksche.exe'
- '\mssecsvc.exe'
- '\taskdl.exe'
- '\taskhsvc.exe'
- '\taskse.exe'
- '\111.exe'
- '\lhdfrgui.exe'
# - '\diskpart.exe' # cannot be used in a rule of level critical
- '\linuxnew.exe'
- '\wannacry.exe'
- Image|contains: 'WanaDecryptor'
selection_cmd:
CommandLine|contains: '@[email protected]'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Strong
Low FP
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
view Sigma YAML
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
- Personal Experience of the Author
- https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
-a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
-a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
selection:
type: 'SYSCALL'
SYSCALL:
- 'execve'
- 'execveat'
euid: 33
condition: selection
falsepositives:
- Admin activity
- Crazy web applications
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
view Sigma YAML
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
- https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
- attack.initial-access
- cve.2021-42278
- cve.2021-42287
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
service: security
product: windows
detection:
# Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
selection1:
SamAccountName|startswith: 'SAMTHEADMIN-'
SamAccountName|endswith: '$'
selection2:
TargetUserName|startswith: 'SAMTHEADMIN-'
TargetUserName|endswith: '$'
condition: 1 of selection*
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
High FP
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
view Sigma YAML
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: Services\WCESERVICE\Start
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Strong
Medium FP
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
view Sigma YAML
title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities
references:
- https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- attack.g0044
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
ParentImage|contains:
- 'C:\Windows\Temp'
- '\hpqhvind.exe'
Image|startswith: 'C:\ProgramData\DRM'
selection2:
ParentImage|startswith: 'C:\ProgramData\DRM'
Image|endswith: '\wmplayer.exe'
selection3:
ParentImage|endswith: '\Test.exe'
Image|endswith: '\wmplayer.exe'
selection4:
Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
selection5:
ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
Image|endswith: '\SearchFilterHost.exe'
condition: 1 of selection*
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Strong
Medium FP
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
view Sigma YAML
title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: stable
description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
- https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
author: Florian Roth (Nextron Systems), oscd.community
date: 2020-07-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- attack.g0044
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains: 'setup0.exe -p'
selection_2:
CommandLine|contains: 'setup.exe'
CommandLine|endswith:
- '-x:0'
- '-x:1'
- '-x:2'
condition: 1 of selection_*
falsepositives:
- Legitimate setups that use similar flags
level: critical
Convert to SIEM query
critical
Moderate
High FP
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
view Sigma YAML
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
- https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
- https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
- attack.lateral-movement
- attack.execution
- attack.t1047
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
- TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
- TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
view Sigma YAML
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: file_event
detection:
selection:
Image: System
TargetFilename|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: critical
Convert to SIEM query
critical
Moderate
Low FP
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
view Sigma YAML
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
- attack.t1210
- attack.lateral-movement
logsource:
service: system
product: windows
detection:
selection:
EventID:
- 5805
- 5723
keywords:
- kali
- mimikatz
condition: selection and keywords
level: critical
Convert to SIEM query
critical
Moderate
Medium FP
ZxShell Malware
Detects a ZxShell start by the called and well-known function name
view Sigma YAML
title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
status: test
description: Detects a ZxShell start by the called and well-known function name
references:
- https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
- https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2017-07-20
modified: 2021-11-27
tags:
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1218.011
- attack.s0412
- attack.g0001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- 'zxFunction'
- 'RemoteDiskXXXXX'
condition: selection
falsepositives:
- Unlikely
level: critical
Convert to SIEM query
Showing 151-174 of 174