Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 1,715
high
OpenCanary - MSSQL Login Attempt Via SQLAuth
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
view Sigma YAML
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - MSSQL Login Attempt Via Windows Authentication
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
view Sigma YAML
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 9002
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - MySQL Login Attempt
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
view Sigma YAML
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 8001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - NMAP FIN Scan
Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
view Sigma YAML
title: OpenCanary - NMAP FIN Scan
id: eae8c0c8-e5da-450a-9d7d-66aa56cd26b6
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.discovery
- attack.t1046
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5005
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - NMAP NULL Scan
Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
view Sigma YAML
title: OpenCanary - NMAP NULL Scan
id: 68b8547b-107f-43f3-97fb-900a7d63c190
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP NULL Scan
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.discovery
- attack.t1046
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5003
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - NMAP OS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
view Sigma YAML
title: OpenCanary - NMAP OS Scan
id: e8a677fd-248c-4eab-94df-de2f6f645884
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP OS Scan
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.discovery
- attack.t1046
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5002
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - NMAP XMAS Scan
Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
view Sigma YAML
title: OpenCanary - NMAP XMAS Scan
id: d7553d7b-f485-479c-b192-cdac6edd83a4
status: experimental
description: Detects instances where an OpenCanary node has been targeted by a NMAP XMAS Scan
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.discovery
- attack.t1046
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5004
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - NTP Monlist Request
Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
view Sigma YAML
title: OpenCanary - NTP Monlist Request
id: 7cded4b3-f09e-405a-b96f-24248433ba44
status: test
description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.impact
- attack.t1498
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 11001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - RDP New Connection Attempt
Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
view Sigma YAML
title: OpenCanary - RDP New Connection Attempt
id: 598290cf-5932-45cd-9123-be1e05ab4f2e
status: experimental
description: Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
- attack.initial-access
- attack.lateral-movement
- attack.persistence
- attack.t1133
- attack.t1021.001
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 14001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - REDIS Action Command Attempt
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
view Sigma YAML
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.credential-access
- attack.collection
- attack.t1003
- attack.t1213
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 17001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - SIP Request
Detects instances where an SIP service on an OpenCanary node has had a SIP request.
view Sigma YAML
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: test
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.collection
- attack.t1123
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 15001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - SMB File Open Request
Detects instances where an SMB service on an OpenCanary node has had a file open request.
view Sigma YAML
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.lateral-movement
- attack.collection
- attack.t1021
- attack.t1005
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 5000
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
view Sigma YAML
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.discovery
- attack.lateral-movement
- attack.t1016
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 13001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
view Sigma YAML
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.lateral-movement
- attack.persistence
- attack.stealth
- attack.t1133
- attack.t1021
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 4002
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
view Sigma YAML
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.lateral-movement
- attack.persistence
- attack.stealth
- attack.t1133
- attack.t1021
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 4000
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - TFTP Request
Detects instances where a TFTP service on an OpenCanary node has had a request.
view Sigma YAML
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 10001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - Telnet Login Attempt
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
view Sigma YAML
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.command-and-control
- attack.stealth
- attack.t1133
- attack.t1078
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 6001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenCanary - VNC Connection Attempt
Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
view Sigma YAML
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
- https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: application
product: opencanary
detection:
selection:
logtype: 12001
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
OpenWith.exe Executes Specified Binary
The OpenWith.exe executes other binary
view Sigma YAML
title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: test
description: The OpenWith.exe executes other binary
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
- https://twitter.com/harr0ey/status/991670870384021504
author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\OpenWith.exe'
CommandLine|contains: '/c'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
view Sigma YAML
title: Operation Wocao Activity
id: 1cfac73c-be78-4f9a-9b08-5bde0c3953ab
related:
- id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
type: derived
status: test
description: Detects activity mentioned in Operation Wocao report
references:
- https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.discovery
- attack.stealth
- attack.t1012
- attack.t1036.004
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
CommandLine|contains:
- 'checkadmin.exe 127.0.0.1 -all'
- 'netsh advfirewall firewall add rule name=powershell dir=in'
- 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
- '/tn win32times /f'
- 'create win32times binPath='
- '\c$\windows\system32\devmgr.dll'
- ' -exec bypass -enc JgAg'
- 'type *keepass\KeePass.config.xml'
- 'iie.exe iie.txt'
- 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
condition: selection
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
view Sigma YAML
title: Operation Wocao Activity - Security
id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
status: test
description: Detects activity mentioned in Operation Wocao report
references:
- https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
- https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
- https://twitter.com/SBousseaden/status/1207671369963646976
author: Florian Roth (Nextron Systems), frack113
date: 2019-12-20
modified: 2022-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.discovery
- attack.stealth
- attack.t1012
- attack.t1036.004
- attack.t1027
- attack.execution
- attack.t1053.005
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
service: security
detection:
selection:
EventID: 4799
TargetUserName|startswith: 'Administr'
CallerProcessName|endswith: '\checkadmin.exe'
condition: selection
falsepositives:
- Administrators that use checkadmin.exe tool to enumerate local administrators
level: high
Convert to SIEM query
high
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
view Sigma YAML
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
- id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- 'psinject'
- 'spawnas'
- 'make_token'
- 'remote-exec'
- 'rev2self'
- 'dcsync'
- 'logonpasswords'
- 'execute-assembly'
- 'getsystem'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
view Sigma YAML
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
- id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains:
- 'Invoke-UserHunter'
- 'Invoke-ShareFinder'
- 'Invoke-Kerberoast'
- 'Invoke-SMBAutoBrute'
- 'Invoke-Nightmare'
- 'zerologon'
- 'av_query'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Oracle WebLogic Exploit CVE-2020-14882
Detects exploitation attempts on WebLogic servers
view Sigma YAML
title: Oracle WebLogic Exploit CVE-2020-14882
id: 85d466b0-d74c-4514-84d3-2bdd3327588b
status: test
description: Detects exploitation attempts on WebLogic servers
references:
- https://isc.sans.edu/diary/26734
- https://twitter.com/jas502n/status/1321416053050667009?s=20
- https://twitter.com/sudo_sudoka/status/1323951871078223874
author: Florian Roth (Nextron Systems)
date: 2020-11-02
modified: 2023-01-02
tags:
- attack.t1190
- attack.initial-access
- cve.2020-14882
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '/console/images/%252E%252E%252Fconsole.portal'
- '/console/css/%2e'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE
Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
view Sigma YAML
title: Outbound Network Connection Initiated By Cmstp.EXE
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: test
description: |
Detects a network connection initiated by Cmstp.EXE
Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2024-05-31
tags:
- attack.stealth
- attack.t1218.003
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\cmstp.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
# Note: Please report any false positive seen in the wild to help tune the rule.
level: high
Convert to SIEM query
high
Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
view Sigma YAML
title: Outbound Network Connection Initiated By Microsoft Dialer
id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
status: test
description: |
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
references:
- https://tria.ge/240301-rk34sagf5x/behavioral2
- https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d
- https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/
- https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
author: CertainlyP
date: 2024-04-26
tags:
- attack.execution
- attack.command-and-control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: ':\Windows\System32\dialer.exe'
Initiated: 'true'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- In Modern Windows systems, unable to see legitimate usage of this process, However, if an organization has legitimate purpose for this there can be false positives.
level: high
Convert to SIEM query
high
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
view Sigma YAML
title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
- id: 08249dc0-a28d-4555-8ba5-9255a198e08c
type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_ms_ranges:
DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate scripts
level: high
Convert to SIEM query
high
Outbound RDP Connections Over Non-Standard Tools
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
view Sigma YAML
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
- attack.lateral-movement
- attack.t1021.001
- car.2013-07-002
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort: 3389
Initiated: 'true'
filter_main_mstsc:
Image:
- 'C:\Windows\System32\mstsc.exe'
- 'C:\Windows\SysWOW64\mstsc.exe'
filter_optional_dns:
# Note: https://github.com/SigmaHQ/sigma/pull/2249
Image: 'C:\Windows\System32\dns.exe'
SourcePort: 53
Protocol: 'udp'
filter_optional_avast:
Image|endswith:
- '\Avast Software\Avast\AvastSvc.exe'
- '\Avast\AvastSvc.exe'
filter_optional_sysinternals_rdcman:
Image|endswith: '\RDCMan.exe'
filter_optional_chrome:
Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
filter_optional_third_party:
Image|endswith:
- '\FSAssessment.exe'
- '\FSDiscovery.exe'
- '\MobaRTE.exe'
- '\mRemote.exe'
- '\mRemoteNG.exe'
- '\Passwordstate.exe'
- '\RemoteDesktopManager.exe'
- '\RemoteDesktopManager64.exe'
- '\RemoteDesktopManagerFree.exe'
- '\RSSensor.exe'
- '\RTS2App.exe'
- '\RTSApp.exe'
- '\spiceworks-finder.exe'
- '\Terminals.exe'
- '\ws_TunnelService.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_splunk:
Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
filter_optional_sentinel_one:
Image|endswith: '\Ranger\SentinelRanger.exe'
filter_optional_firefox:
Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
filter_optional_tsplus: # Some RAS
Image:
- 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
- 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
filter_optional_null:
Image: null
filter_optional_empty:
Image: ''
filter_optional_unknown:
Image: '<unknown process>'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Third party RDP tools
level: high
Convert to SIEM query
high
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
view Sigma YAML
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
- https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
- attack.initial-access
- attack.t1195.001
logsource:
product: github
service: audit
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
selection:
action:
- 'dependabot_alerts_new_repos.disable'
- 'dependabot_alerts.disable'
- 'dependabot_security_updates_new_repos.disable'
- 'dependabot_security_updates.disable'
- 'repository_vulnerability_alerts.disable'
condition: selection
falsepositives:
- Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
Convert to SIEM query
high
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
view Sigma YAML
title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
- id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
view Sigma YAML
title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
- id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
type: similar
- id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
- https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
view Sigma YAML
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Outlook\Security\Level'
Details|contains: '0x00000001' # Enable all Macros
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
view Sigma YAML
title: PCRE.NET Package Image Load
id: 84b0a8f3-680b-4096-a45b-e9a89221727c
status: test
description: Detects processes loading modules related to PCRE.NET package
references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
view Sigma YAML
title: PCRE.NET Package Temp Files
id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
status: test
description: Detects processes creating temp files related to PCRE.NET package
references:
- https://twitter.com/rbmaslen/status/1321859647091970051
- https://twitter.com/tifkin_/status/1321916444557365248
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-29
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PDF File Created By RegEdit.EXE
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
view Sigma YAML
title: PDF File Created By RegEdit.EXE
id: 145095eb-e273-443b-83d0-f9b519b7867b
status: test
description: |
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
references:
- https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-08
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\regedit.exe'
TargetFilename|endswith: '.pdf'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
view Sigma YAML
title: PIM Alert Setting Changes To Disabled
id: aeaef14c-e5bf-4690-a9c8-835caad458bd
status: test
description: Detects when PIM alerts are set to disabled.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Disable PIM Alert
condition: selection
falsepositives:
- Administrator disabling PIM alerts as an active choice.
level: high
Convert to SIEM query
high
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
view Sigma YAML
title: PIM Approvals And Deny Elevation
id: 039a7469-0296-4450-84c0-f6966b16dc6d
status: test
description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Request Approved/Denied
condition: selection
falsepositives:
- Actual admin using PIM.
level: high
Convert to SIEM query
high
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
view Sigma YAML
title: PPL Tampering Via WerFaultSecure
id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
related:
- id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
type: similar
- id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
type: similar
status: experimental
description: |
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus).
This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software.
Distinct command line patterns help identify the specific tool:
- WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine
- EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine
Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
references:
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://github.com/TwoSevenOneT/EDR-Freeze/blob/a7f61030b36fbde89871f393488f7075d2aa89f6/EDR-Freeze.cpp#L53
- https://www.zerosalarium.com/2025/09/Dumping-LSASS-With-WER-On-Modern-Windows-11.html
- https://github.com/TwoSevenOneT/WSASS/blob/2c8fd9fa32143e7bc9f066e9511c6f8a57bc64b5/WSASS.cpp#L251
author: Jason (https://github.com/0xbcf)
date: 2025-09-23
modified: 2025-11-23
tags:
- attack.defense-impairment
- attack.t1685
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\WerFaultSecure.exe'
- OriginalFileName: 'WerFaultSecure.exe'
selection_args:
CommandLine|contains|all:
- ' /h '
- ' /pid ' # Antimalware or EDR process pid will be after this flag
- ' /tid '
- ' /encfile '
- ' /cancel '
- ' /type '
- ' 268310'
condition: all of selection_*
falsepositives:
- Legitimate usage of WerFaultSecure for debugging purposes
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_werfaultsecure_abuse/info.yml
Convert to SIEM query
high
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
view Sigma YAML
title: PSAsyncShell - Asynchronous TCP Reverse Shell
id: afd3df04-948d-46f6-ae44-25966c44b97f
status: test
description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
references:
- https://github.com/JoelGMSec/PSAsyncShell
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-04
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PSAsyncShell'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
view Sigma YAML
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
- https://aboutdfir.com/the-key-to-identify-psexec/
- https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1136.002
- attack.t1543.003
- attack.t1570
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\PSEXEC-'
TargetFilename|endswith: '.key'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
view Sigma YAML
title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
- https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
- attack.execution
- attack.lateral-movement
- attack.t1047
- attack.t1569.002
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
selection:
EventID: 1121
ProcessName|endswith:
- '\wmiprvse.exe'
- '\psexesvc.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PUA - 3Proxy Execution
Detects the use of 3proxy, a tiny free proxy server
view Sigma YAML
title: PUA - 3Proxy Execution
id: f38a82d2-fba3-4781-b549-525efbec8506
status: test
description: Detects the use of 3proxy, a tiny free proxy server
references:
- https://github.com/3proxy/3proxy
- https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\3proxy.exe'
selection_pe:
Description: '3proxy - tiny proxy server'
selection_params: # param combos seen in the wild
CommandLine|contains: '.exe -i127.0.0.1 -p'
condition: 1 of selection_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
view Sigma YAML
title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
- id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
type: similar
- id: 75df3b17-8bcc-4565-b89b-c9898acef911
type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
date: 2021-02-02
modified: 2025-10-24
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- '-sc dclist'
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
condition: selection
falsepositives:
- Legitimate admin activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
simulation:
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Computer Objects
technique: T1018
atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
- type: atomic-red-team
name: Adfind - Enumerate Active Directory Domain Controller Objects
technique: T1018
atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
Convert to SIEM query
high
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
view Sigma YAML
title: PUA - AdvancedRun Suspicious Execution
id: fa00b701-44c6-4679-994d-5a18afa8a707
related:
- id: d2b749ee-4225-417e-b20e-a8d2193cbb84
type: similar
status: test
description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
- https://twitter.com/splinter_code/status/1483815103279603714
- https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
- https://www.elastic.co/security-labs/operation-bleeding-bear
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.002
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '/EXEFilename'
- '/CommandLine'
selection_runas:
- CommandLine|contains:
- ' /RunAs 8 '
- ' /RunAs 4 '
- ' /RunAs 10 '
- ' /RunAs 11 '
- CommandLine|endswith:
- '/RunAs 8'
- '/RunAs 4'
- '/RunAs 10'
- '/RunAs 11'
condition: all of selection*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml
Convert to SIEM query
high
PUA - Chisel Tunneling Tool Execution
Detects usage of the Chisel tunneling tool via the commandline arguments
view Sigma YAML
title: PUA - Chisel Tunneling Tool Execution
id: 8b0e12da-d3c3-49db-bb4f-256703f380e5
related:
- id: cf93e05e-d798-4d9e-b522-b0248dc61eaf
type: similar
status: test
description: Detects usage of the Chisel tunneling tool via the commandline arguments
references:
- https://github.com/jpillora/chisel/
- https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
author: Florian Roth (Nextron Systems)
date: 2022-09-13
modified: 2023-02-13
tags:
- attack.command-and-control
- attack.t1090.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\chisel.exe'
selection_param1:
CommandLine|contains:
- 'exe client '
- 'exe server '
selection_param2:
CommandLine|contains:
- '-socks5'
- '-reverse'
- ' r:'
- ':127.0.0.1:'
- '-tls-skip-verify '
- ':socks'
condition: selection_img or all of selection_param*
falsepositives:
- Some false positives may occur with other tools with similar commandlines
level: high
Convert to SIEM query
high
PUA - CleanWipe Execution
Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
view Sigma YAML
title: PUA - CleanWipe Execution
id: f44800ac-38ec-471f-936e-3fa7d9c53100
status: test
description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-14
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\SepRemovalToolNative_x64.exe'
selection2:
Image|endswith: '\CATClean.exe'
CommandLine|contains: '--uninstall'
selection3:
Image|endswith: '\NetInstaller.exe'
CommandLine|contains: '-r'
selection4:
Image|endswith: '\WFPUnins.exe'
CommandLine|contains|all:
- '/uninstall'
- '/enterprise'
condition: 1 of selection*
falsepositives:
- Legitimate administrative use (Should be investigated either way)
level: high
Convert to SIEM query
high
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
view Sigma YAML
title: PUA - Crassus Execution
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: test
description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
references:
- https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
date: 2023-04-17
tags:
- attack.discovery
- attack.reconnaissance
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Crassus.exe'
- OriginalFileName: 'Crassus.exe'
- Description|contains: 'Crassus'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PUA - CsExec Execution
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
view Sigma YAML
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
- https://github.com/malcomvetter/CSExec
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
- attack.resource-development
- attack.t1587.001
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csexec.exe'
selection_pe:
Description: 'csexec'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PUA - DIT Snapshot Viewer
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
view Sigma YAML
title: PUA - DIT Snapshot Viewer
id: d3b70aad-097e-409c-9df2-450f80dc476b
status: test
description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
references:
- https://thedfirreport.com/2020/06/21/snatch-ransomware/
- https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
author: Furkan Caliskan (@caliskanfurkan_)
date: 2020-07-04
modified: 2023-02-21
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\ditsnap.exe'
- CommandLine|contains: 'ditsnap.exe'
condition: selection
falsepositives:
- Legitimate admin usage
level: high
Convert to SIEM query
high
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
view Sigma YAML
title: PUA - DefenderCheck Execution
id: f0ca6c24-3225-47d5-b1f5-352bf07ecfa7
status: test
description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
references:
- https://github.com/matterpreter/DefenderCheck
author: Florian Roth (Nextron Systems)
date: 2022-08-30
modified: 2023-02-04
tags:
- attack.stealth
- attack.t1027.005
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\DefenderCheck.exe'
- Description: 'DefenderCheck'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
Showing 701-750 of 1,715