Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
view Sigma YAML
title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: test
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- attack.execution
- attack.g0129
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- 'copy SolidPDFCreator.dll'
- 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
selection_2:
CommandLine|contains|all:
- 'reg '
- '\Windows\CurrentVersion\Run'
- 'SolidPDF'
- 'C:\Users\Public\Libraries\PhotoTvRHD\'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
view Sigma YAML
title: Potential APT10 Cloud Hopper Activity
id: 966e4016-627f-44f7-8341-f394905c361f
status: test
description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
references:
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
author: Florian Roth (Nextron Systems)
date: 2017-04-07
modified: 2023-03-08
tags:
- attack.execution
- attack.g0045
- attack.t1059.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cscript:
Image|endswith: '\cscript.exe'
CommandLine|contains: '.vbs /shell '
selection_csvde:
CommandLine|contains|all:
- 'csvde -f C:\windows\web\'
- '.log'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
view Sigma YAML
title: Potential Adplus.EXE Abuse
id: 2f869d59-7f6a-4931-992c-cce556ff2d53
status: test
description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/
- https://twitter.com/nas_bench/status/1534916659676422152
- https://twitter.com/nas_bench/status/1534915321856917506
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-06-23
tags:
- attack.execution
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\adplus.exe'
- OriginalFileName: 'Adplus.exe'
selection_cli:
CommandLine|contains:
# Dump process memory
- ' -hang '
- ' -pn '
- ' -pmn '
- ' -p '
- ' -po '
# Using a config file
- ' -c '
# Execute commands inline
- ' -sc '
condition: all of selection_*
falsepositives:
- Legitimate usage of Adplus for debugging purposes
level: high
Convert to SIEM query
high
Potential Arbitrary Code Execution Via Node.EXE
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
view Sigma YAML
title: Potential Arbitrary Code Execution Via Node.EXE
id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
status: test
description: Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
- https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
- https://nodejs.org/api/cli.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_main:
Image|endswith: '\node.exe'
CommandLine|contains:
- ' -e '
- ' --eval '
# Add more pattern of abuse as actions
selection_action_reverse_shell:
CommandLine|contains|all:
- '.exec('
- 'net.socket'
- '.connect'
- 'child_process'
condition: selection_main and 1 of selection_action_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Potential Arbitrary Command Execution Using Msdt.EXE
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
status: test
description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nao_sec/status/1530196847679401984
- https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
- https://twitter.com/_JohnHammond/status/1531672601067675648
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-29
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
selection_cmd_inline:
CommandLine|contains: 'IT_BrowseForFile='
selection_cmd_answerfile_flag:
CommandLine|contains: ' PCWDiagnostic'
selection_cmd_answerfile_param:
CommandLine|contains|windash: ' -af '
condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
view Sigma YAML
title: Potential Arbitrary File Download Using Office Application
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
related:
- id: 0c79148b-118e-472b-bdb7-9b57b444cc19
type: obsolete
status: test
description: Detects potential arbitrary file download using a Microsoft Office application
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/
- https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2022-05-17
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_http:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
view Sigma YAML
title: Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
id: 245f92e3-c4da-45f1-9070-bc552e06db11
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
references:
- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://github.com/h3v0x/CVE-2021-26084_Confluence
author: Bhabesh Raj
date: 2021-09-08
modified: 2023-02-13
tags:
- attack.initial-access
- attack.execution
- attack.t1190
- attack.t1059
- cve.2021-26084
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Monitor suspicious child processes spawned by Confluence
ParentImage|endswith: '\Atlassian\Confluence\jre\bin\java.exe'
CommandLine|contains:
- 'certutil'
- 'cmd /c'
- 'cmd /k'
- 'cscript'
- 'curl'
- 'ipconfig'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'whoami'
- 'wscript'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Attachment Manager Settings Associations Tamper
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Associations Tamper
id: a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47
status: test
description: Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\'
selection_value_default_file_type_rsik:
TargetObject|endswith: '\DefaultFileTypeRisk'
Details: 'DWORD (0x00006152)'
selection_value_low_risk_filetypes:
TargetObject|endswith: '\LowRiskFileTypes'
Details|contains: # Add more as you see fit
- '.zip;'
- '.rar;'
- '.exe;'
- '.bat;'
- '.com;'
- '.cmd;'
- '.reg;'
- '.msi;'
- '.htm;'
- '.html;'
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Attachment Manager Settings Attachments Tamper
Detects tampering with attachment manager settings policies attachments (See reference for more information)
view Sigma YAML
title: Potential Attachment Manager Settings Attachments Tamper
id: ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a
status: test
description: Detects tampering with attachment manager settings policies attachments (See reference for more information)
references:
- https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738
- https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-08-17
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\'
selection_value_hide_zone_info:
TargetObject|endswith: '\HideZoneInfoOnProperties'
Details: 'DWORD (0x00000001)' # On
selection_value_save_zone_info:
TargetObject|endswith: '\SaveZoneInformation'
Details: 'DWORD (0x00000002)' # Off
selection_value_scan_with_av:
TargetObject|endswith: '\ScanWithAntiVirus'
Details: 'DWORD (0x00000001)' # Disabled
condition: selection_main and 1 of selection_value_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential AutoLogger Sessions Tampering
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
view Sigma YAML
title: Potential AutoLogger Sessions Tampering
id: f37b4bce-49d0-4087-9f5b-58bffda77316
related:
- id: d7b81144-b866-48a4-9bcc-275dc69d870e
type: similar
status: test
description: |
Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging.
The AutoLogger event tracing session records events up that occur early in the operating system boot process.
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in, and also used by security solutions as telemetry source.
Adversaries may disable these sessions to evade detection and prevent security monitoring of early boot activities and system events.
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
- https://learn.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection_main:
TargetObject|contains: '\Control\WMI\Autologger\'
selection_values:
TargetObject|contains: # We only care about some autologger to avoid FP. Add more if you need
- '\EventLog-'
- '\Defender'
TargetObject|endswith:
- '\Enabled'
- '\Start'
Details: DWORD (0x00000000)
filter_main_wevtutil:
Image: 'C:\Windows\system32\wevtutil.exe'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
TargetObject|contains:
- '\DefenderApiLogger\'
- '\DefenderAuditLogger\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions/info.yml
simulation:
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - Cmd
technique: T1562.001
atomic_guid: 653c6e17-14a2-4849-851d-f1c0cc8ea9ab
- type: atomic-red-team
name: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell
technique: T1562.001
atomic_guid: da86f239-9bd3-4e85-92ed-4a94ef111a1c
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - Cmd
technique: T1562.001
atomic_guid: 1cac9b54-810e-495c-8aac-989e0076583b
- type: atomic-red-team
name: Disable EventLog-Application ETW Provider Via Registry - PowerShell
technique: T1562.001
atomic_guid: 8f907648-1ebf-4276-b0f0-e2678ca474f0
Convert to SIEM query
high
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
view Sigma YAML
title: Potential Baby Shark Malware Activity
id: 2b30fa36-3a18-402f-a22d-bf4ce2189f35
status: test
description: Detects activity that could be related to Baby Shark malware
references:
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
author: Florian Roth (Nextron Systems)
date: 2019-02-24
modified: 2023-03-08
tags:
- attack.execution
- attack.discovery
- attack.stealth
- attack.t1012
- attack.t1059.003
- attack.t1059.001
- attack.t1218.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'powershell.exe mshta.exe http'
- '.hta'
- CommandLine|contains:
- 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- 'cmd.exe /c taskkill /im cmd.exe'
- "(New-Object System.Net.WebClient).UploadFile('http"
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Base64 Decoded From Images
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
view Sigma YAML
title: Potential Base64 Decoded From Images
id: 09a910bf-f71f-4737-9c40-88880ba5913d
status: test
description: |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
references:
- https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior
- https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.stealth
- attack.t1140
logsource:
product: macos
category: process_creation
detection:
# Example: /bin/bash sh -c tail -c +21453 '/Volumes/Installer/Installer.app/Contents/Resources/workout-logo.jpeg' | base64 --decode > /tmp/54A0A2CD-FAD1-4D4D-AAF5-5266F6344ABE.zip
# VT Query: 'behavior_processes:"tail" (behavior_processes:"jpeg" or behavior_processes:"jpg" or behavior_processes:"png" or behavior_processes:"gif") behavior_processes:"base64" behavior_processes:"--decode >" and tag:dmg'
selection_image:
Image|endswith: '/bash'
selection_view:
CommandLine|contains|all:
- 'tail'
- '-c'
selection_b64:
CommandLine|contains|all:
- 'base64'
- '-d' # Also covers "--decode"
- '>'
selection_files:
CommandLine|contains:
- '.avif'
- '.gif'
- '.jfif'
- '.jpeg'
- '.jpg'
- '.pjp'
- '.pjpeg'
- '.png'
- '.svg'
- '.webp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
view Sigma YAML
title: Potential BearLPE Exploitation
id: 931b6802-d6a6-4267-9ffa-526f57f22aaf
status: test
description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
references:
- https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
author: Olaf Hartong
date: 2019-05-22
modified: 2023-01-26
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1053.005
- car.2013-08-001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains|all:
- '/change'
- '/TN'
- '/RU'
- '/RP'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
view Sigma YAML
title: Potential BlackByte Ransomware Activity
id: 999e8307-a775-4d5f-addc-4855632335be
status: test
description: Detects command line patterns used by BlackByte ransomware in different operations
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2023-02-08
tags:
- attack.execution
- attack.impact
- attack.stealth
- attack.t1485
- attack.t1498
- attack.t1059.001
- attack.t1140
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|startswith: 'C:\Users\Public\'
CommandLine|contains: ' -single '
selection_2:
CommandLine|contains:
- 'del C:\Windows\System32\Taskmgr.exe'
- ';Set-Service -StartupType Disabled $'
- 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
- ' do start wordpad.exe /p '
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on action seen used by bumblebee
view Sigma YAML
title: Potential Bumblebee Remote Thread Creation
id: 994cac2b-92c2-44bf-8853-14f6ca39fbda
status: test
description: Detects remote thread injection events based on action seen used by bumblebee
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\wabmig.exe'
- '\wab.exe'
- '\ImagingDevices.exe'
TargetImage|endswith: '\rundll32.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Creation
id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
status: test
description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: X__Junior (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
view Sigma YAML
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: test
description: |
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\svchost.exe'
ImageLoaded|endswith: '\AppData\Roaming\newdev.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
view Sigma YAML
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename: 'C:\users\public\Documents\dllhost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
view Sigma YAML
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: test
description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
- '\ProfileImagePath'
Details|contains:
- 'ANONYMOUS'
- '_DomainUser_'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
view Sigma YAML
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: test
description: |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
author: Luca Di Bartolomeo
date: 2024-06-22
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-26084 Exploitation Attempt
Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
view Sigma YAML
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
status: test
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
references:
- https://github.com/TesterCC/exp_poc_library/blob/be61622600ec79d8fba2fa5f816a870715f0cb3b/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
- https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
- https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
author: Sittikorn S, Nuttakorn T
date: 2022-12-13
modified: 2023-03-24
tags:
- attack.initial-access
- attack.t1190
- cve.2021-26084
- detection.emerging-threats
logsource:
category: webserver
definition: 'Requirements: The POST request body data must be collected in order to make use of certain parts of this detection'
detection:
selection_main:
cs-method: 'POST'
sc-status: 200
cs-username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts
selection_exploit_1:
cs-uri-query|contains|all:
- '/pages/createpage-entervariables.action'
- 'SpaceKey=x' # This URI assume that you can't have a space ID of "X"
selection_exploit_2_uri:
cs-uri-query|contains: '/doenterpagevariables.action'
selection_exploit_2_keyword:
- 'u0027' # This string should appear in the post body as a value of the parameter "queryString"
condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
view Sigma YAML
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2023-02-07
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
view Sigma YAML
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: Florian Roth (Nextron Systems), @neonprimetime
date: 2021-09-08
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059
- cve.2021-40444
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith:
- '\winword.exe'
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
view Sigma YAML
title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
references:
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://twitter.com/TheDFIRReport/status/1482078434327244805
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
- attack.initial-access
- attack.t1190
- cve.2021-44228
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_TomcatService.exe'
filter_main_shells:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential CVE-2022-21587 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
view Sigma YAML
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
- https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis
- https://github.com/hieuminhnv/CVE-2022-21587-POC
- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
author: Isa Almannaei
date: 2023-02-13
tags:
- attack.initial-access
- attack.t1190
- cve.2022-21587
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|contains:
- '/OA_HTML/BneViewerXMLService?bne:uueupload=TRUE'
- '/OA_HTML/BneUploaderService?bne:uueupload=TRUE'
- '/OA_HTML/BneDownloadService?bne:uueupload=TRUE'
- '/OA_HTML/BneOfflineLOVService?bne:uueupload=TRUE'
condition: selection
falsepositives:
- Vulnerability Scanners
level: high
Convert to SIEM query
high
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
view Sigma YAML
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
- https://twitter.com/cyb3rops/status/1514217991034097664
- https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1569.002
- cve.2022-26809
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\System32\svchost.exe'
ParentCommandLine|contains: '-k RPCSS'
condition: selection
falsepositives:
- Unknown
- Some cases in which the service spawned a werfault.exe process
level: high
Convert to SIEM query
high
Potential CVE-2022-29072 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
The command runs in a child process under the 7zFM.exe process.
view Sigma YAML
title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: test
description: |
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
The command runs in a child process under the 7zFM.exe process.
references:
- https://github.com/kagancapar/CVE-2022-29072
- https://twitter.com/kagancapar/status/1515219358234161153
author: frack113, @kostastsale
date: 2022-04-17
modified: 2024-08-15
tags:
- attack.execution
- cve.2022-29072
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith: '\7zFM.exe'
selection_img:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
filter_main_extensions_and_flags:
- CommandLine|contains:
- ' /c '
- ' /k '
- ' /r '
- CommandLine|endswith:
- '.bat'
- '.cmd'
- '.ps1'
filter_main_null:
CommandLine: null
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2022-46169 Exploitation Attempt
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
view Sigma YAML
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
- https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
- https://github.com/rapid7/metasploit-framework/pull/17407
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2022-46169
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
# Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
# Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
cs-method: 'GET'
cs-uri-query|contains|all:
- '/remote_agent.php'
- 'action=polldata'
- 'poller_id='
cs-uri-query|contains:
# From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
# Not tested could be shown in other format (update if you have more info)
- '| base64 -d | /bin/bash`'
- '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
# Add more suspicious commands accordingly
- '`whoami'
- 'powershell'
- 'cmd'
- 'wget'
condition: selection
falsepositives:
- Web vulnerability scanners
level: high
Convert to SIEM query
high
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
view Sigma YAML
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
- attack.privilege-escalation
- attack.execution
- cve.2023-21554
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\Windows\System32\mqsvc.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2023-23752 Exploitation Attempt
Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
view Sigma YAML
title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
- https://xz.aliyun.com/t/12175
- https://twitter.com/momika233/status/1626464189261942786
author: Bhabesh Raj
date: 2023-02-23
tags:
- attack.initial-access
- attack.t1190
- cve.2023-23752
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/api/index.php/v1/'
- 'public=true'
condition: selection
falsepositives:
- Vulnerability scanners
level: high
Convert to SIEM query
high
Potential CVE-2023-25157 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
view Sigma YAML
title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
references:
- https://github.com/win3zz/CVE-2023-25157
- https://twitter.com/parzel2/status/1665726454489915395
- https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.initial-access
- cve.2023-25157
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_url:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/geoserver/ows'
- 'CQL_FILTER='
cs-uri-query|contains:
# Abusable Filters/Function as reported in the Advisory
- 'PropertyIsLike'
- 'strEndsWith'
- 'strStartsWith'
- 'FeatureId'
- 'jsonArrayContains'
- 'DWithin'
selection_payload:
cs-uri-query|contains:
- '+--'
- '+AS+'
- '+OR+'
- 'FROM'
- 'ORDER+BY'
- 'SELECT'
- 'sleep%28'
- 'substring%28'
- 'UNION'
- 'WHERE'
condition: all of selection_*
falsepositives:
- Vulnerability scanners
level: high
Convert to SIEM query
high
Potential CVE-2023-25717 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
view Sigma YAML
title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-30
tags:
- attack.initial-access
- attack.t1190
- cve.2023-25717
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/forms/doLogin'
- 'login_username'
- 'password'
cs-uri-query|contains:
- '$('
- '%24%28' # URL Encode version of "$("
condition: selection
falsepositives:
- Vulnerability scanners
- Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP
level: high
Convert to SIEM query
high
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
view Sigma YAML
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
- https://www.zerodayinitiative.com/advisories/ZDI-23-491/
- https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
- attack.persistence
- attack.t1505.001
- cve.2023-27363
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\FoxitPDFReader.exe'
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith: '.hta'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
view Sigma YAML
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
status: test
description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
references:
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
tags:
- attack.execution
- cve.2023-36874
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'Cmd.Exe'
- 'powershell_ise.EXE'
- 'powershell.exe'
Image|endswith: '\wermgr.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
view Sigma YAML
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
modified: 2025-01-13
tags:
- attack.execution
- cve.2023-36874
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\wermgr.exe'
filter_main_locations:
TargetFilename|contains:
- ':\$WINDOWS.~BT\NewOS\'
- ':\$WinREAgent\' # From "wuauclt.exe"
- ':\Windows\servicing\LCU\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\' # Windows Update Download Cache
- ':\Windows\SoftwareDistribution\Download\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2023-36884 Exploitation - Share Access
Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
view Sigma YAML
title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: test
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection_eid:
EventID: 5140
selection_share_name:
ShareName|contains: '\MSHTML_C7\'
ShareName|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_share_path:
ShareLocalPath|contains: '\MSHTML_C7\'
ShareLocalPath|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
condition: selection_eid and 1 of selection_share_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2023-36884 Exploitation - URL Marker
Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
view Sigma YAML
title: Potential CVE-2023-36884 Exploitation - URL Marker
id: e59f71ff-c042-4f7a-8a82-8f53beea817e
status: test
description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
category: proxy
detection:
selection:
cs-method: 'GET'
c-uri|contains: '/MSHTML_C7/'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
view Sigma YAML
title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
status: test
description: |
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
references:
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-18
modified: 2025-11-22
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- cve.2024-3400
- detection.emerging-threats
- attack.stealth
logsource:
category: appliance
product: paloalto
service: globalprotect
definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
detection:
keywords_generic:
- 'failed to unmarshal session(../'
- 'failed to unmarshal session(./../'
- 'failed to unmarshal session(/..'
- 'failed to unmarshal session(%2E%2E%2F'
- 'failed to unmarshal session(%2F%2E%2E'
- 'failed to unmarshal session(%2E%2F%2E%2E%2F'
- 'failed to unmarshal session(%252E%252E%252F'
- 'failed to unmarshal session(%252F%252E%252E'
- 'failed to unmarshal session(%252E%252F%252E%252E%252F'
keywords_telemetry_exploit:
- '{IFS}'
- 'base64'
- 'bash'
- 'curl'
- 'http'
keywords_telemetry_path:
- '/opt/panlogs/tmp/device_telemetry/'
condition: keywords_generic or (keywords_telemetry_exploit and keywords_telemetry_path)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
view Sigma YAML
title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
status: test
description: |
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
references:
- https://x.com/BlackArrowSec/status/2044374743491424508
- https://x.com/SBousseaden/status/2044417029721997635
author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-28
tags:
- attack.credential-access
- attack.t1187
- detection.emerging-threats
- cve.2026-33829
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\SnippingTool.exe'
CommandLine|contains:
# '\\\\' = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
- 'ms-screensketch:edit?&filePath=\\\\'
- 'ms-screensketch:edit?&filePath=%%5C'
- 'ms-screensketch:edit?&filePath=%5C'
- 'ms-screensketch:edit?&filePath=http'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
Convert to SIEM query
high
Potential CVE-2303-36884 URL Request Pattern Traffic
Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
view Sigma YAML
title: Potential CVE-2303-36884 URL Request Pattern Traffic
id: d9365e39-febd-4a4b-8441-3ca91bb9d333
status: test
description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
- attack.command-and-control
- cve.2023-36884
- detection.emerging-threats
logsource:
category: proxy
detection:
# Examples:
# hxxp://74.50[.]94[.]156/MSHTML_C7/zip_k.asp?d=99.99.99.99.
# 104.234[.]239[.]26/share1/MSHTML_C7/1/99.99.99.99_a15fa_file001.htm?d=99.99.99.99_ a15fa_
selection:
cs-method: 'GET'
c-uri|re: '\.(zip|asp|htm|url|xml|chm|mht|vbs|search-ms)\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
view Sigma YAML
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
- https://seclists.org/fulldisclosure/2023/Jan/1
- https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
tags:
- attack.initial-access
- attack.t1190
- cve.2022-44877
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-method: 'POST'
cs-uri-query|contains|all:
- '/login/index.php'
- 'login='
cs-uri-query|contains:
# TOD: Include other commonly used reverse shells. Examples: https://www.revshells.com/
- 'login=$('
# Common keywords related to python reverse shells
- 'base64'
- 'subprocess'
- 'socket'
- '${IFS}' # Usage of the input field separator to avoid writing spaces
# B64 Encoded "python" with different offsets
- 'cHl0aG9u'
- 'B5dGhvb'
- 'weXRob2'
condition: selection
falsepositives:
- Web vulnerability scanners
level: high
Convert to SIEM query
high
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
view Sigma YAML
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
- id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
type: similar
status: experimental
description: |
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
logsource:
category: registry_set
product: windows
detection:
selection_registry:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
selection_details:
Details|contains:
- 'http://'
- 'https://'
selection_susp_pattern:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Legitimate applications using RunMRU with HTTP links
level: high
Convert to SIEM query
high
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
view Sigma YAML
title: Potential CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: test
description: Detects potential process patterns related to Cobalt Strike beacon activity
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-27
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_generic_1:
CommandLine|endswith: 'cmd.exe /C whoami'
ParentImage|startswith: 'C:\Temp\'
selection_generic_2:
ParentImage|endswith:
- '\runonce.exe'
- '\dllhost.exe'
CommandLine|contains|all:
- 'cmd.exe /c echo'
- '> \\\\.\\pipe'
selection_conhost_1:
ParentCommandLine|contains|all:
- 'cmd.exe /C echo'
- ' > \\\\.\\pipe'
CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
selection_conhost_2:
ParentCommandLine|endswith: '/C whoami'
CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
view Sigma YAML
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
view Sigma YAML
title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: similar
- id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
type: similar
- id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
type: obsolete
status: test
description: |
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
modified: 2025-05-30
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wscript.exe'
OriginalFileName:
- 'Cmd.EXE'
- 'cscript.exe'
- 'PowerShell.EXE'
- 'PowerShell_ISE.EXE'
- 'pwsh.dll'
- 'wscript.exe'
selection_special_chars:
CommandLine|contains:
# spacing modifier letters that get auto-replaced
- 'ˣ' # 0x02E3
- '˪' # 0x02EA
- 'ˢ' # 0x02E2
# Forward slash alternatives
- '∕' # 0x22FF
- '⁄' # 0x206F
# Hyphen alternatives
- '―' # 0x2015
- '—' # 0x2014
# Whitespace that don't work as path separator
- ' ' # 0x00A0
# Other
- '¯'
- '®'
- '¶'
# Unicode whitespace characters
- '⠀' # Braille Pattern Blank (Unicode: U+2800)
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
view Sigma YAML
title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
- https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\cmd.exe'
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'cmd.exe'
selection_flags:
- ParentCommandLine|contains:
- '/c'
- '/k'
- '/r'
- CommandLine|contains:
- '/c'
- '/k'
- '/r'
selection_path_traversal:
- ParentCommandLine: '/../../'
- CommandLine|contains: '/../../'
filter_java:
CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Java tools are known to produce false-positive when loading libraries
level: high
Convert to SIEM query
high
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|contains:
- 'akamaicontainer.com'
- 'akamaitechcloudservices.com'
- 'azuredeploystore.com'
- 'azureonlinecloud.com'
- 'azureonlinestorage.com'
- 'dunamistrd.com'
- 'glcloudservice.com'
- 'journalide.org'
- 'msedgepackageinfo.com'
- 'msedgeupdate.net'
- 'msstorageazure.com'
- 'msstorageboxes.com'
- 'officeaddons.com'
- 'officestoragebox.com'
- 'pbxcloudeservices.com'
- 'pbxphonenetwork.com'
- 'pbxsources.com'
- 'qwepoi123098.com'
- 'sbmsa.wiki'
- 'sourceslabs.com'
- 'visualstudiofactory.com'
- 'zacharryblogs.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
id: 51eecf75-d069-43c7-9ea2-63f75499edd4
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\3CXDesktopApp.exe'
DestinationHostname|contains:
- 'akamaicontainer.com'
- 'akamaitechcloudservices.com'
- 'azuredeploystore.com'
- 'azureonlinecloud.com'
- 'azureonlinestorage.com'
- 'dunamistrd.com'
- 'glcloudservice.com'
- 'journalide.org'
- 'msedgepackageinfo.com'
- 'msstorageazure.com'
- 'msstorageboxes.com'
- 'officeaddons.com'
- 'officestoragebox.com'
- 'pbxcloudeservices.com'
- 'pbxphonenetwork.com'
- 'pbxsources.com'
- 'qwepoi123098.com'
- 'sbmsa.wiki'
- 'sourceslabs.com'
- 'visualstudiofactory.com'
- 'zacharryblogs.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26
related:
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-05-18
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: proxy
detection:
selection:
cs-host|contains:
- 'akamaicontainer.com'
- 'akamaitechcloudservices.com'
- 'azuredeploystore.com'
- 'azureonlinecloud.com'
- 'azureonlinestorage.com'
- 'dunamistrd.com'
- 'glcloudservice.com'
- 'journalide.org'
- 'msedgepackageinfo.com'
- 'msstorageazure.com'
- 'msstorageboxes.com'
- 'officeaddons.com'
- 'officestoragebox.com'
- 'pbxcloudeservices.com'
- 'pbxphonenetwork.com'
- 'pbxsources.com'
- 'qwepoi123098.com'
- 'sbmsa.wiki'
- 'sourceslabs.com'
- 'visualstudiofactory.com'
- 'zacharryblogs.com'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Compromised 3CXDesktopApp Execution
Detects execution of known compromised version of 3CXDesktopApp
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Execution
id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects execution of known compromised version of 3CXDesktopApp
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2024-11-23
tags:
- attack.stealth
- attack.t1218
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_hashes:
Hashes|contains:
# 3CX Desktop 18.12.407
- 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
- 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- 'MD5=BB915073385DD16A846DFA318AFA3C19'
- 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
- 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
# 3CX Desktop 18.12.416
- 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- 'MD5=9833A4779B69B38E3E51F04E395674C6'
- 'MD5=704DB9184700481A56E5100FB56496CE'
- 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
# 3CXDesktopApp MSI
- 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
- 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_pe_1:
- OriginalFileName: '3CXDesktopApp.exe'
- Image|endswith: '\3CXDesktopApp.exe'
- Product: '3CX Desktop App'
selection_pe_2:
FileVersion|contains: '18.12.'
condition: all of selection_pe_* or selection_hashes
falsepositives:
- Legitimate usage of 3CXDesktopApp
level: high
Convert to SIEM query
Showing 801-850 of 1,715