Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
view Sigma YAML
title: Potential Persistence Via Powershell Search Order Hijacking - Task
id: b66474aa-bd92-4333-a16c-298155b120df
related:
- id: 6e8811ee-90ba-441e-8486-5653e68b2299
type: similar
status: test
description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-08
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage: 'C:\WINDOWS\System32\svchost.exe'
ParentCommandLine|contains|all:
- '-k netsvcs'
- '-s Schedule'
CommandLine|endswith:
- ' -windowstyle hidden'
- ' -w hidden'
- ' -ep bypass'
- ' -noni'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
view Sigma YAML
title: Potential Persistence Via Security Descriptors - ScriptBlock
id: 2f77047c-e6e9-4c11-b088-a3de399524cd
status: test
description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
references:
- https://github.com/HarmJ0y/DAMP
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'win32_Trustee'
- 'win32_Ace'
- '.AccessMask'
- '.AceType'
- '.SetSecurityDescriptor'
ScriptBlockText|contains:
- '\Lsa\JD'
- '\Lsa\Skew1'
- '\Lsa\Data'
- '\Lsa\GBG'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
view Sigma YAML
title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: test
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
- https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\DatabasePath'
filter_main_known_locations:
Details|contains: ':\Windows\AppPatch\Custom'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Persistence Via TypedPaths
Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
view Sigma YAML
title: Potential Persistence Via TypedPaths
id: 086ae989-9ca6-4fe7-895a-759c5544f247
status: test
description: Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt
references:
- https://twitter.com/dez_/status/1560101453150257154
- https://forensafe.com/blogs/typedpaths.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\'
filter:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\SysWOW64\explorer.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Pikabot C2 Activity
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
view Sigma YAML
title: Potential Pikabot C2 Activity
id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
status: test
description: |
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
references:
- https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
- attack.command-and-control
- attack.t1573
- detection.emerging-threats
logsource:
product: windows
category: network_connection
definition: 'Requirements: By default the network_connection type event might not contain the ParentImage. Make sure you collect such fields in order to use this rule'
detection:
selection:
ParentImage|endswith: '\rundll32.exe'
Image|endswith:
# Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
- '\SearchFilterHost.exe'
- '\SearchProtocolHost.exe'
- '\sndvol.exe'
- '\wermgr.exe'
- '\wwahost.exe'
Protocol: tcp
Initiated: 'true'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Pikabot Discovery Activity
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
view Sigma YAML
title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: test
description: |
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
references:
- https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242
- https://tria.ge/231023-lpw85she57/behavioral2
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
- attack.discovery
- attack.t1016
- attack.t1049
- attack.t1087
- detection.emerging-threats
logsource:
product: windows
category: process_creation
definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
selection_parent:
- GrandParentImage|endswith: '\rundll32.exe'
- ParentImage|endswith:
- '\SearchFilterHost.exe'
- '\SearchProtocolHost.exe'
selection_child:
CommandLine:
# Note: Only add strings as seen used by Pikabot to avoid collision with other strains of malware
- 'ipconfig.exe /all'
- 'netstat.exe -aon'
- 'whoami.exe /all'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Pikabot Hollowing Activity
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
view Sigma YAML
title: Potential Pikabot Hollowing Activity
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: test
description: |
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
references:
- https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62
- https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
author: Andreas Braathen (mnemonic.io)
date: 2023-10-27
modified: 2024-01-26
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.012
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\rundll32.exe'
Image|endswith:
# Note: Only add processes seen used by Pikabot to avoid collision with other strains of malware
- '\SearchFilterHost.exe'
- '\SearchProtocolHost.exe'
- '\sndvol.exe'
- '\wermgr.exe'
- '\wwahost.exe'
filter_main_legit_sndvol:
Image|endswith: '\sndvol.exe'
ParentCommandLine|contains: 'mmsys.cpl'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
view Sigma YAML
title: Potential PlugX Activity
id: aeab5ec5-be14-471a-80e8-e344418305c2
status: test
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
references:
- http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
author: Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.s0013
- attack.t1574.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cammute:
Image|endswith: '\CamMute.exe'
filter_cammute:
Image|contains:
- '\Lenovo\Communication Utility\'
- '\Lenovo\Communications Utility\'
selection_chrome_frame:
Image|endswith: '\chrome_frame_helper.exe'
filter_chrome_frame:
Image|contains: '\Google\Chrome\application\'
selection_devemu:
Image|endswith: '\dvcemumanager.exe'
filter_devemu:
Image|contains: '\Microsoft Device Emulator\'
selection_gadget:
Image|endswith: '\Gadget.exe'
filter_gadget:
Image|contains: '\Windows Media Player\'
selection_hcc:
Image|endswith: '\hcc.exe'
filter_hcc:
Image|contains: '\HTML Help Workshop\'
selection_hkcmd:
Image|endswith: '\hkcmd.exe'
filter_hkcmd:
Image|contains:
- '\System32\'
- '\SysNative\'
- '\SysWow64\'
selection_mc:
Image|endswith: '\Mc.exe'
filter_mc:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
selection_msmpeng:
Image|endswith: '\MsMpEng.exe'
filter_msmpeng:
Image|contains:
- '\Microsoft Security Client\'
- '\Windows Defender\'
- '\AntiMalware\'
selection_msseces:
Image|endswith: '\msseces.exe'
filter_msseces:
Image|contains:
- '\Microsoft Security Center\'
- '\Microsoft Security Client\'
- '\Microsoft Security Essentials\'
selection_oinfo:
Image|endswith: '\OInfoP11.exe'
filter_oinfo:
Image|contains: '\Common Files\Microsoft Shared\'
selection_oleview:
Image|endswith: '\OleView.exe'
filter_oleview:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
- '\Windows Resource Kit\'
selection_rc:
Image|endswith: '\rc.exe'
filter_rc:
Image|contains:
- '\Microsoft Visual Studio'
- '\Microsoft SDK'
- '\Windows Kit'
- '\Windows Resource Kit\'
- '\Microsoft.NET\'
condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential PowerShell Command Line Obfuscation
Detects the PowerShell command lines with special characters
view Sigma YAML
title: Potential PowerShell Command Line Obfuscation
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
status: test
description: Detects the PowerShell command lines with special characters
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
date: 2020-10-15
modified: 2024-04-15
tags:
- attack.execution
- attack.stealth
- attack.t1027
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_re:
# TODO: Optimize for PySIGMA
- CommandLine|re: '\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+'
- CommandLine|re: '\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{'
- CommandLine|re: '\^.*\^.*\^.*\^.*\^'
- CommandLine|re: '`.*`.*`.*`.*`'
filter_optional_amazonSSM:
ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
filter_optional_defender_atp:
CommandLine|contains:
- 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
- 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Amazon SSM Document Worker
- Windows Defender ATP
level: high
Convert to SIEM query
high
Potential PowerShell Execution Policy Tampering - ProcCreation
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
view Sigma YAML
title: Potential PowerShell Execution Policy Tampering - ProcCreation
id: cf2e938e-9a3e-4fe8-a347-411642b28a9f
related:
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry
type: similar
- id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
type: similar
- id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
type: similar
status: test
description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
references:
- https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.defense-impairment
logsource:
product: windows
category: process_creation
detection:
selection_path:
CommandLine|contains:
- '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
- '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
selection_values:
CommandLine|contains:
- 'Bypass'
- 'RemoteSigned'
- 'Unrestricted'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential PowerShell Execution Via DLL
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
This detection assumes that PowerShell commands are passed via the CommandLine.
view Sigma YAML
title: Potential PowerShell Execution Via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
description: |
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
This detection assumes that PowerShell commands are passed via the CommandLine.
references:
- https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-25
modified: 2024-03-07
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\InstallUtil.exe'
- '\RegAsm.exe'
- '\RegSvcs.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- OriginalFileName:
- 'InstallUtil.exe'
- 'RegAsm.exe'
- 'RegSvcs.exe'
- 'REGSVR32.EXE'
- 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains:
- 'Default.GetString'
- 'DownloadString'
- 'FromBase64String'
- 'ICM '
- 'IEX '
- 'Invoke-Command'
- 'Invoke-Expression'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential PowerShell Obfuscation Via Reversed Commands
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
view Sigma YAML
title: Potential PowerShell Obfuscation Via Reversed Commands
id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
status: test
description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
references:
- https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-05-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
- 'hctac'
- 'kaerb'
- 'dnammoc'
- 'ekovn' # Also covers 'ekovni'
- 'eliFd'
- 'rahc'
- 'etirw'
- 'golon'
- 'tninon'
- 'eddih'
- 'tpircS'
- 'ssecorp'
- 'llehsrewop'
- 'esnopser'
- 'daolnwod'
- 'tneilCbeW'
- 'tneilc'
- 'ptth'
- 'elifotevas'
- '46esab'
- 'htaPpmeTteG'
- 'tcejbO'
- 'maerts'
- 'hcaerof'
- 'retupmoc'
filter_main_encoded_keyword:
# We exclude usage of encoded commands as they might generate FPs as shown here:
# https://github.com/SigmaHQ/sigma/pull/2720
# https://github.com/SigmaHQ/sigma/issues/4270
CommandLine|contains:
- ' -EncodedCommand '
- ' -enc '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
view Sigma YAML
title: Potential PowerShell Obfuscation Via WCHAR/CHAR
id: e312efd0-35a1-407f-8439-b8d434b438a6
status: test
description: Detects suspicious encoded character syntax often used for defense evasion
references:
- https://twitter.com/0gtweet/status/1281103918693482496
author: Florian Roth (Nextron Systems)
date: 2020-07-09
modified: 2025-03-03
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '[char]0x'
- '(WCHAR)0x'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
view Sigma YAML
title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: stable
description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-04-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cli:
CommandLine|contains|all:
- ' Net.Sockets.TCPClient'
- '.GetStream('
- '.Write('
condition: all of selection_*
falsepositives:
- In rare administrative cases, this function might be used to check network connectivity
level: high
Convert to SIEM query
high
Potential PrintNightmare Exploitation Attempt
Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
view Sigma YAML
title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://github.com/cube0x0/CVE-2021-1675
author: Bhabesh Raj
date: 2021-07-01
modified: 2023-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574
- cve.2021-1675
- detection.emerging-threats
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith: '\spoolsv.exe'
TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Privilege Escalation Attempt Via .Exe.Local Technique
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
view Sigma YAML
title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
id: 07a99744-56ac-40d2-97b7-2095967b0e03
status: test
description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
references:
- https://github.com/binderlabs/DirCreate2System
- https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows\System32\logonUI.exe.local'
- 'C:\Windows\System32\werFault.exe.local'
- 'C:\Windows\System32\consent.exe.local'
- 'C:\Windows\System32\narrator.exe.local'
- 'C:\Windows\System32\wermgr.exe.local'
TargetFilename|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
view Sigma YAML
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
- id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
- 'accepteula'
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
Convert to SIEM query
high
Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
view Sigma YAML
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: test
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
- https://ss64.com/nt/mklink.html
author: frack113
date: 2022-12-11
modified: 2022-12-20
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.008
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- 'mklink'
- '\osk.exe'
- '\cmd.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
Convert to SIEM query
high
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
view Sigma YAML
title: Potential Privilege Escalation via Local Kerberos Relay over LDAP
id: 749c9f5e-b353-4b90-a9c1-05243357ca4b
status: test
description: |
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
references:
- https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g
- https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
author: Elastic, @SBousseaden
date: 2022-04-27
modified: 2024-08-13
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1548
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
AuthenticationPackageName: 'Kerberos'
IpAddress: '127.0.0.1'
TargetUserSid|startswith: 'S-1-5-21-'
TargetUserSid|endswith: '-500'
filter_main_ip_null:
IpPort: '0'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
view Sigma YAML
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
product: windows
category: process_creation
detection:
selection:
IntegrityLevel:
- 'Medium'
- 'S-1-16-8192'
CommandLine|contains|all:
- 'ControlSet'
- 'services'
CommandLine|contains:
- '\ImagePath'
- '\FailureCommand'
- '\ServiceDll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
view Sigma YAML
title: Potential Process Injection Via Msra.EXE
id: 744a188b-0415-4792-896f-11ddb0588dbc
status: test
description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
references:
- https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
- https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
author: Alexander McDonald
date: 2022-06-24
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\msra.exe'
ParentCommandLine|endswith: 'msra.exe'
Image|endswith:
- '\arp.exe'
- '\cmd.exe'
- '\net.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\route.exe'
- '\schtasks.exe'
- '\whoami.exe'
condition: selection
falsepositives:
- Legitimate use of Msra.exe
level: high
Convert to SIEM query
high
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
view Sigma YAML
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
view Sigma YAML
title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
view Sigma YAML
title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Accepting EULA in commandline - often used in automated attacks
CommandLine|contains|all:
- 'accepteula'
- ' -u '
- ' -p '
- ' \\\\'
filter_main_localhost:
CommandLine|contains:
- '\\\\localhost'
- '\\\\127.'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Qakbot Registry Activity
Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
view Sigma YAML
title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: test
description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\Software\firm\soft\Name'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Qakbot Rundll32 Execution
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
view Sigma YAML
title: Potential Qakbot Rundll32 Execution
id: cf879ffb-793a-4753-9a14-bc8f37cc90df
status: test
description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
references:
- https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023-05-24
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection_paths:
ParentImage|endswith:
# Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
Image|endswith: '\rundll32.exe'
CommandLine|contains:
# Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
- ':\ProgramData\'
- ':\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
selection_extension:
CommandLine|contains: '.dll'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential RCE Exploitation Attempt In NodeJS
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
view Sigma YAML
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: nodejs
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'node:child_process'
condition: keywords
falsepositives:
- Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
level: high
Convert to SIEM query
high
Potential RDP Tunneling Via Plink
Execution of plink to perform data exfiltration and tunneling
view Sigma YAML
title: Potential RDP Tunneling Via Plink
id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da
related:
- id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d # ssh.exe
type: similar
status: test
description: Execution of plink to perform data exfiltration and tunneling
references:
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems)
date: 2022-08-04
modified: 2023-01-27
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection_a:
Image|endswith: '\plink.exe'
CommandLine|contains: ':127.0.0.1:3389'
selection_b1:
Image|endswith: '\plink.exe'
CommandLine|contains: ':3389'
selection_b2:
CommandLine|contains:
- ' -P 443'
- ' -P 22'
condition: selection_a or all of selection_b*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
view Sigma YAML
title: Potential RDP Tunneling Via SSH
id: f7d7ebd5-a016-46e2-9c54-f9932f2d386d
related:
- id: f38ce0b9-5e97-4b47-a211-7dc8d8b871da # plink.exe
type: similar
status: test
description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-12
modified: 2023-01-25
tags:
- attack.command-and-control
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ssh.exe'
CommandLine|contains: ':3389'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
view Sigma YAML
title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: test
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022-12-11
modified: 2023-08-17
tags:
- attack.impact
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
Details|contains:
- 'encrypted'
- 'Unlock-Password'
- 'paying'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Raspberry Robin Aclui Dll SideLoading
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
view Sigma YAML
title: Potential Raspberry Robin Aclui Dll SideLoading
id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
status: test
description: |
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
references:
- https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
- https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
- https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
- https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\OleView.exe'
ImageLoaded|endswith: '\aclui.dll'
filter_main_legit_oleview_paths:
Image|startswith:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Microsoft SDKs\'
filter_optional_known_oleview_paths:
Image|contains: '\Windows Resource Kit\'
filter_main_is_signed:
Signed: 'true'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Raspberry Robin CPL Execution Activity
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
view Sigma YAML
title: Potential Raspberry Robin CPL Execution Activity
id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
status: test
description: |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
references:
- https://tria.ge/240226-fhbe7sdc39/behavioral1
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-03-07
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\xxxx\AppData\Local\Temp\xxxx.CPL"
selection_parent_img:
ParentImage|endswith:
- '\rundll32.exe'
- '\control.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'shell32.dll'
- 'Control_RunDLL'
- '.CPL'
selection_path:
CommandLine|contains: '\AppData\Local\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Raspberry Robin Dot Ending File
Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
view Sigma YAML
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
date: 2022-10-28
modified: 2023-02-05
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
# Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
# Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
CommandLine|re: \\[a-zA-Z0-9]{1,32}\.[a-zA-Z0-9]{1,6}\.[ "']{1} # cannot match on end-of-line because of FPs with bind DNS notation
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Rcdll.DLL Sideloading
Detects potential DLL sideloading of rcdll.dll
view Sigma YAML
title: Potential Rcdll.DLL Sideloading
id: 6e78b74f-c762-4800-82ad-f66787f10c8a
status: test
description: Detects potential DLL sideloading of rcdll.dll
references:
- https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-03-15
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\rcdll.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files (x86)\Windows Kits\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Recon Activity Using DriverQuery.EXE
Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
view Sigma YAML
title: Potential Recon Activity Using DriverQuery.EXE
id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
related:
- id: a20def93-0709-4eae-9bd2-31206e21e6b2
type: similar
status: test
description: Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
references:
- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
- https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
- https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: 'driverquery.exe'
- OriginalFileName: 'drvqry.exe'
selection_parent:
- ParentImage|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- ParentImage|contains:
- '\AppData\Local\'
- '\Users\Public\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Legitimate usage by some scripts might trigger this as well
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_recon/info.yml
Convert to SIEM query
high
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
view Sigma YAML
title: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
id: 07f8bdc2-c9b3-472a-9817-5a670b872f53
status: test
description: Detects usage of cmdkey to look for cached credentials on the system
references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-03-05
tags:
- attack.credential-access
- attack.t1003.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmdkey.exe'
- OriginalFileName: 'cmdkey.exe'
selection_cli:
CommandLine|contains|windash: ' -l'
condition: all of selection*
falsepositives:
- Legitimate administrative tasks
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_recon/info.yml
simulation:
- type: atomic-red-team
name: Cached Credential Dump via Cmdkey
technique: T1003.005
atomic_guid: 56506854-89d6-46a3-9804-b7fde90791f9
Convert to SIEM query
high
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
view Sigma YAML
title: Potential Registry Persistence Attempt Via Windows Telemetry
id: 73a883d0-0348-4be4-a8d8-51031c2564f8
related:
- id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
type: obsolete
status: test
description: |
Detects potential persistence behavior using the windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
The problem is, it will run any arbitrary command without restriction of location or type.
references:
- https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Lednyov Alexey, oscd.community, Sreeman
date: 2020-10-16
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
TargetObject|endswith: '\Command'
Details|contains:
- '.bat'
- '.bin'
- '.cmd'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.jar'
- '.js'
- '.msi'
- '.ps'
- '.sh'
- '.vb'
filter_main_generic:
Details|contains:
- '\system32\CompatTelRunner.exe'
- '\system32\DeviceCensus.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
view Sigma YAML
title: Potential Remote PowerShell Session Initiated
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: |
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2024-02-02
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
SourceIsIpv6: 'false'
filter_main_service_users:
- User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVICIO DE RED'
- 'SERVIZIO DI RETE'
- User|contains|all:
- 'SERVICE R'
- 'SEAU'
filter_main_localhost:
SourceIp:
- '::1'
- '127.0.0.1'
DestinationIp:
- '::1'
- '127.0.0.1'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
level: high
Convert to SIEM query
high
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
view Sigma YAML
title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
- id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
- https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
- https://twitter.com/mattifestation/status/986280382042595328 # Deleted
- https://atomicredteam.io/defense-evasion/T1220/
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
- https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
- attack.stealth
- attack.t1047
- attack.t1220
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
- Hashes|contains: # Sysmon field hashes contains all types
- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
- 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
- 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
- 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
- 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
selection_cli:
CommandLine|contains|windash: '/format:'
CommandLine|contains:
- '://'
- '\\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
service: powershell-classic
definition: fields have to be extract from event
detection:
selection:
Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
view Sigma YAML
title: Potential Renamed Rundll32 Execution
id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
related:
- id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
type: derived
status: test
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2023-02-03
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'DllRegisterServer'
filter:
Image|endswith: '\rundll32.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential RipZip Attack on Startup Folder
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
view Sigma YAML
title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: test
description: |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
references:
- https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022-07-21
modified: 2023-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: file_event
product: windows
detection:
selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
TargetFilename|contains|all:
- '\Microsoft\Windows\Start Menu\Programs\Startup'
- '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
Image|endswith: '\explorer.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
view Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
status: test
description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
references:
- https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\RjvPlatform.dll'
Image: '\SystemResetPlatform.exe'
filter_main_legit_path:
Image|startswith: 'C:\Windows\System32\SystemResetPlatform\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
view Sigma YAML
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
# Example:
# rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
# Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
view Sigma YAML
title: Potential Ryuk Ransomware Activity
id: c37510b8-2107-4b78-aa32-72f251e7a844
related:
- id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
type: similar
- id: 0acaad27-9f02-4136-a243-c357202edd74
type: obsolete
status: stable
description: Detects Ryuk ransomware activity
references:
- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
date: 2019-12-16
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_reg:
CommandLine|contains|all:
- 'Microsoft\Windows\CurrentVersion\Run'
- 'C:\users\Public\'
selection_del:
CommandLine|contains|all:
- 'del /s /f /q c:\'
- '\*.bac'
- '\*.bak'
- '\*.bkf'
selection_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains|all:
- ' stop '
- ' /y'
CommandLine|contains:
- 'samss'
- 'audioendpointbuilder'
- 'unistoresvc_'
- 'AcrSch2Svc'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
view Sigma YAML
title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://www.google.com/search?q=%22reg.exe+save%22+sam
- https://github.com/HuskyHacks/ShadowSteal
- https://github.com/FireFart/hivenightmare
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
category: file_event
detection:
selection:
- TargetFilename|endswith:
- '\Temp\sam'
- '\sam.sav'
- '\Intel\sam'
- '\sam.hive'
- '\Perflogs\sam'
- '\ProgramData\sam'
- '\Users\Public\sam'
- '\AppData\Local\sam'
- '\AppData\Roaming\sam'
- '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
- '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
- ':\sam'
- TargetFilename|contains:
- '\hive_sam_' # https://github.com/FireFart/hivenightmare
- '\sam.save'
- '\sam.export'
- '\~reg_sam.save'
- '\sam_backup'
- '\sam.bck'
- '\sam.backup'
condition: selection
falsepositives:
- Rare cases of administrative activity
level: high
Convert to SIEM query
high
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
view Sigma YAML
title: Potential SAP NetViewer Webshell Command Execution
id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
status: experimental
description: |
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
references:
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
- attack.persistence
- attack.t1505.003
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-31324
logsource:
category: webserver
detection:
selection_uri:
cs-uri-stem|contains|all:
- '/irj/'
- '.jsp'
selection_query:
- cs-uri-query|startswith:
- 'cmd='
- 'command='
- 'exec_cmd='
- 'exec='
- cs-uri-query|contains:
- '/dev/tcp'
- '/etc/passwd'
- '%2fdev%2ftcp' # URL encoded of /dev/tcp
- '%2fetc%2fpasswd' # URL encoded of /etc/passwd
- '=uname'
- '=whoami'
- 'ifconfig'
- 'ping'
- 'pwd'
- cs-uri-query|contains|all:
- 'echo'
- 'base64'
condition: all of selection_*
falsepositives:
- Legitimate applications using cmd parameter for non-malicious purposes
level: high
Convert to SIEM query
high
Potential SNAKE Malware Installation Binary Indicator
Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
view Sigma YAML
title: Potential SNAKE Malware Installation Binary Indicator
id: d91ff53f-fd0c-419d-a6b8-ae038d5c3733
status: test
description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\jpsetup.exe'
- '\jpinst.exe'
filter_main_cli_name:
CommandLine:
- 'jpinst.exe'
- 'jpinst'
- 'jpsetup.exe'
- 'jpsetup'
filter_main_cli_empty:
CommandLine: ''
filter_main_cli_null:
CommandLine: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
Showing 951-1000 of 1,715