
Sigma (generic) detection rules

1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.

Get the raw rules from SigmaHQ Detection Rules: the raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

Detection rules

50 shown of 1,715
high
Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
status: test · author: Florian Roth (Nextron Systems) · id: 18da1007-3f26-470f-875d-f77faf1cab31
title: Ps.exe Renamed SysInternals Tool
id: 18da1007-3f26-470f-875d-f77faf1cab31
status: test
description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
references:
    - https://www.us-cert.gov/ncas/alerts/TA17-293A
author: Florian Roth (Nextron Systems)
date: 2017-10-22
modified: 2023-05-02
tags:
    - attack.stealth
    - attack.g0035
    - attack.t1036.003
    - car.2013-05-009
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ps.exe -accepteula'
            - '-s cmd /c netstat'
    condition: selection
falsepositives:
    - Renamed SysInternals tool
level: high
high
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
status: test · author: Florian Roth (Nextron Systems) · id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
      type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\PSEXESVC.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection
falsepositives:
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
high
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
status: test · author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
high
Publicly Accessible RDP Service
Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
status: test · author: Josh Brower @DefensiveDepth · id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
title: Publicly Accessible RDP Service
id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
status: test
description: |
    Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
author: Josh Brower @DefensiveDepth
date: 2020-08-22
modified: 2024-03-13
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.orig_h|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '2620:83:8000::/48'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    # approved_rdp:
      # dst_ip:
        # - x.x.x.x
    condition: not selection # and not approved_rdp
falsepositives:
    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
level: high
high
Pulse Connect Secure RCE Attack CVE-2021-22893
This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
status: stable · author: Sittikorn S · id: 5525edac-f599-4bfd-b926-3fa69860e766
title: Pulse Connect Secure RCE Attack CVE-2021-22893
id: 5525edac-f599-4bfd-b926-3fa69860e766
status: stable
description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
references:
    - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
    - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
author: Sittikorn S
date: 2021-06-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-22893
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains:
            - '/dana-na/auth/'
            - '/dana-ws/'
            - '/dana-cached/'
    selection2:
        cs-uri-query|contains:
            - '?id='
            - '?token='
            - 'Secid_canceltoken.cgi'
            - 'CGI::param'
            - 'meeting'
            - 'smb'
            - 'namedusers'
            - 'metric'
    condition: all of selection*
falsepositives:
    - Vulnerability Scanning
level: high
high
PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
status: test · author: Sreeman · id: 0506a799-698b-43b4-85a1-ac4c84c720e9
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022-01-26
modified: 2024-09-11
tags:
    - attack.privilege-escalation
    - attack.t1548.001
    - detection.emerging-threats
    - cve.2021-4034
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Python Function Execution Security Warning Disabled In Excel
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
status: test · author: @Kostastsale · id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
title: Python Function Execution Security Warning Disabled In Excel
id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
related:
    - id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: '@Kostastsale'
date: 2023-08-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Office\'
            - '\Excel\Security'
            - 'PythonFunctionWarnings'
        CommandLine|contains: ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
status: test · author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale · id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
title: Python Function Execution Security Warning Disabled In Excel - Registry
id: 17e53739-a1fc-4a62-b1b9-87711c2d5e44
related:
    - id: 023c654f-8f16-44d9-bb2b-00ff36a62af9
      type: similar
status: test
description: |
    Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
    Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
references:
    - https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
author: Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2024-08-23
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Security\PythonFunctionWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Python One-Liners with Base64 Decoding
Detects Python one-liners that use base64 decoding functions in command line executions. Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
status: experimental · author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) · id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
title: Python One-Liners with Base64 Decoding
id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
related:
    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
      type: similar
status: experimental
description: |
    Detects Python one-liners that use base64 decoding functions in command line executions.
    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\python'
        - OriginalFileName|contains: 'python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
high
Python One-Liners with Base64 Decoding - Linux
Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
status: experimental · author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems) · id: 55e862a8-dd9c-4651-807a-f21fcad56716
title: Python One-Liners with Base64 Decoding - Linux
id: 55e862a8-dd9c-4651-807a-f21fcad56716
related:
    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
      type: similar
status: experimental
description: |
    Detects the use of Python's base64 decoding functions in command line executions on Linux systems.
    Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
references:
    - https://docs.python.org/3/library/base64.html
    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.006
    - attack.t1027.010
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains: '/python'
    selection_cli:
        CommandLine|contains|all:
            - 'import'
            - 'base64'
            - ' -c'
        CommandLine|contains:
            - '.decode'
            - 'b16decode'
            - 'b32decode'
            - 'b32hexdecode'
            - 'b64decode'
            - 'b85decode'
            - 'z85decode'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
level: high
high
Python Reverse Shell Execution Via PTY And Socket Modules
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
status: test · author: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems) · id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
title: Python Reverse Shell Execution Via PTY And Socket Modules
id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
related:
    - id: c4042d54-110d-45dd-a0e1-05c47822c937
      type: similar
status: test
description: |
    Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
references:
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-24
modified: 2024-11-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'python'
        CommandLine|contains|all:
            - ' -c '
            - 'import'
            - 'pty'
            - 'socket'
            - 'spawn'
            - '.connect'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Python Spawning Pretty TTY on Windows
Detects python spawning a pretty tty
status: test · author: Nextron Systems · id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
title: Python Spawning Pretty TTY on Windows
id: 480e7e51-e797-47e3-8d72-ebfce65b6d8d
related:
    - id: 899133d5-4d7c-4a7f-94ee-27355c879d90
      type: derived
status: test
description: Detects python spawning a pretty tty
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - 'python.exe' # no \ bc of e.g. ipython.exe
            - 'python3.exe'
            - 'python2.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'import pty'
            - '.spawn('
    selection_cli_2:
        CommandLine|contains: 'from pty import spawn'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
high
Qakbot Regsvr32 Calc Pattern
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
    - https://github.com/pr0xylife/Qakbot/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
modified: 2024-03-05
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains|windash: ' -s'
        CommandLine|endswith: ' calc'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Qakbot Uninstaller Execution
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
status: test · author: Florian Roth (Nextron Systems) · id: bc309b7a-3c29-4937-a4a3-e232473f9168
title: Qakbot Uninstaller Execution
id: bc309b7a-3c29-4937-a4a3-e232473f9168
status: test
description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
references:
    - https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources
    - https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community
    - https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
author: Florian Roth (Nextron Systems)
date: 2023-08-31
modified: 2023-09-01
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\QbotUninstall.exe'
        - Hashes|contains:
              - 'IMPHASH=E772C815072311D6FB8C3390743E6BE5'
              - 'SHA256=423A9D13D410E2DC38EABB9FDF3121D2072472D0426260283A638B822DCD5180'
              - 'SHA256=559CAE635F0D870652B9482EF436B31D4BB1A5A0F51750836F328D749291D0B6'
              - 'SHA256=855EB5481F77DDE5AD8FA6E9D953D4AEBC280DDDF9461144B16ED62817CC5071'
              - 'SHA256=FAB408536AA37C4ABC8BE97AB9C1F86CB33B63923D423FDC2859EB9D63FA8EA0'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
title: Query Tor Onion Address - DNS Client
id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS resolution of an .onion address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
RDP Connection Allowed Via Netsh.EXE
Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
status: test · author: Sander Wiebing · id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
title: RDP Connection Allowed Via Netsh.EXE
id: 01aeb693-138d-49d2-9403-c4f52d7d3d62
status: test
description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
references:
    - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
author: Sander Wiebing
date: 2020-05-23
modified: 2023-12-11
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        # Example:
        #   Old: netsh firewall add portopening TCP 3389 "Open Port 3389"
        #   New: netsh advfirewall firewall add rule name= "Open Port 3389" dir=in action=allow protocol=TCP localport=3389
        CommandLine|contains|all:
            - 'firewall '
            - 'add '
            - 'tcp '
            - '3389'
        CommandLine|contains:
            - 'portopening'
            - 'allow'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
high
RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
status: test · author: Thomas Patzke · id: 51e33403-2a37-4d66-a574-1fda1782cc31
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - car.2013-07-002
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        IpAddress:
            - '::1'
            - '127.0.0.1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
status: test · author: Samir Bousseaden · id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
RDP Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
status: test · author: Florian Roth (Nextron Systems), oscd.community · id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
title: RDP Port Forwarding Rule Added Via Netsh.EXE
id: 782d6f3e-4c5d-4b8c-92a3-1d05fed72e63
status: test
description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-01-29
modified: 2023-02-13
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' i'
            - ' p'
            - '=3389'
            - ' c'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: high
high
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

Below is a list of registry keys/values that are monitored by this rule:

- Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
- DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
- DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
- fAllowUnsolicited: Allows unsolicited remote assistance offers.
- fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
- InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
- ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
- SecurityLayer: Specifies the security layer used for RDP connections.

status: test · author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali · id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
      type: obsolete
    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
      type: obsolete
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

    Below is a list of registry keys/values that are monitored by this rule:

    - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
    - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
    - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
    - fAllowUnsolicited: Allows unsolicited remote assistance offers.
    - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
    - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
    - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
    - SecurityLayer: Specifies the security layer used for RDP connections.
references:
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RDP technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RDP technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_shadow:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith: '\Shadow'
        Details:
            - 'DWORD (0x00000001)' # Full Control with user’s permission
            - 'DWORD (0x00000002)' # Full Control without user’s permission
            - 'DWORD (0x00000003)' # View Session with user’s permission
            - 'DWORD (0x00000004)' # View Session without user’s permission
    selection_terminal_services_key:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith:
            - '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
            - '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
            - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
            - '\fAllowUnsolicitedFullControl'
        Details: 'DWORD (0x00000001)'
    selection_tamper_only:
        # Any changes to these keys should be suspicious and looked at
        TargetObject|contains:
            - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
            - '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
            - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
    filter_main_securitylayer_tls:
        TargetObject|endswith: '\SecurityLayer'
        Details: 'DWORD (0x00000002)' # TLS Enabled
    condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high
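To see exactly which of the values listed above fire, and how the `filter_main_securitylayer_tls` filter suppresses a benign change, here is the rule's detection block re-implemented over a few constructed Sysmon Event ID 13 records. This is an added example, not SigmaHQ or pySigma code: the matcher supports only the Sigma features this rule uses, the event dictionaries and registry paths are constructed, and the `Details` strings follow Sysmon's default `DWORD (0x00000001)` rendering. The last sample shows that `fDenyTSConnections`, although named in the description, is not covered by any selection of this rule.

```python
"""Evaluate the 'RDP Sensitive Settings Changed' detection block over constructed
Sysmon Event ID 13 records. Added example, not SigmaHQ or pySigma code: it implements
only the Sigma features this rule uses (contains, endswith, value lists, |all, and the
'... and not 1 of filter_main_*' condition)."""


def _matches(value, pattern, mods):
    # Sigma string matching is case-insensitive; the modifiers decide the comparison.
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "endswith" in mods:
        return v.endswith(p)
    if "startswith" in mods:
        return v.startswith(p)
    return v == p


def match_selection(event, selection):
    """Every key of a selection must match (AND); a value list is OR, or AND with |all."""
    for key, patterns in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [_matches(event[field], p, mods) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


TS_PATHS = ["\\Control\\Terminal Server\\", "\\Windows NT\\Terminal Services\\"]
DWORD = "DWORD (0x{:08x})".format   # Sysmon renders DWORD data as 'DWORD (0x00000001)'

RDP_RULE = {  # transcription of the rule's detection block
    "selection_shadow": {
        "TargetObject|contains": TS_PATHS,
        "TargetObject|endswith": "\\Shadow",
        "Details": [DWORD(1), DWORD(2), DWORD(3), DWORD(4)],
    },
    "selection_terminal_services_key": {
        "TargetObject|contains": TS_PATHS,
        "TargetObject|endswith": ["\\DisableRemoteDesktopAntiAlias", "\\DisableSecuritySettings",
                                  "\\fAllowUnsolicited", "\\fAllowUnsolicitedFullControl"],
        "Details": DWORD(1),
    },
    "selection_tamper_only": {
        "TargetObject|contains": [
            "\\Control\\Terminal Server\\InitialProgram",
            "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\InitialProgram",
            "\\services\\TermService\\Parameters\\ServiceDll",
            "\\Terminal Server\\WinStations\\RDP-Tcp\\SecurityLayer",
            "\\Windows NT\\Terminal Services\\InitialProgram",
        ],
    },
    "filter_main_securitylayer_tls": {
        "TargetObject|endswith": "\\SecurityLayer",
        "Details": DWORD(2),
    },
}


def evaluate(event, rule=RDP_RULE):
    """condition: (1 of selection_*) and not 1 of filter_main_*"""
    selected = any(match_selection(event, s) for n, s in rule.items() if n.startswith("selection_"))
    filtered = any(match_selection(event, s) for n, s in rule.items() if n.startswith("filter_main_"))
    return selected and not filtered


def _ev(target, details):
    # Constructed Sysmon EID 13 record (the registry_set category already implies EventType SetValue).
    return {"EventType": "SetValue", "TargetObject": target, "Details": details}


TS = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\"
POL = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\"
SAMPLES = {
    "shadow_no_consent": _ev(TS + "Shadow", DWORD(2)),
    "unsolicited_ra": _ev(POL + "fAllowUnsolicited", DWORD(1)),
    "securitylayer_tls": _ev(TS + "WinStations\\RDP-Tcp\\SecurityLayer", DWORD(2)),   # benign, filtered
    "securitylayer_rdp": _ev(TS + "WinStations\\RDP-Tcp\\SecurityLayer", DWORD(0)),   # downgrade, alerts
    "termservice_dll": _ev("HKLM\\System\\CurrentControlSet\\Services\\TermService\\Parameters\\ServiceDll",
                           "C:\\Windows\\Temp\\x.dll"),
    "enable_rdp": _ev(TS + "fDenyTSConnections", DWORD(0)),   # named in the description, matched by no selection
}


def run(samples=SAMPLES):
    return {name: evaluate(ev) for name, ev in samples.items()}
```

Two adaptation points matter when porting this rule: the `registry_set` category maps to Sysmon Event ID 13, and `Details` is Sysmon's string rendering of the DWORD. A pipeline that coerces registry data to integers will never match `DWORD (0x00000002)`, so the TLS filter silently stops working and every `SecurityLayer` write alerts, while the DWORD-valued selections stop firing altogether.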
high
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
status test author Samir Bousseaden id 5bed80b6-b3e8-428e-a3ae-d3c757589e41
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor:  # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
    - Programs that connect locally to the RDP port
level: high
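This rule keys on Windows Security Event ID 5156 rather than on Sysmon, which changes what the field values look like: `Application` is a `\device\harddiskvolumeN\...` path rather than a drive-letter path, addresses and ports arrive as strings, and `127.*` is a Sigma wildcard, i.e. a prefix match. The following added example (not part of the rule or of SigmaHQ) parses constructed 5156 XML records into those fields and applies both halves of the condition plus the two filters.

```python
"""Parse Windows Security Event ID 5156 XML into the fields used by
'RDP over Reverse SSH Tunnel WFP' and apply the rule's condition.
Added example, not SigmaHQ code; the XML records below are constructed."""
import xml.etree.ElementTree as ET

XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": XMLNS}


def parse_5156(xml_text):
    """Flatten one Security-log record: EventID from <System>, every <Data Name=...> from <EventData>."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def _loopback(addr):
    # Sigma's '127.*' is a wildcard, i.e. a prefix match; '::1' is an exact value.
    return addr.startswith("127.") or addr == "::1"


def is_rdp_loopback(f):
    """selection and (sourceRDP or destinationRDP) and not 1 of filter*"""
    if f.get("EventID") != "5156":
        return False
    if f.get("FilterOrigin") == "AppContainer Loopback":          # filter_app_container
        return False
    # Application in 5156 is a \device\harddiskvolumeN\... path, so endswith is the right test.
    if f.get("Application", "").lower().endswith(("\\thor.exe", "\\thor64.exe")):   # filter_thor
        return False
    source_rdp = f.get("SourcePort") == "3389" and _loopback(f.get("DestAddress", ""))
    dest_rdp = f.get("DestPort") == "3389" and _loopback(f.get("SourceAddress", ""))
    return source_rdp or dest_rdp


def _record(app, direction, src, sport, dst, dport, origin=""):
    # Constructed 5156 record; %%14592 = Inbound, %%14593 = Outbound in the real event.
    return (f'<Event xmlns="{XMLNS}"><System><EventID>5156</EventID></System><EventData>'
            f'<Data Name="Application">{app}</Data><Data Name="Direction">{direction}</Data>'
            f'<Data Name="SourceAddress">{src}</Data><Data Name="SourcePort">{sport}</Data>'
            f'<Data Name="DestAddress">{dst}</Data><Data Name="DestPort">{dport}</Data>'
            f'<Data Name="Protocol">6</Data><Data Name="FilterOrigin">{origin}</Data>'
            f'</EventData></Event>')


SVCHOST = "\\device\\harddiskvolume2\\windows\\system32\\svchost.exe"
SAMPLES = {
    "tunnel_inbound": _record(SVCHOST, "%%14592", "127.0.0.1", "49321", "127.0.0.1", "3389"),
    "tunnel_outbound": _record(SVCHOST, "%%14593", "127.0.0.1", "3389", "127.0.0.1", "49321"),
    "appcontainer": _record(SVCHOST, "%%14592", "127.0.0.1", "49500", "127.0.0.1", "3389",
                            "AppContainer Loopback"),
    "lan_rdp": _record(SVCHOST, "%%14592", "10.0.0.5", "50000", "10.0.0.20", "3389"),
}


def run(samples=SAMPLES):
    return {name: is_rdp_loopback(parse_5156(xml)) for name, xml in samples.items()}
```

Event ID 5156 is only written when the advanced audit policy Object Access > Audit Filtering Platform Connection is enabled for Success, and it is among the noisiest Security events, so collect it with a pre-filter on port 3389 or on the loopback range rather than wholesale. `Direction` is not consulted because the rule covers the inbound (`DestPort: 3389`) and outbound (`SourcePort: 3389`) halves explicitly.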
high
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
status test author Florian Roth (Nextron Systems) id b1e5da3b-ca8e-4adf-915c-9921f3d85481
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Unknown
level: high
high
RTCore Suspicious Service Installation
Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver
status test author Nasreddine Bencherchali (Nextron Systems) id 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
title: RTCore Suspicious Service Installation
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
status: test
description: Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver
references:
    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'RTCore64'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
status test author Florian Roth (Nextron Systems) id a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of selection*
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high
high
Rar Usage with Password and Compression Level
Detects rar.exe being used on the command line to create a password-protected archive (-hp) in combination with a compression level (-m) or the add command (a). This combination is a strong indicator of collected data being staged for exfiltration.
status test author @ROxPinTeddy id faa48cae-6b25-4f00-a094-08947fef582f
title: Rar Usage with Password and Compression Level
id: faa48cae-6b25-4f00-a094-08947fef582f
status: test
description: Detects rar.exe being used on the command line to create a password-protected archive (-hp) in combination with a compression level (-m) or the add command (a). This combination is a strong indicator of collected data being staged for exfiltration.
references:
    - https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
    - https://ss64.com/bash/rar.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-03-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_password:
        CommandLine|contains: ' -hp'
    selection_other:
        CommandLine|contains:
            - ' -m'
            - ' a '
    condition: selection_password and selection_other
falsepositives:
    - Legitimate use of Winrar command line version
    - Other command line tools, that use these flags
level: high
high
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
status test author Perez Diego (@darkquassar), oscd.community id 02d1d718-dd13-41af-989d-ea85c7fab93f
title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high
high
Raspberry Robin Initial Execution From External Drive
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
status test author @kostastsale id 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
title: Raspberry Robin Initial Execution From External Drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
related:
    - id: d52d2e87-eb03-4fac-961d-eb616da79788
      type: similar
status: test
description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains: '/r'
        ParentCommandLine|endswith:
            - '.bin'
            - '.ico'
            - '.lnk'
            - '.lo'
            - '.sv'
            - '.usb'
    selection_child_img:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: '/q'
    selection_child_http:
        CommandLine|contains:
            - 'http:'
            - 'https:'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Raspberry Robin Subsequent Execution of Commands
Detects Raspberry Robin's subsequent execution of commands.
status test author @kostastsale id d52d2e87-eb03-4fac-961d-eb616da79788
title: Raspberry Robin Subsequent Execution of Commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
related:
    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
      type: similar
status: test
description: Detects Raspberry Robin's subsequent execution of commands.
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - 'odbcconf.exe'
            - 'regsvr'
            - 'shellexec_rundll'
        CommandLine|contains:
            - 'installdriver'
            - 'setfiledsndir'
            - 'vkipdse'
        CommandLine|endswith|windash:
            - '/a'
            - '/f'
            - '/s'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Raw Paste Service Access
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
status test author Florian Roth (Nextron Systems) id 5468045b-4fcc-4d1a-973c-c9c9578edacb
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
high
Recon Activity via SASec
Detects remote RPC calls to read information about scheduled tasks via SASec
status test author Sagie Dulce, Dekel Paz id 0a3ff354-93fc-4273-8a03-1078782de5b7
title: Recon Activity via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
status: test
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Reconnaissance Activity
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
status test author Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community id 968eef52-9cff-4454-8992-1e74b9cbad6c
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high
high
RedMimicry Winnti Playbook Registry Manipulation
Detects actions caused by the RedMimicry Winnti playbook
status test author Alexander Rausch id 5b175490-b652-4b02-b1de-5b5b4083c5f8
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
    - https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection
falsepositives:
    - Unknown
level: high
high
RedSun - Conhost.exe Spawned by TieringEngineService.exe
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost id 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
status: experimental
description: |
    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
    Observed process chain
      services.exe
        → TieringEngineService.exe
          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)

    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
      calls CreateProcessAsUser to spawn conhost.exe with no arguments.

    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
references:
    - https://github.com/Nightmare-Eclipse/RedSun
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
    selection_tiering_to_conhost:
        ParentImage|endswith: '\TieringEngineService.exe'
        Image|endswith: '\conhost.exe'
        CommandLine|endswith: 'conhost.exe"'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
    selection_shell_full_chain:
        GrandParentImage|endswith: '\TieringEngineService.exe'
        ParentImage|endswith: '\conhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
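The `definition` line warns that `GrandParentImage` is not a default process_creation field. With Sysmon you do not need an EDR to obtain it: Event ID 1 carries `ProcessGuid` and `ParentProcessGuid`, so the grandparent image is simply the `ParentImage` of the parent's own creation record. The added example below (not from the rule authors or the RedSun repository) derives that field by a self-join over a constructed set of Event ID 1 records and then applies both stages of the rule; the GUIDs, paths and users are made up for the example.

```python
"""Derive GrandParentImage from Sysmon Event ID 1 and apply both stages of
'RedSun - Conhost.exe Spawned by TieringEngineService.exe'.
Added example; the GUIDs, paths and users below are constructed."""

USER_MARKERS = ("authori", "autori", "$")          # the rule's User|contains list, lowercased
SHELLS = ("\\cmd.exe", "\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")


def add_grandparent(events):
    """Self-join: the grandparent image is the ParentImage of the parent's own EID 1 record.
    Returns copies of the events with a GrandParentImage key (None when the parent's record
    was not collected, e.g. it started before Sysmon or outside the query window)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    enriched = []
    for e in events:
        parent = by_guid.get(e["ParentProcessGuid"])
        enriched.append({**e, "GrandParentImage": parent["ParentImage"] if parent else None})
    return enriched


def _system_user(user):
    u = user.lower()
    return any(m in u for m in USER_MARKERS)


def _ends(value, suffixes):
    # Case-insensitive endswith that also tolerates a missing (None) value.
    return value is not None and value.lower().endswith(suffixes)


def stage1(e):
    """selection_tiering_to_conhost: TieringEngineService.exe spawns an argument-less conhost.exe."""
    return (_ends(e["ParentImage"], ("\\tieringengineservice.exe",))
            and _ends(e["Image"], ("\\conhost.exe",))
            and _ends(e["CommandLine"], ('conhost.exe"',))
            and _system_user(e["User"]))


def stage2(e):
    """selection_shell_full_chain: needs the derived GrandParentImage."""
    return (_ends(e.get("GrandParentImage"), ("\\tieringengineservice.exe",))
            and _ends(e["ParentImage"], ("\\conhost.exe",))
            and _ends(e["Image"], SHELLS)
            and _system_user(e["User"]))


def detect_redsun(events):
    """Return (stage, Image) for every event that satisfies one of the rule's selections."""
    hits = []
    for e in add_grandparent(events):
        if stage1(e):
            hits.append(("stage1", e["Image"]))
        if stage2(e):
            hits.append(("stage2", e["Image"]))
    return hits


SYS32 = "C:\\Windows\\System32\\"
SYSTEM = "NT AUTHORITY\\SYSTEM"


def _ev(guid, parent_guid, image, parent_image, cmdline, user):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline, "User": user}


SAMPLE_EVENTS = [
    # malicious chain: services.exe (record not collected) -> TieringEngineService.exe -> conhost.exe -> cmd.exe
    _ev("{g-1}", "{g-0}", SYS32 + "TieringEngineService.exe", SYS32 + "services.exe",
        SYS32 + "TieringEngineService.exe", SYSTEM),
    _ev("{g-2}", "{g-1}", SYS32 + "conhost.exe", SYS32 + "TieringEngineService.exe",
        '"' + SYS32 + 'conhost.exe"', SYSTEM),
    _ev("{g-3}", "{g-2}", SYS32 + "cmd.exe", SYS32 + "conhost.exe",
        '"' + SYS32 + 'cmd.exe"', SYSTEM),
    # benign: an interactive cmd.exe gets its usual console host, launched with the 0x4 argument
    _ev("{g-4}", "{g-9}", SYS32 + "cmd.exe", "C:\\Windows\\explorer.exe",
        '"' + SYS32 + 'cmd.exe"', "CORP\\alice"),
    _ev("{g-5}", "{g-4}", SYS32 + "conhost.exe", SYS32 + "cmd.exe",
        "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0x4", "CORP\\alice"),
]
```

The join only works when the parent's creation event was collected; a parent that started before Sysmon or outside the query window yields `GrandParentImage = None`, and stage 2 then depends on stage 1 alone. Stage 1 keys on a command line that ends in `conhost.exe"` with nothing after the closing quote, which is what separates the rogue console host from the `conhost.exe 0x4` invocations Windows itself produces for interactive shells.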
high
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains:
            # Add more suspicious registry locations below
            - '\AppDataLow\Software\Microsoft\'
            - '\Policies\Microsoft\Windows\OOBE'
            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
            - '\Microsoft\Windows Defender\'
    condition: all of selection_*
falsepositives:
    - Rare legitimate add to registry via cli (to these locations)
level: high
high
Regedit as Trusted Installer
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
status test author Florian Roth (Nextron Systems) id 883835a7-df45-43e4-bf1d-4268768afda4
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
status test author Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community id 12e6d621-194f-4f59-90cc-1959e21e69f7
title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
status: test
description: Detects potential use of Rubeus via registered new trusted logon process
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
status test author frack113 id 5de03871-5d46-4539-a82d-3aa992a69a83
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
      type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
high
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · id: c0e0bdec-3e3d-47aa-9974-05539c999c89
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # The legitimate value contains 'oci.dll'; the condition excludes it, so the rule fires when the library name is changed to something else (e.g. evil.dll)
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # The legitimate path is under '%SystemRoot%\System32\'; the condition excludes it, so the rule fires when the path is redirected elsewhere (e.g. 'C:\Windows\Temp\')
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high
high
Registry Persistence Mechanisms in Recycle Bin
Detects persistence registry keys for Recycle Bin
status: test · author: frack113 · id: 277efb8f-60be-4f10-b4d3-037802f37167
title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
status: test
description: Detects persistence registry keys for Recycle Bin
references:
    - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
    - https://persistence-info.github.io/Data/recyclebin.html
    - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
author: frack113
date: 2021-11-18
modified: 2022-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection_create:
        EventType: RenameKey
        NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
    selection_set:
        EventType: SetValue
        TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Registry Persistence via Explorer Run Key
Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
status: test · author: Florian Roth (Nextron Systems), oscd.community · id: b7916c2a-fa2f-4795-9477-32b731f70f11
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
status: test · author: frack113 · id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4
high
Regsvr32 DLL Execution With Suspicious File Extension
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
status: test · author: Florian Roth (Nextron Systems), frack113 · id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
            - '.bin'
            - '.bmp'
            - '.cr2'
            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.log'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.rtf'
            - '.sr2'
            - '.temp'
            - '.tif'
            - '.tiff'
            - '.tmp'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Regsvr32 Execution From Highly Suspicious Location
Detects execution of regsvr32 where the DLL is located in a highly suspicious location
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 327ff235-94eb-4f06-b9de-aaee571324be
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: test
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious location
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_path_1:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - '\Windows\Registration\CRMLog'
            - '\Windows\System32\com\dmp\'
            - '\Windows\System32\FxsTmp\'
            - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - '\Windows\System32\spool\drivers\color\'
            - '\Windows\System32\spool\PRINTERS\'
            - '\Windows\System32\spool\SERVERS\'
            - '\Windows\System32\Tasks_Migrated\'
            - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\SysWOW64\com\dmp\'
            - '\Windows\SysWOW64\FxsTmp\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\Tasks\'
            - '\Windows\Tracing\'
    selection_path_2:
        CommandLine|contains:
            # This is to avoid collisions with CLI starting with "C:\"
            - ' "C:\'
            - ' C:\'
            - " 'C:\\"
            - 'D:\'
    selection_exclude_known_dirs:
        CommandLine|contains:
            # Note: add additional locations that are related to third party applications
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Users\'
            # Note: The space added here are to avoid collisions with the "regsvr32" binary full path
            - ' C:\Windows\'
            - ' "C:\Windows\'
            - " 'C:\\Windows\\"
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: a133193c-2daa-4a29-8022-018695fcf0ae
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1190
    - attack.t1505.003
    - cve.2014-6287
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
status: test · author: Florian Roth (Nextron Systems), Arnim Rupp · id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
high
Relevant ClamAV Message
Detects relevant ClamAV messages
status: stable · author: Florian Roth (Nextron Systems) · id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
    - attack.resource-development
    - attack.t1588.001
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
status: test · author: Ján Trenčanský · id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high
high
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status: test · author: Florian Roth (Nextron Systems) · id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
    - id: b52e84a3-029e-4529-b09b-71d19dd27e94
      type: similar
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-05-20
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    filter:
        Image|contains:
            - '\AppData\'
            - 'Program Files (x86)\AnyDesk'
            - 'Program Files\AnyDesk'
    condition: selection and not filter
falsepositives:
    - Legitimate use of AnyDesk from a non-standard folder
level: high
high
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status: experimental · author: Norbert Jaśniewicz (AlphaSOC) · id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Showing 1101-1150 of 1,715