
Sigma (generic) detection rules

3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules: the raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Rules indexed per ATT&CK tactic: Reconnaissance 12 · Resource Development 10 · Initial Access 10 · Execution 30 · Persistence 43 · Privilege Escalation 20 · Stealth 83 · Defense Impairment 32 · Credential Access 35 · Discovery 33 · Lateral Movement 16 · Collection 20 · Command and Control 24 · Exfiltration 10 · Impact 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate is derived from the rule's shape, not from a measured false-positive rate, so use it to decide what to tune first, before you deploy.

Detection rules

50 shown of 3,750
Raspberry Robin Initial Execution From External Drive
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
Status: test · Author: @kostastsale · ATT&CK mapping: sub-technique · ID: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
Sigma YAML:
title: Raspberry Robin Initial Execution From External Drive
id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
related:
    - id: d52d2e87-eb03-4fac-961d-eb616da79788
      type: similar
status: test
description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains: '/r'
        ParentCommandLine|endswith:
            - '.bin'
            - '.ico'
            - '.lnk'
            - '.lo'
            - '.sv'
            - '.usb'
    selection_child_img:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: '/q'
    selection_child_http:
        CommandLine|contains:
            - 'http:'
            - 'https:'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

Raspberry Robin Subsequent Execution of Commands
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects Raspberry Robin subsequent execution of commands.
Status: test · Author: @kostastsale · ATT&CK mapping: sub-technique · ID: d52d2e87-eb03-4fac-961d-eb616da79788
Sigma YAML:
title: Raspberry Robin Subsequent Execution of Commands
id: d52d2e87-eb03-4fac-961d-eb616da79788
related:
    - id: 2c6bea3a-ef58-4f2e-a775-4928f6b7c58a
      type: similar
status: test
description: Detects raspberry robin subsequent execution of commands.
references:
    - https://redcanary.com/blog/raspberry-robin/
author: '@kostastsale'
date: 2022-05-06
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\fodhelper.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - 'odbcconf.exe'
            - 'regsvr'
            - 'shellexec_rundll'
        CommandLine|contains:
            - 'installdriver'
            - 'setfiledsndir'
            - 'vkipdse'
        CommandLine|endswith|windash:
            - '/a'
            - '/f'
            - '/s'
    condition: selection
falsepositives:
    - Unlikely
level: high

Raw Paste Service Access
Level: high · Quality: Moderate · Alert volume: High FP
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · ID: 5468045b-4fcc-4d1a-973c-c9c9578edacb
Sigma YAML:
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high

Recon Activity via SASec
Level: high · Quality: Strong · Alert volume: Low FP
Detects remote RPC calls to read information about scheduled tasks via SASec.
Status: test · Author: Sagie Dulce, Dekel Paz · ATT&CK mapping: tactic-only · ID: 0a3ff354-93fc-4273-8a03-1078782de5b7
Sigma YAML:
title: Recon Activity via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
status: test
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

Reconnaissance Activity
Level: high · Quality: Strong · Alert volume: Low FP
Detects activity such as "net user administrator /domain" and "net group domain admins /domain".
Status: test · Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community · ATT&CK mapping: sub-technique · ID: 968eef52-9cff-4454-8992-1e74b9cbad6c
Sigma YAML:
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high

RedMimicry Winnti Playbook Registry Manipulation
Level: high · Quality: Moderate · Alert volume: High FP
Detects actions caused by the RedMimicry Winnti playbook.
Status: test · Author: Alexander Rausch · ATT&CK mapping: technique · ID: 5b175490-b652-4b02-b1de-5b5b4083c5f8
Sigma YAML:
title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
    - https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection
falsepositives:
    - Unknown
level: high

RedSun - Conhost.exe Spawned by TieringEngineService.exe
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
Observed process chain: services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session).
Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.
Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost · ATT&CK mapping: sub-technique · ID: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
Sigma YAML:
title: RedSun - Conhost.exe Spawned by TieringEngineService.exe
id: 2ad78473-6978-40f5-b8f1-89c7e1c27a1a
status: experimental
description: |
    Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session.
    Observed process chain
      services.exe
        → TieringEngineService.exe
          → conhost.exe             (SYSTEM, CommandLine: bare path, no arguments)
            → cmd.exe / shell       (SYSTEM, TerminalSessionId = attacker's session)

    Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe:
      After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance
      / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId().
      This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then
      calls CreateProcessAsUser to spawn conhost.exe with no arguments.

    Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage):
      The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session.
      On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly.
      The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.
references:
    - https://github.com/Nightmare-Eclipse/RedSun
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: By default the process_creation type event might not contain the GrandParentImage. Make sure you collect such fields in order to use this rule'
detection:
    # Stage 1: TieringEngineService.exe (malicious) spawns conhost.exe with no arguments
    selection_tiering_to_conhost:
        ParentImage|endswith: '\TieringEngineService.exe'
        Image|endswith: '\conhost.exe'
        CommandLine|endswith: 'conhost.exe"'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    # Stage 2: full three-level chain for EDR sources that expose GrandParentImage
    # GrandParent=TieringEngineService.exe, Parent=conhost.exe, Image=shell process
    selection_shell_full_chain:
        GrandParentImage|endswith: '\TieringEngineService.exe'
        ParentImage|endswith: '\conhost.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        User|contains:
            - 'AUTHORI'
            - 'AUTORI'
            - '$'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

Reg Add Suspicious Paths
Level: high · Quality: Strong · Alert volume: High FP
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys.
Status: test · Author: frack113, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · ID: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
Sigma YAML:
title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains:
            # Add more suspicious registry locations below
            - '\AppDataLow\Software\Microsoft\'
            - '\Policies\Microsoft\Windows\OOBE'
            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
            - '\Microsoft\Windows Defender\'
    condition: all of selection_*
falsepositives:
    - Rare legitimate add to registry via cli (to these locations)
level: high

Regedit as Trusted Installer
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe.
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · ID: 883835a7-df45-43e4-bf1d-4268768afda4
Sigma YAML:
title: Regedit as Trusted Installer
id: 883835a7-df45-43e4-bf1d-4268768afda4
status: test
description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\regedit.exe'
        ParentImage|endswith:
            - '\TrustedInstaller.exe'
            - '\ProcessHacker.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high

Register new Logon Process by Rubeus
Level: high · Quality: Moderate · Alert volume: Low FP
Detects potential use of Rubeus via a newly registered trusted logon process.
Status: test · Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community · ATT&CK mapping: sub-technique · ID: 12e6d621-194f-4f59-90cc-1959e21e69f7
Sigma YAML:
title: Register new Logon Process by Rubeus
id: 12e6d621-194f-4f59-90cc-1959e21e69f7
status: test
description: Detects potential use of Rubeus via registered new trusted logon process
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019-10-24
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4611
        LogonProcessName: 'User32LogonProcesss'
    condition: selection
falsepositives:
    - Unknown
level: high

Registry Disable System Restore
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the modification of the registry to disable System Restore on the computer.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: 5de03871-5d46-4539-a82d-3aa992a69a83
Sigma YAML:
title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
    - id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
      type: similar
status: test
description: Detects the modification of the registry to disable a system restore on the computer
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows NT\SystemRestore'
            - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
        TargetObject|endswith:
            - DisableConfig
            - DisableSR
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
    - type: atomic-red-team
      name: Disable System Restore Through Registry
      technique: T1490
      atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f

Registry Export of Third-Party Credentials
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · ID: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
Sigma YAML:
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

Registry Modification for OCI DLL Redirection
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
Status: experimental · Author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · ID: c0e0bdec-3e3d-47aa-9974-05539c999c89
Sigma YAML:
title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # it is looking when oci.dll name is changed to something else like evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high

Registry Persistence Mechanisms in Recycle Bin
Level: high · Quality: Strong · Alert volume: Medium FP
Detects persistence registry keys for the Recycle Bin.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: 277efb8f-60be-4f10-b4d3-037802f37167
Sigma YAML:
title: Registry Persistence Mechanisms in Recycle Bin
id: 277efb8f-60be-4f10-b4d3-037802f37167
status: test
description: Detects persistence registry keys for Recycle Bin
references:
    - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
    - https://persistence-info.github.io/Data/recyclebin.html
    - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
author: frack113
date: 2021-11-18
modified: 2022-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection_create:
        EventType: RenameKey
        NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
    selection_set:
        EventType: SetValue
        TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

Registry Persistence via Explorer Run Key
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects a possible persistence mechanism using the Run key for Windows Explorer and pointing to a suspicious folder.
Status: test · Author: Florian Roth (Nextron Systems), oscd.community · ATT&CK mapping: sub-technique · ID: b7916c2a-fa2f-4795-9477-32b731f70f11
Sigma YAML:
title: Registry Persistence via Explorer Run Key
id: b7916c2a-fa2f-4795-9477-32b731f70f11
status: test
description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
references:
    - https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
author: Florian Roth (Nextron Systems), oscd.community
date: 2018-07-18
modified: 2023-12-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
        Details|contains:
            - ':\$Recycle.bin\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high

Registry Persistence via Service in Safe Mode
Level: high · Quality: Strong · Alert volume: Medium FP
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · ID: 1547e27c-3974-43e2-a7d7-7f484fb928ec
Sigma YAML:
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Control\SafeBoot\Minimal\'
            - '\Control\SafeBoot\Network\'
        TargetObject|endswith: '\(Default)'
        Details: 'Service'
    filter_optional_sophos:
        Image: 'C:\WINDOWS\system32\msiexec.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\SAVService\(Default)'
            - '\Control\SafeBoot\Network\SAVService\(Default)'
    filter_optional_mbamservice:
        Image|endswith: '\MBAMInstallerService.exe'
        TargetObject|endswith: '\MBAMService\(Default)'
        Details: 'Service'
    filter_optional_hexnode:
        Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
        TargetObject|endswith:
            - '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
            - '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
            - '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
        Details: 'Service'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode without Network
      technique: T1112
      atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
    - type: atomic-red-team
      name: Windows Add Registry Value to Load Service in Safe Mode with Network
      technique: T1112
      atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4

Regsvr32 DLL Execution With Suspicious File Extension
Level: high · Quality: Moderate · Alert volume: High FP
Detects the execution of REGSVR32.exe with DLL files masquerading as other file types.
Status: test · Author: Florian Roth (Nextron Systems), frack113 · ATT&CK mapping: sub-technique · ID: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
Sigma YAML:
title: Regsvr32 DLL Execution With Suspicious File Extension
id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
references:
    - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://guides.lib.umich.edu/c.php?g=282942&p=1885348
    - https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/
author: Florian Roth (Nextron Systems), frack113
date: 2021-11-29
modified: 2025-08-27
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_cli:
        CommandLine|endswith:
            # Add more image extensions
            # https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
            - '.bin'
            - '.bmp'
            - '.cr2'
            - '.dat'
            - '.eps'
            - '.gif'
            - '.ico'
            - '.jpeg'
            - '.jpg'
            - '.log'
            - '.nef'
            - '.orf'
            - '.png'
            - '.raw'
            - '.rtf'
            - '.sr2'
            - '.temp'
            - '.tif'
            - '.tiff'
            - '.tmp'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

Regsvr32 Execution From Highly Suspicious Location
Level: high · Quality: Moderate · Alert volume: Medium FP
Detects execution of regsvr32 where the DLL is located in a highly suspicious location.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · ID: 327ff235-94eb-4f06-b9de-aaee571324be
Sigma YAML:
title: Regsvr32 Execution From Highly Suspicious Location
id: 327ff235-94eb-4f06-b9de-aaee571324be
status: test
description: Detects execution of regsvr32 where the DLL is located in a highly suspicious location
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_path_1:
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - '\Windows\Registration\CRMLog'
            - '\Windows\System32\com\dmp\'
            - '\Windows\System32\FxsTmp\'
            - '\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - '\Windows\System32\spool\drivers\color\'
            - '\Windows\System32\spool\PRINTERS\'
            - '\Windows\System32\spool\SERVERS\'
            - '\Windows\System32\Tasks_Migrated\'
            - '\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\SysWOW64\com\dmp\'
            - '\Windows\SysWOW64\FxsTmp\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - '\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - '\Windows\Tasks\'
            - '\Windows\Tracing\'
    selection_path_2:
        CommandLine|contains:
            # This is to avoid collisions with CLI starting with "C:\"
            - ' "C:\'
            - ' C:\'
            - " 'C:\\"
            - 'D:\'
    selection_exclude_known_dirs:
        CommandLine|contains:
            # Note: add additional locations that are related to third party applications
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\ProgramData\'
            - 'C:\Users\'
            # Note: The space added here are to avoid collisions with the "regsvr32" binary full path
            - ' C:\Windows\'
            - ' "C:\Windows\'
            - " 'C:\\Windows\\"
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs)) and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id a133193c-2daa-4a29-8022-018695fcf0ae
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
    - https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
    - https://www.exploit-db.com/exploits/39161
    - https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-19
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1190
    - attack.t1505.003
    - cve.2014-6287
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_search:
        cs-uri-query|contains: '?search=%00{.'
    selection_payload:
        cs-uri-query|contains:
            - 'save|' # Indication of saving a file which shouldn't be tested by vuln scanners
            - 'powershell'
            - 'cmd.exe'
            - 'cmd /c'
            - 'cmd /r'
            - 'cmd /k'
            - 'cscript'
            - 'wscript'
            - 'python'
            - 'C:\Users\Public\'
            - '%comspec%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Strong Low FP
Relevant Anti-Virus Signature Keywords In Application Log
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
status test author Florian Roth (Nextron Systems), Arnim Rupp ATT&CK technique id 78bc5783-81d9-4d73-ac97-59f6db4f72a8
title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high
high Moderate High FP
Relevant ClamAV Message
Detects relevant ClamAV messages
status stable author Florian Roth (Nextron Systems) ATT&CK sub-technique id 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
    - attack.resource-development
    - attack.t1588.001
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high
high Moderate High FP
Remote Access Tool - AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
status test author Ján Trenčanský ATT&CK sub-technique id 114e7f1c-f137-48c8-8f54-3088c24ce4b9
title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high
high Strong Medium FP
Remote Access Tool - Anydesk Execution From Suspicious Folder
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 065b00ca-5d5c-4557-ac95-64a6d0b64d86
title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
    - id: b52e84a3-029e-4529-b09b-71d19dd27e94
      type: similar
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-05-20
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    filter:
        Image|contains:
            - '\AppData\'
            - 'Program Files (x86)\AnyDesk'
            - 'Program Files\AnyDesk'
    condition: selection and not filter
falsepositives:
    - Legitimate use of AnyDesk from a non-standard folder
level: high
high Moderate High FP
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) ATT&CK sub-technique id bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
title: Remote Access Tool - Renamed MeshAgent Execution - MacOS
id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
related:
    - id: b471f462-eb0d-4832-be35-28d94bdb4780
      type: similar
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: macos
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith:
            - '/meshagent'
            - '/meshagent_osx64'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate High FP
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
status experimental author Norbert Jaśniewicz (AlphaSOC) ATT&CK sub-technique id b471f462-eb0d-4832-be35-28d94bdb4780
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
    - id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
      type: similar
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: derived
status: experimental
description: |
    Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
    RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
    However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1219.002
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_meshagent:
        - CommandLine|contains: '--meshServiceName'
        - OriginalFileName|contains: 'meshagent'
    filter_main_legitimate:
        Image|endswith: '\meshagent.exe'
    condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
status test author Jason Rathbun (Blackpoint Cyber) ATT&CK technique id b19146a3-25d4-41b4-928b-1e2a92641b1b
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Strong Medium FP
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package downloaded from a file sharing or CDN domain being added to the pipeline of "to be processed" packages.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 8b48ad89-10d8-4382-a546-50588c410f0d
title: Remote AppX Package Downloaded from File Sharing or CDN Domain
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: test
description: |
    Detects an appx package downloaded from a file sharing or CDN domain being added to the pipeline of "to be processed" packages.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-10
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
        Path|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection
falsepositives:
    - Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.
level: high
high Moderate High FP
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id f57c58b3-ee69-4ef5-9041-455bf39aaa89
title: Remote CHM File Download/Execution Via HH.EXE
id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
status: test
description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
references:
    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-29
modified: 2024-01-31
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
status test author Sagie Dulce, Dekel Paz ATT&CK sub-technique id 68050b10-e477-4377-a99b-3721b422d6ef
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.003
    - attack.t1047
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
            - 99fcfec4-5260-101b-bbcb-00aa0021347a
            - 000001a0-0000-0000-c000-000000000046
            - 00000131-0000-0000-c000-000000000046
            - 00000143-0000-0000-c000-000000000046
            - 00000000-0000-0000-c000-000000000046
    condition: selection
falsepositives:
    - Some administrative tasks on remote host
level: high
high Strong Low FP
Remote Encrypting File System Abuse
Detects remote RPC calls that may abuse the remote encryption service via MS-EFSR
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 5f92fff9-82e2-48eb-8fc1-8b133556a551
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
status: test
description: Detects remote RPC calls that may abuse the remote encryption service via MS-EFSR
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - df1941c5-fe89-4e79-bf10-463657acf44d
            - c681d488-d850-11d0-8c52-00c04fd90f7e
    condition: selection
falsepositives:
    - Legitimate usage of remote file encryption
level: high
high Strong Low FP
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id 2053961f-44c7-4a64-b62d-f6e72800af0d
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
status: test
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 82273fdc-e32a-18c3-3f78-827929dc23ea
            - f6beaff7-1e19-4fbb-9f8f-b89e2018337c
    condition: selection
falsepositives:
    - Remote administrative tasks on Windows Events
level: high
high Strong Medium FP
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
status stable author Patryk Prauze - ING Tech ATT&CK sub-technique id aa35a627-33fb-4d04-a165-d33b4afca3e8
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high Strong High FP
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
status test author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton ATT&CK sub-technique id 96b9f619-aa91-478f-bacb-c3e50f8df575
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use of remote PowerShell sessions
level: high
high Strong Low FP
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986
status test author Roberto Rodriguez @Cyb3rWard0g ATT&CK sub-technique id 13acf386-b8c6-4fe0-9a6e-c4756b974698
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort:
            - 5985
            - 5986
        LayerRTID: 44
    condition: selection
falsepositives:
    - Legitimate use of remote PowerShell execution
level: high
high Strong Low FP
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls that may abuse the remote printing service via MS-RPRN / MS-PAR
status test author Sagie Dulce, Dekel Paz ATT&CK tactic-only id bc3a4b0c-e167-48e1-aa88-b3020950e560
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
status: test
description: Detects remote RPC calls that may abuse the remote printing service via MS-RPRN / MS-PAR
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 12345678-1234-abcd-ef00-0123456789ab
            - 76f03f96-cdfd-44fc-a22c-64950a001209
            - 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
            - ae33069b-a2a8-46ee-a235-ddfd339be281
    condition: selection
falsepositives:
    - Actual printing
level: high
high Strong Low FP
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possibly execute code
status test author Sagie Dulce, Dekel Paz ATT&CK technique id 35c55673-84ca-4e99-8d09-e334f3c29539
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possibly execute code
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1112
    - attack.persistence
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection
falsepositives:
    - Remote administration of registry values
level: high
high Strong Low FP
Remote Registry Recon
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: tactic-only · id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
status: test
description: Detects remote RPC calls to collect information
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
    filter:
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection and not filter
falsepositives:
    - Remote administration of registry values
level: high
high Strong Low FP
Remote Schedule Task Lateral Movement via ATSvc
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: sub-technique · id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote Schedule Task Lateral Movement via ITaskSchedulerService
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: sub-technique · id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.lateral-movement
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote Schedule Task Lateral Movement via SASec
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: sub-technique · id: aff229ab-f8cd-447b-b215-084d11e79eb0
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
        OpNum:
            - 0
            - 1
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote Schedule Task Recon via ATSvc
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: tactic-only · id: f177f2bc-5f3e-4453-b599-57eefce9a59c
title: Remote Schedule Task Recon via ATSvc
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
status: test
description: Detects remote RPC calls to read information about scheduled tasks via ATSvc
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/zeronetworks/rpcfirewall
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
    filter:
        OpNum:
            - 0
            - 1
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote Schedule Task Recon via ITaskSchedulerService
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: tactic-only · id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
status: test
description: Detects remote RPC calls to read information about scheduled tasks
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
    filter:
        OpNum:
            - 1
            - 3
            - 4
            - 10
            - 11
            - 12
            - 13
            - 14
            - 15
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Strong Low FP
Remote Server Service Abuse
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: tactic-only · id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
    condition: selection
falsepositives:
    - Legitimate remote share creation
level: high
high Strong Low FP
Remote Server Service Abuse for Lateral Movement
status: test · author: Sagie Dulce, Dekel Paz · ATT&CK: sub-technique · id: 10018e73-06ec-46ec-8107-9172f1e04ff2
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1569.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
    condition: selection
falsepositives:
    - Administrative tasks on remote services
level: high
high Moderate Medium FP
Remote Thread Created In KeePass.EXE
status: test · author: Timon Hackenjos · ATT&CK: sub-technique · id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
title: Remote Thread Created In KeePass.EXE
id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
status: test
description: Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity
references:
    - https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
    - https://github.com/denandz/KeeFarce
    - https://github.com/GhostPack/KeeThief
author: Timon Hackenjos
date: 2022-04-22
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1555.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\KeePass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Remote Thread Creation In Mstsc.Exe From Suspicious Location
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: test
description: |
    Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
    This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
    - https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
    - attack.credential-access
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith: '\mstsc.exe'
        SourceImage|contains:
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\PerfLogs\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Remote Thread Creation Ttdinject.exe Proxy
status: test · author: frack113 · ATT&CK: technique · id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects remote thread creation by Ttdinject.exe when it is used as a proxy execution binary
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith: '\ttdinject.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Remote XSL Execution Via Msxsl.EXE
status: test · author: Swachchhanda Shrawan Poudel · ATT&CK: technique · id: 75d0a94e-6252-448d-a7be-d953dff527bb
title: Remote XSL Execution Via Msxsl.EXE
id: 75d0a94e-6252-448d-a7be-d953dff527bb
status: test
description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
level: high
high Moderate High FP
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
status: test · author: frack113 · ATT&CK: technique · id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
      type: similar
    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
      type: similar
    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
      type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-ATHRemoteFXvGPUDisablementCommand'
            - 'Invoke-ATHRemoteFXvGPUDisableme'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Remotely Hosted HTA File Executed Via Mshta.EXE
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: b98d0db6-511d-45de-ad02-e82a98729620
title: Remotely Hosted HTA File Executed Via Mshta.EXE
id: b98d0db6-511d-45de-ad02-e82a98729620
status: test
description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious HTA file
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-08
modified: 2023-02-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'MSHTA.EXE'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'ftp://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Showing 1301-1350 of 3,750