Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,750
high
Moderate
Medium FP
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
view Sigma YAML
title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
references:
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
author: Florian Roth (Nextron Systems)
date: 2019-04-05
modified: 2021-11-27
tags:
- attack.t1204.001
- attack.execution
logsource:
product: linux
detection:
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
view Sigma YAML
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
- https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'key'
ObjectName|endswith:
- 'lsa\JD'
- 'lsa\GBG'
- 'lsa\Skew1'
- 'lsa\Data'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
view Sigma YAML
title: Sysinternals PsSuspend Suspicious Execution
id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
related:
- id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution
type: similar
status: test
description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
- https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'pssuspend.exe'
- Image|endswith:
- '\pssuspend.exe'
- '\pssuspend64.exe'
selection_cli:
# Add more interesting/critical processes
CommandLine|contains: 'msmpeng.exe'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
view Sigma YAML
title: Syslog Clearing or Removal Via System Utilities
id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
status: test
description: |
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2025-10-15
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
category: process_creation
detection:
selection_file:
CommandLine|contains: '/var/log/syslog'
selection_command_rm:
# Examples:
# rm -f /var/log/syslog
Image|endswith: '/rm'
CommandLine|contains:
- ' -r '
- ' -f '
- ' -rf '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
selection_command_unlink:
# Examples:
# unlink /var/log/syslog
Image|endswith: '/unlink'
selection_command_mv:
# Examples:
# mv /var/log/syslog
Image|endswith: '/mv'
selection_command_truncate:
# Examples:
# truncate --size 0 /var/log/syslog
Image|endswith: '/truncate'
CommandLine|contains|all:
- '0 '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-s '
- '-c '
- '--size'
selection_command_ln:
# Examples:
# ln -sfn /dev/null /var/log/syslog
Image|endswith: '/ln'
CommandLine|contains|all:
- '/dev/null '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-sf '
- '-sfn '
- '-sfT '
selection_command_cp:
# Examples:
# cp /dev/null /var/log/syslog
Image|endswith: '/cp'
CommandLine|contains: '/dev/null'
selection_command_shred:
# Examples:
# shred -u /var/log/syslog
Image|endswith: '/shred'
CommandLine|contains: '-u '
selection_unique_other:
CommandLine|contains:
- ' > /var/log/syslog'
- ' >/var/log/syslog'
- ' >| /var/log/syslog' # redirection empties w spacing, noclobber
- ': > /var/log/syslog'
- ':> /var/log/syslog'
- ':>/var/log/syslog'
- '>|/var/log/syslog'
selection_unique_journalctl:
CommandLine|contains:
- 'journalctl --vacuum'
- 'journalctl --rotate' # archives current journal files and creates new empty ones
condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
falsepositives:
- Log rotation.
- Maintenance.
level: high
Convert to SIEM query
high
Moderate
Low FP
Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service
view Sigma YAML
title: Sysmon Application Crashed
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: test
description: Detects application popup reporting a failure of the Sysmon service
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
date: 2022-04-26
modified: 2024-01-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Application Popup'
EventID: 26
Caption:
- 'sysmon64.exe - Application Error'
- 'sysmon.exe - Application Error'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
view Sigma YAML
title: Sysmon Blocked Executable
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
status: test
description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
references:
- https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-16
modified: 2023-09-16
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 27 # this is fine, we want to match any FileBlockExecutable event
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
view Sigma YAML
title: Sysmon Blocked File Shredding
id: c3e5c1b1-45e9-4632-b242-27939c170239
status: test
description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2023-07-20
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 28 # this is fine, we want to match any FileBlockShredding event
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
view Sigma YAML
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2025-10-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: '0x10000'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
view Sigma YAML
title: Sysmon Configuration Error
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
status: test
description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_error
detection:
selection_error:
Description|contains:
- 'Failed to open service configuration with error'
- 'Failed to connect to the driver to update configuration'
filter_generic_english:
Description|contains|all:
- 'Failed to open service configuration with error'
- 'Last error: The media is write protected.'
filter_by_errorcode:
Description|contains:
- 'Failed to open service configuration with error 19'
- 'Failed to open service configuration with error 93'
condition: selection_error and not 1 of filter*
falsepositives:
- Legitimate administrative action
level: high
Convert to SIEM query
high
Strong
Low FP
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
view Sigma YAML
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
status: test
description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_status
detection:
selection_stop:
State: Stopped
selection_conf:
- 'Sysmon config state changed'
filter:
State: Started
condition: 1 of selection_* and not filter
falsepositives:
- Legitimate administrative action
level: high
Convert to SIEM query
high
Moderate
High FP
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
view Sigma YAML
title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains: ' 385201' # Sysmon driver default altitude
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Driver Altitude Change
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
view Sigma YAML
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
- https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\'
TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
condition: selection
falsepositives:
- Legitimate driver altitude change to hide sysmon
level: high
Convert to SIEM query
high
Moderate
High FP
Sysmon Driver Unloaded Via Fltmc.EXE
Detects possible Sysmon filter driver unloaded via fltmc.exe
view Sigma YAML
title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
- id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains|all:
- 'unload'
- 'sysmon'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
view Sigma YAML
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://github.com/mhaskar/FsquirtCPLPoC
- https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\appwiz.cpl' # Usually loaded by fondue.exe
- '\bthprops.cpl' # Usually loaded by fsquirt.exe
- '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
filter_main_legit_location:
ImageLoaded|startswith:
- 'C:\Windows\Prefetch\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
Convert to SIEM query
high
Strong
Medium FP
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
view Sigma YAML
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
Convert to SIEM query
high
Moderate
Medium FP
System Restore Registry Modification via CommandLine
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
view Sigma YAML
title: System Restore Registry Modification via CommandLine
id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
related:
- id: 5de03871-5d46-4539-a82d-3aa992a69a83
type: similar
status: experimental
description: |
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-11
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
selection_cli_reg_root:
CommandLine|contains:
- '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
selection_cli_reg_key:
CommandLine|contains:
- 'DisableConfig'
- 'DisableSR'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable System Restore Through Registry
technique: T1490
atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
Convert to SIEM query
high
Moderate
Low FP
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
view Sigma YAML
title: T1047 Wmiprvse Wbemcomn DLL Hijack
id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-02-24
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
view Sigma YAML
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
author: Florian Roth (Nextron Systems)
date: 2020-07-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1055.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'dll,MyStart'
- 'dll MyStart'
selection2a:
CommandLine|endswith: ' MyStart'
selection2b:
CommandLine|contains: 'rundll32.exe'
condition: selection1 or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
view Sigma YAML
title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
- id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
type: similar
status: test
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-07
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_classic_provider_start
detection:
selection_set_mppreference:
Data|contains: 'Set-MpPreference'
selection_options_bool_allow:
Data|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_options_actions_func:
Data|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
view Sigma YAML
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: derived
status: test
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-16
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_options_disabling_preference:
ScriptBlockText|contains: 'Set-MpPreference'
selection_options_disabling_function:
ScriptBlockText|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_other_default_actions_allow:
ScriptBlockText|contains: 'Set-MpPreference'
selection_other_default_actions_func:
ScriptBlockText|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
Convert to SIEM query
high
Strong
High FP
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
view Sigma YAML
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
Strong
High FP
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
view Sigma YAML
title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
id: ae2bdd58-0681-48ac-be7f-58ab4e593458
related:
- id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
type: similar
status: test
description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_remove:
ScriptBlockText|contains: 'Remove-MpPreference'
selection_tamper:
ScriptBlockText|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper With Sophos AV Registry Keys
Detects tamper attempts to sophos av functionality via registry key modification
view Sigma YAML
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
- '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
- '\Sophos\SAVService\TamperProtection\Enabled'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high
Convert to SIEM query
high
Moderate
High FP
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
view Sigma YAML
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
- https://www.exploit-db.com/exploits/37525
- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'taskkill'
- ' /F '
- ' /IM '
- 'ccSvcHst.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
view Sigma YAML
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
view Sigma YAML
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains:
- 'echo '
- 'copy '
- 'type '
- 'file createnew'
selection2:
CommandLine|contains:
- ' C:\Windows\System32\Tasks\'
- ' C:\Windows\SysWow64\Tasks\'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
view Sigma YAML
title: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
id: 81c0b7f5-81c9-435e-a291-bc32fc2b72cd
status: experimental
description: |
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
- https://novasky.io/hunts/hunting-litellm-supply-chain
- https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
- https://huskyhacks.io/posts/litellm-cred-stealer/
- https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.002
- attack.initial-access
- attack.t1195.002
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
Image|contains: '/python3'
TargetFilename|endswith:
- '/.config/sysmon/sysmon.py'
- '/.config/systemd/user/sysmon.service'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Low FP
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
view Sigma YAML
title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: test
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-10
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitimate temporary access pass
level: high
Convert to SIEM query
high
Strong
Medium FP
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history
view Sigma YAML
title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
- http://woshub.com/how-to-clear-rdp-connections-history/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1112
logsource:
category: registry_delete
product: windows
detection:
selection1:
EventType: DeleteValue
TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
selection2:
EventType: DeleteKey
TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
view Sigma YAML
title: Terminal Service Process Spawn
id: 1012f107-b8f1-4271-af30-5aed2de89b39
status: test
description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
references:
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
author: Florian Roth (Nextron Systems)
date: 2019-05-22
modified: 2023-01-25
tags:
- attack.initial-access
- attack.t1190
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- '\svchost.exe'
- 'termsvcs'
filter_img:
Image|endswith:
- '\rdpclip.exe'
- ':\Windows\System32\csrss.exe'
- ':\Windows\System32\wininit.exe'
- ':\Windows\System32\winlogon.exe'
filter_null:
Image: null
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TerraMaster TOS CVE-2020-28188
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
view Sigma YAML
title: TerraMaster TOS CVE-2020-28188
id: 15c312b9-00d0-4feb-8870-7d940a4bdc5e
status: test
description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
references:
- https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
author: Bhabesh Raj
date: 2021-01-25
modified: 2023-01-02
tags:
- attack.t1190
- attack.initial-access
- cve.2020-28188
- detection.emerging-threats
logsource:
category: webserver
detection:
base_url:
cs-method: 'GET'
cs-uri-query|contains|all:
- '/include/makecvs.php'
- '?Event='
payload:
cs-uri-query|contains:
- 'curl'
- 'wget'
- '.py'
- '.sh'
- 'chmod'
- '_GET'
condition: base_url and payload
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Time Travel Debugging Utility Usage
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
view Sigma YAML
title: Time Travel Debugging Utility Usage
id: 0b4ae027-2a2d-4b93-8c7e-962caaba5b2a
related:
- id: e76c8240-d68f-4773-8880-5c6f63595aaf
type: derived
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-10-09
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\tttracer.exe'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high
Strong
High FP
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
view Sigma YAML
title: Time Travel Debugging Utility Usage - Image
id: e76c8240-d68f-4773-8880-5c6f63595aaf
status: test
description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
- https://twitter.com/mattifestation/status/1196390321783025666
- https://twitter.com/oulusoyum/status/1191329746069655553
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-06
modified: 2022-12-02
tags:
- attack.credential-access
- attack.stealth
- attack.t1218
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\ttdrecord.dll'
- '\ttdwriter.dll'
- '\ttdloader.dll'
condition: selection
falsepositives:
- Legitimate usage by software developers/testers
level: high
Convert to SIEM query
high
Moderate
Medium FP
Too Many Global Admins
Identifies an event where there are there are too many accounts assigned the Global Administrator role.
view Sigma YAML
title: Too Many Global Admins
id: 7bbc309f-e2b1-4eb1-8369-131a367d67d3
status: test
description: Identifies an event where there are there are too many accounts assigned the Global Administrator role.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'tooManyGlobalAdminsAssignedToTenantAlertIncident'
condition: selection
falsepositives:
- Investigate if threshold setting in PIM is too low.
level: high
Convert to SIEM query
high
Moderate
High FP
Tor Client/Browser Execution
Detects the use of Tor or Tor-Browser to connect to onion routing networks
view Sigma YAML
title: Tor Client/Browser Execution
id: 62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c
status: test
description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
author: frack113
date: 2022-02-20
modified: 2025-10-27
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Tor Browser'
- Product: 'Tor Browser'
- Image|endswith:
- '\tor.exe'
- '\Tor Browser\Browser\firefox.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_tor_execution/info.yml
Convert to SIEM query
high
Moderate
High FP
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
view Sigma YAML
title: Trickbot Malware Activity
id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
related:
- id: c37510b8-2107-4b78-aa32-72f251e7a844
type: similar
status: stable
description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Florian Roth (Nextron Systems)
date: 2020-11-26
modified: 2021-11-27
tags:
- attack.execution
- attack.t1559
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wermgr.exe'
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains: 'DllRegisterServer'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
view Sigma YAML
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename: '/tmp/rootlog'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
view Sigma YAML
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
- https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
modified: 2022-12-31
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.003
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith: 'ebpfbackdoor'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
view Sigma YAML
title: Triple Cross eBPF Rootkit Execve Hijack
id: 0326c3c8-7803-4a0f-8c5c-368f747f7c3e
status: test
description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains: 'execve_hijack'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Triple Cross eBPF Rootkit Install Commands
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
view Sigma YAML
title: Triple Cross eBPF Rootkit Install Commands
id: 22236d75-d5a0-4287-bf06-c93b1770860f
status: test
description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-05
tags:
- attack.stealth
- attack.t1014
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains|all:
- ' tc '
- ' enp0s3 '
CommandLine|contains:
- ' qdisc '
- ' filter '
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
view Sigma YAML
title: TropicTrooper Campaign November 2018
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: '@41thexplorer, Microsoft Defender ATP'
date: 2019-11-12
modified: 2020-08-27
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'
condition: selection
level: high
Convert to SIEM query
high
Moderate
Medium FP
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
view Sigma YAML
title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
- id: 9b894e57-033f-46cf-b7fa-a52804181973
type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
- https://twitter.com/inversecos/status/1494174785621819397
- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
- https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Security\AccessVBOM'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
view Sigma YAML
title: Trusted Path Bypass via Windows Directory Spoofing
id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
related:
- id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
type: similar
status: experimental
description: |
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
references:
- https://x.com/Wietze/status/1933495426952421843
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.007
- attack.t1548.002
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains:
- ':\Windows \System32\' # Note the space between "Windows" and "System32"
- ':\Windows \SysWOW64\' # Note the space between "Windows" and "SysWOW64"
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Low FP
Turla Service Install
This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
view Sigma YAML
title: Turla Service Install
id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
status: test
description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
references:
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
author: Florian Roth (Nextron Systems)
date: 2017-03-31
modified: 2021-11-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.g0010
- attack.t1543.003
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ServiceName:
- 'srservice'
- 'ipvpn'
- 'hkmsvc'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - File
id: 155dbf56-e0a4-4dd0-8905-8a98705045e8
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith:
- '\AppData\Local\Temp\system32\winsat.exe'
- '\AppData\Local\Temp\system32\winmm.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Process
id: 7a01183d-71a2-46ad-ad5c-acd989ac1793
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
view Sigma YAML
title: UAC Bypass Abusing Winsat Path Parsing - Registry
id: 6597be7b-ac61-4ac8-bef4-d3ec88174853
status: test
description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
TargetObject|endswith: '\LowerCaseLongPath'
Details|startswith: 'c:\users\'
Details|endswith: '\appdata\local\temp\system32\winsat.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
view Sigma YAML
title: UAC Bypass Tools Using ComputerDefaults
id: 3c05e90d-7eba-4324-9972-5d7f711a60a8
status: test
description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-31
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
Image: 'C:\Windows\System32\ComputerDefaults.exe'
filter:
ParentImage|contains:
- ':\Windows\System32'
- ':\Program Files'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
view Sigma YAML
title: UAC Bypass Using .NET Code Profiler on MMC
id: 93a19907-d4f9-4deb-9f91-aac4692776a6
status: test
description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pe386.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using ChangePK and SLUI
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
view Sigma YAML
title: UAC Bypass Using ChangePK and SLUI
id: 503d581c-7df0-4bbe-b9be-5840c0ecc1fc
status: test
description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
references:
- https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\changepk.exe'
ParentImage|endswith: '\slui.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1701-1750 of 3,750