Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 3,750
high
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
view Sigma YAML
title: Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
id: ff0225a0-1d9a-4bae-ab26-6038b18bb6d4
status: experimental
description: |
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-57791
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'qlogin'
- ' -cs '
- ' -localadmin'
- ' -clp '
- '_localadmin__'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
This is a post-authentication step corresponding to CVE-2025-57790.
view Sigma YAML
title: Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
id: bd3b3fff-a018-4994-9876-68af5809160f
status: experimental
description: |
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop.
This is a post-authentication step corresponding to CVE-2025-57790.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.persistence
- attack.t1505.003
- detection.emerging-threats
- cve.2025-57790
logsource:
category: process_creation
product: windows
detection:
selection:
# qoperation execute -af F:\Program Files\Commvault\ContentStore\Reports\MetricsUpload\Upload\ABC1234\rekt.xml -file F:\Program Files\Commvault\ContentStore\Apache\webapps\ROOT\wT-poc.jsp
CommandLine|contains|all:
- 'qoperation'
- 'exec'
- ' -af '
- '.xml '
- '\Apache\webapps\ROOT\'
- '.jsp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Conhost.exe CommandLine Path Traversal
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
view Sigma YAML
title: Conhost.exe CommandLine Path Traversal
id: ee5e119b-1f75-4b34-add8-3be976961e39
status: test
description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
references:
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains: 'conhost'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
view Sigma YAML
title: Conti NTDS Exfiltration Command
id: aa92fd02-09f2-48b0-8a93-864813fb8f41
status: test
description: Detects a command used by conti to exfiltrate NTDS
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2022-10-09
tags:
- attack.collection
- attack.t1560
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '7za.exe'
- '\\C$\\temp\\log.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Conti Volume Shadow Listing
Detects a command used by conti to find volume shadow backups
view Sigma YAML
title: Conti Volume Shadow Listing
id: 7b30e0a7-c675-4b24-8a46-82fa67e2433d
status: test
description: Detects a command used by conti to find volume shadow backups
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
tags:
- attack.t1587.001
- attack.resource-development
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'vssadmin list shadows'
- 'log.txt'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Control Panel Items
Detects the malicious use of a control panel item
view Sigma YAML
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
- https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1218.002
- attack.persistence
- attack.t1546
logsource:
product: windows
category: process_creation
detection:
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_cli:
CommandLine|contains|all:
- 'add'
- 'CurrentVersion\Control Panel\CPLs'
selection_cpl:
CommandLine|endswith: '.cpl'
filter_cpl_sys:
CommandLine|contains:
- '\System32\'
- '%System%'
- '|C:\Windows\system32|'
filter_cpl_igfx:
CommandLine|contains|all:
- 'regsvr32 '
- ' /s '
- 'igfxCPL.cpl'
condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
view Sigma YAML
title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
id: 044ba588-dff4-4918-9808-3f95e8160606
status: test
description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
references:
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
# Example: copy \\<host>\\<folder>\\process.dmp C:\Users\process.dmp
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- 'copy '
- ' \\\\'
CommandLine|contains:
- '.dmp'
- '.dump'
- '.hdmp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
view Sigma YAML
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection:
# cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
# There is an additional "\" to escape the special "?"
CommandLine|contains|all:
- 'copy '
- '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
condition: selection
falsepositives:
- Backup scenarios using the commandline
level: high
Convert to SIEM query
high
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
view Sigma YAML
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
category: process_creation
detection:
selection_img:
Image|endswith: '/cp'
selection_path:
CommandLine|contains: '/tmp/'
selection_file:
CommandLine|contains:
- 'passwd'
- 'shadow'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
view Sigma YAML
title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Files with well-known filenames (sensitive files with credential data) copying
references:
- https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
- https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.003
- car.2013-07-001
- attack.s0404
logsource:
category: process_creation
product: windows
detection:
selection_esent_img:
- Image|endswith: '\esentutl.exe'
- OriginalFileName: '\esentutl.exe'
selection_esent_cli:
CommandLine|contains|windash:
- 'vss'
- ' /m '
- ' /y '
selection_susp_paths:
CommandLine|contains:
- '\config\RegBack\sam'
- '\config\RegBack\security'
- '\config\RegBack\system'
- '\config\sam'
- '\config\security'
- '\config\system ' # space needed to avoid false positives with \config\systemprofile\
- '\repair\sam'
- '\repair\security'
- '\repair\system'
- '\windows\ntds\ntds.dit'
condition: all of selection_esent_* or selection_susp_paths
falsepositives:
- Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
level: high
Convert to SIEM query
high
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
view Sigma YAML
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
- attack.credential-access
- attack.t1003.003
- attack.ds0005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Win32_ShadowCopy
- ').Create('
- ClientAccessible
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
view Sigma YAML
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
- id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\createdump.exe'
- OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
CommandLine|contains:
- ' -u ' # Short version of '--full'
- ' --full '
- ' -f ' # Short version of '--name'
- ' --name '
- '.dmp '
condition: all of selection_*
falsepositives:
- Command lines that use the same flags
level: high
Convert to SIEM query
high
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
view Sigma YAML
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
# Feel free to add more
TargetFilename: 'C:\program.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
view Sigma YAML
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
- https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
- attack.persistence
- attack.t1136.001
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
TargetObject|endswith: '$\(Default)'
Image|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
- type: atomic-red-team
name: Create Hidden User in Registry
technique: T1564.002
atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
Convert to SIEM query
high
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
view Sigma YAML
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.003
- attack.t1003.004
- attack.t1003.005
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains:
- '\fgdump-log'
- '\kirbi'
- '\pwdump'
- '\pwhashes'
- '\wce_ccache'
- '\wce_krbtkts'
- TargetFilename|endswith:
- '\cachedump.exe'
- '\cachedump64.exe'
- '\DumpExt.dll'
- '\DumpSvc.exe'
- '\Dumpy.exe'
- '\fgexec.exe'
- '\lsremora.dll'
- '\lsremora64.dll'
- '\NTDS.out'
- '\procdump.exe'
- '\procdump64.exe'
- '\procdump64a.exe'
- '\pstgdump.exe'
- '\pwdump.exe'
- '\SAM.out'
- '\SECURITY.out'
- '\servpw.exe'
- '\servpw64.exe'
- '\SYSTEM.out'
- '\test.pwd'
- '\wceaux.dll'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
Convert to SIEM query
high
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
view Sigma YAML
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
type: obsolete
- id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0349
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- '_ctypes.pyd+'
- ':\Windows\System32\KERNELBASE.dll+'
- ':\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains:
- 'python27.dll+'
- 'python3*.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
view Sigma YAML
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
- Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\svchost.exe'
GrantedAccess: '0x143a'
filter_main_known_processes:
SourceImage|endswith:
- '\services.exe'
- '\msiexec.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
view Sigma YAML
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|endswith: '\WerFault.exe'
TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Actual failures in lsass.exe that trigger a crash dump (unlikely)
- Unknown cases in which WerFault accesses lsass.exe
level: high
Convert to SIEM query
high
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
view Sigma YAML
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
Convert to SIEM query
high
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
view Sigma YAML
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
Convert to SIEM query
high
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
view Sigma YAML
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith: '/grep'
CommandLine|contains: 'password'
selection2:
CommandLine|contains: 'laZagne'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Credentials In Files - Linux
Detecting attempts to extract passwords with grep
view Sigma YAML
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
- attack.credential-access
- attack.t1552.001
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
keywords:
'|all':
- 'grep'
- 'password'
condition: selection and keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
view Sigma YAML
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
- id: 839dd1e8-eda8-4834-8145-01beeee33acd
type: obsolete
status: test
description: |
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 16
Provider_Name: Microsoft-Windows-Kernel-General
HiveName|contains:
- '\Temp\SAM'
- '\Temp\SECURITY'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
view Sigma YAML
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
- https://github.com/payloadbox/xss-payload-list
- https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
- attack.initial-access
- attack.t1189
logsource:
category: webserver
detection:
select_method:
cs-method: 'GET'
keywords:
- '=<script>'
- '=%3Cscript%3E'
- '=%253Cscript%253E'
- '<iframe '
- '%3Ciframe '
- '<svg '
- '%3Csvg '
- 'document.cookie'
- 'document.domain'
- ' onerror='
- ' onresize='
- ' onload="'
- 'onmouseover='
- '${alert'
- 'javascript:alert'
- 'javascript%3Aalert'
filter:
sc-status: 404
condition: select_method and keywords and not filter
falsepositives:
- JavaScripts,CSS Files and PNG files
- User searches in search boxes of the respective website
- Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
Convert to SIEM query
high
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
view Sigma YAML
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
- https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
- https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
# XMRig
- 'XMRig '
# CCMiner
- 'ccminer'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
view Sigma YAML
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
- https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
- https://reaqta.com/2017/11/short-journey-darkvnc/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.007
- attack.t1218.005
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\csc.exe'
- OriginalFileName: 'csc.exe'
selection_parent_generic:
ParentImage|endswith:
- '\cscript.exe'
- '\excel.exe'
- '\mshta.exe'
- '\onenote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
- '\wscript.exe'
selection_parent_powershell:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains:
- '-Encoded '
- 'FromBase64String'
selection_parent_susp_location:
- ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
- ParentCommandLine|contains:
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Temporary Internet'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
filter_main_programfiles:
# Note: this is a generic filter. You could baseline execution in your env for a more robust rule
ParentImage|startswith:
- 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
- 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_sdiagnhost:
ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
filter_main_w3p:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
filter_optional_chocolatey:
ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
filter_optional_defender:
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
filter_optional_ansible:
# Note: As ansible is widely used we exclude it with this generic filter.
# A better option would be to filter based on script content basis or other marker while hunting
ParentCommandLine|contains:
# '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
- 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
- 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
- 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
view Sigma YAML
title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_extension:
CommandLine|contains:
# Note: add additional potential suspicious extension
# We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
- '.csv'
- '.dat'
- '.doc'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.ppt'
- '.txt'
- '.xls'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
view Sigma YAML
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|windash: ' -c '
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
- '&'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
view Sigma YAML
title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
status: test
description: Detects the abuse of custom file open handler, executing powershell
references:
- https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1202
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'shell\open\command\'
Details|contains|all:
- 'powershell'
- '-command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
view Sigma YAML
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DEWMODE Webshell Access
Detects access to DEWMODE webshell as described in FIREEYE report
view Sigma YAML
title: DEWMODE Webshell Access
id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
status: test
description: Detects access to DEWMODE webshell as described in FIREEYE report
references:
- https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
author: Florian Roth (Nextron Systems)
date: 2021-02-22
modified: 2023-01-02
tags:
- attack.persistence
- attack.t1505.003
- detection.emerging-threats
logsource:
category: webserver
detection:
selection1:
cs-uri-query|contains|all:
- '?dwn='
- '&fn='
- '.html?'
selection2:
cs-uri-query|contains|all:
- '&dwn='
- '?fn='
- '.html?'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
view Sigma YAML
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
view Sigma YAML
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 1031
- 1032
- 1034
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
view Sigma YAML
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
view Sigma YAML
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.008
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
filter_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
Details:
- '%%systemroot%%\system32\ntdsa.dll'
- '%%systemroot%%\system32\lsadb.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
view Sigma YAML
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1218.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\cmstp.exe'
ImageLoaded|contains:
# Add more suspicious paths as you see fit in your env
- '\PerfLogs\'
- '\ProgramData\'
- '\Users\'
- '\Windows\Temp\'
- 'C:\Temp\'
ImageLoaded|endswith:
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unikely
level: high
Convert to SIEM query
high
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
view Sigma YAML
title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
- https://twitter.com/cyb3rops/status/1552932770464292864
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows \'
- 'C:\Program Files \'
- 'C:\Program Files (x86) \'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
view Sigma YAML
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
- id: e173ad47-4388-4012-ae62-bd13f71c18a8
type: similar
status: test
description: |
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
# The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
ImageLoaded|endswith: '\ShellChromeAPI.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
view Sigma YAML
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\VMwareXferlogs.exe'
filter: # VMware might be installed in another path so update the rule accordingly
Image|startswith: 'C:\Program Files\VMware\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
view Sigma YAML
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
- https://github.com/iagox86/dnscat2
- https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1048.001
- attack.command-and-control
- attack.t1071.004
- attack.t1132.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\iodine.exe'
- Image|contains: '\dnscat2'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
view Sigma YAML
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
- attack.persistence
- attack.t1554
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'servicebus.windows.net'
Image|contains: 'HybridConnectionManager'
condition: selection
falsepositives:
- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
Convert to SIEM query
high
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
view Sigma YAML
title: DNS Query To Katz Stealer Domains
id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
related:
- id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
type: similar
status: experimental
description: |
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains:
- 'katz-panel.com'
- 'katz-stealer.com'
- 'katzstealer.com'
- 'twist2katz.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
view Sigma YAML
title: DNS Query To Katz Stealer Domains - Network
id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
related:
- id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
type: similar
status: experimental
description: |
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
- Internal research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
category: dns
detection:
selection:
query|contains:
- 'katz-panel.com'
- 'katz-stealer.com'
- 'katzstealer.com'
- 'twist2katz.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
view Sigma YAML
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
- id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
type: similar
- id: a8322756-015c-42e7-afb1-436e85ed3ff5
type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
- https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
- https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
- attack.command-and-control
- attack.t1090.003
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith:
- '.hiddenservice.net'
- '.onion.ca'
- '.onion.cab'
- '.onion.casa'
- '.onion.city'
- '.onion.direct'
- '.onion.dog'
- '.onion.glass'
- '.onion.gq'
- '.onion.ink'
- '.onion.it'
- '.onion.link'
- '.onion.lt'
- '.onion.lu'
- '.onion.nu'
- '.onion.pet'
- '.onion.plus'
- '.onion.rip'
- '.onion.sh'
- '.onion.to'
- '.onion.top'
- '.onion'
- '.s1.tor-gateways.de'
- '.s2.tor-gateways.de'
- '.s3.tor-gateways.de'
- '.s4.tor-gateways.de'
- '.s5.tor-gateways.de'
- '.t2w.pw'
- '.tor2web.ae.org'
- '.tor2web.blutmagie.de'
- '.tor2web.com'
- '.tor2web.fi'
- '.tor2web.io'
- '.tor2web.org'
- '.tor2web.xyz'
- '.torlink.co'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
view Sigma YAML
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
- id: 065cceea-77ec-4030-9052-fc0affea7110
type: similar
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
Convert to SIEM query
high
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
- id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
type: similar
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
Convert to SIEM query
high
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
view Sigma YAML
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
- https://twitter.com/breakersall/status/1533493587828260866
- https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
- https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
- attack.initial-access
- attack.t1190
- attack.reconnaissance
- attack.t1595.002
logsource:
category: dns
detection:
selection:
query|endswith:
- '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
- '.canarytokens.com' # Thinkst Canary Canarytokens
- '.ceye.io'
- '.ddns.1443.eu.org' # dig.pm
- '.ddns.bypass.eu.org' # dig.pm
- '.ddns.xn--gg8h.eu.org' # dig.pm
- '.digimg.store' # dnslog.ink
- '.dns.su18.org' # javaweb.org
- '.dnshook.site' # webhook.site
- '.dnslog.cn'
- '.dnslog.ink' # dnslog.ink
- '.instances.httpworkbench.com' # httpworkbench.com
- '.interact.sh' # Project Discovery Interactsh
- '.log.dnslog.pp.ua' # dnslog.org
- '.log.dnslog.qzz.io' # dnslog.org
- '.log.dnslogs.dpdns.org' # dnslog.org
- '.log.javaweb.org' # javaweb.org
- '.log.nat.cloudns.ph' # dnslog.org
- '.oast.fun' # Project Discovery Interactsh
- '.oast.live' # Project Discovery Interactsh
- '.oast.me' # Project Discovery Interactsh
- '.oast.online' # Project Discovery Interactsh
- '.oast.pro' # Project Discovery Interactsh
- '.oast.site' # Project Discovery Interactsh
- '.oastify.com' # Portswigger Burpsuite Collaborator
- '.p8.lol' # javaweb.org
- '.requestbin.net'
filter_main_polling:
query|contains: 'polling.oastify.com'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate security scanning.
level: high
Convert to SIEM query
high
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
view Sigma YAML
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: dns-server
detection:
selection:
EventID:
- 150
- 770
- 771
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
view Sigma YAML
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 351-400 of 3,750