Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs.
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
    - https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
falsepositives:
    - Unknown
level: critical
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
falsepositives:
    - Unknown
level: critical
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'whoami.exe'
    filter:
        Image|endswith: '\whoami.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IB report
references:
    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
    condition: selection_registry
falsepositives:
    - Unlikely
level: critical
Suspicious Child Process Of Veeam Dabatase
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
title: Suspicious Child Process Of Veeam Dabatase
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
title: Suspicious Cobalt Strike DNS Beaconing - DNS Client
id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
related:
    - id: f356a9c4-effd-4608-bbf8-408afd5cd006
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.t1071.004
    - attack.command-and-control
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection_eid:
        EventID: 3008
    selection_query_1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection_query_2:
        QueryName|contains: '.stage.123456.'
    condition: selection_eid and 1 of selection_query_*
falsepositives:
    - Unknown
level: critical
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
title: Suspicious Cobalt Strike DNS Beaconing - Sysmon
id: f356a9c4-effd-4608-bbf8-408afd5cd006
related:
    - id: 0d18728b-f5bf-4381-9dcf-915539fff6c2
      type: similar
status: test
description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-11-09
modified: 2023-01-16
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    product: windows
    category: dns_query
detection:
    selection1:
        QueryName|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        QueryName|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
title: Suspicious PowerShell Mailbox Export to Share - PS
id: 4a241dea-235b-4a7e-8d76-50d817b146c4
related:
    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
      type: derived
status: test
description: Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Status: test. Author: Florian Roth (Nextron Systems). Id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
Webshell Remote Command Execution
Detects possible command execution by web application/web shell
title: Webshell Remote Command Execution
id: c0d3734d-330f-4a03-aae2-65dacc6a8222
status: test
description: Detects possible command execution by web application/web shell
references:
    - Personal Experience of the Author
    - https://www.vaadata.com/blog/what-is-command-injection-exploitations-and-security-best-practices/
author: Ilyas Ochkov, Beyu Denis, oscd.community
date: 2019-10-12
modified: 2025-12-05
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b32 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execve -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b32 -S execveat -F euid=33 -k detect_execve_www
        -a always,exit -F arch=b64 -S execveat -F euid=33 -k detect_execve_www
        Change the number "33" to the ID of your WebServer user. Default: www-data:x:33:33
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL:
            - 'execve'
            - 'execveat'
        euid: 33
    condition: selection
falsepositives:
    - Admin activity
    - Crazy web applications
level: critical
Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
    - https://twitter.com/malmoeb/status/1511760068743766026
    - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
author: elhoim
date: 2022-09-09
modified: 2023-01-04
tags:
    - attack.initial-access
    - cve.2021-42278
    - cve.2021-42287
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
logsource:
    service: security
    product: windows
detection:
    # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
    selection1:
        SamAccountName|startswith: 'SAMTHEADMIN-'
        SamAccountName|endswith: '$'
    selection2:
        TargetUserName|startswith: 'SAMTHEADMIN-'
        TargetUserName|endswith: '$'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.
references:
    - https://www.secura.com/blog/zero-logon
    - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
    - attack.t1210
    - attack.lateral-movement
logsource:
    service: system
    product: windows
detection:
    selection:
        EventID:
            - 5805
            - 5723
    keywords:
        - kali
        - mimikatz
    condition: selection and keywords
level: critical