Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
- id: c86500e9-a645-4680-98d7-f882c70c1ea3
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection:
ScriptBlockText|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: high
high
AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
status testauthor Samir Bousseadenid 35ba1d85-724d-42a3-889f-2e2362bcaf23
view Sigma YAML
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
selection_object:
- ObjectName|endswith:
- '-512'
- '-502'
- '-500'
- '-505'
- '-519'
- '-520'
- '-544'
- '-551'
- '-555'
- ObjectName|contains: 'admin'
filter:
SubjectUserName|endswith: '$'
condition: selection and selection_object and not filter
falsepositives:
- If source account name is not an admin then its super suspicious
level: high
high
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation with template allowing risk permission subject and risky EKU
status testauthor Orlinum , BlueDefenZerid bfbd3291-de87-4b7c-88a2-d6a5deb28668
view Sigma YAML
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU
id: bfbd3291-de87-4b7c-88a2-d6a5deb28668
status: test
description: Detects certificate creation with template allowing risk permission subject and risky EKU
references:
- https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
author: Orlinum , BlueDefenZer
date: 2021-11-17
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.credential-access
logsource:
product: windows
service: security
definition: Certificate services loaded a template would trigger event ID 4898 and certificate Services template was updated would trigger event ID 4899. A risk permission seems to be coming if template contain specific flag with risky EKU.
detection:
selection10:
EventID: 4898
TemplateContent|contains:
- '1.3.6.1.5.5.7.3.2'
- '1.3.6.1.5.2.3.4'
- '1.3.6.1.4.1.311.20.2.2'
- '2.5.29.37.0'
selection11:
TemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
selection20:
EventID: 4899
NewTemplateContent|contains:
- '1.3.6.1.5.5.7.3.2'
- '1.3.6.1.5.2.3.4'
- '1.3.6.1.4.1.311.20.2.2'
- '2.5.29.37.0'
selection21:
NewTemplateContent|contains: 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
condition: (selection10 and selection11) or (selection20 and selection21)
falsepositives:
- Administrator activity
- Proxy SSL certificate with subject modification
- Smart card enrollement
level: high
high
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
status testauthor Florian Roth (Nextron Systems)id e0d6c087-2d1c-47fd-8799-3904103c5a98
view Sigma YAML
title: AMSI Bypass Pattern Assembly GetType
id: e0d6c087-2d1c-47fd-8799-3904103c5a98
status: test
description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
references:
- https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
- https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
author: Florian Roth (Nextron Systems)
date: 2022-11-09
tags:
- attack.defense-impairment
- attack.t1685
- attack.execution
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '[Ref].Assembly.GetType'
- 'SetValue($null,$true)'
- 'NonPublic,Static'
condition: selection
falsepositives:
- Unknown
level: high
high
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id aa37cbb0-da36-42cb-a90f-fdf216fc7467
view Sigma YAML
title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
- id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
type: similar
status: experimental
description: |
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
- https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
- https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
- https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Create AMSIEnable Reg Key
technique: T1562.001
atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
high
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
status testauthor Florian Roth (Nextron Systems), Markus Neisid 6ec820f2-e963-4801-9127-d8b2dce4d31b
view Sigma YAML
title: APT User Agent
id: 6ec820f2-e963-4801-9127-d8b2dce4d31b
status: test
description: Detects suspicious user agent strings used in APT malware in proxy logs
references:
- Internal Research
author: Florian Roth (Nextron Systems), Markus Neis
date: 2019-11-12
modified: 2024-02-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# APT Related
- 'SJZJ (compatible; MSIE 6.0; Win32)' # APT Backspace
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0' # APT GrizzlySteppe - ChopStick - US CERT https://www.cisa.gov/news-events/alerts/2017/02/10/enhanced-analysis-grizzly-steppe
- 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC' # Comment Crew Miniasp
- 'Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)' # Comment Crew Miniasp
- 'webclient' # Naikon APT
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200' # Naikon APT
- 'Mozilla/4.0 (compatible; MSI 6.0;' # SnowGlobe Babar - yes, it is cut
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/' # Sofacy - Xtunnel
- 'Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2' # Sofacy - Xtunnel
- 'Mozilla/4.0' # Derusbi backdoor ELF https://github.com/fideliscyber/indicators/tree/master/FTA-1021
- 'Netscape' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7' # Unit78020 Malware
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1' # Winnti related
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)' # Winnti related
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)' # APT17
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)' # Bronze Butler - Daserf
- 'Mozilla/4.0 (compatible; MSIE 8.0; Win32)' # TSCookie https://app.any.run/tasks/0996b314-5133-491b-8d23-d431ffdec597
- 'Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1' # Delphi downloader https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
- 'Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)' # VPNFilter https://blog.talosintelligence.com/2018/05/VPNFilter.html
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko' # Sofacy User-Agent https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
- 'Mozilla v5.1 *' # Sofacy Zebrocy samples
- 'MSIE 8.0' # Sofacy Azzy Backdoor from https://www.hybrid-analysis.com/sample/a80e29c0757bee05338fd5c22a542d852ad86c477068e3eb4aacc1c3e59e2eef?environmentId=100
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)' # https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer - https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA
- 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018
- 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20
- 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware
- 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
- 'Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)' # PlugX backdoor https://unit42.paloaltonetworks.com/thor-plugx-variant/
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001' # RedCurl Downloader APT https://www.facct.ru/blog/redcurl-2024
condition: selection
falsepositives:
- Old browsers
level: high
high
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
status experimentalauthor Milad Cheraghiid e497a24e-9345-4a62-9803-b06d7d7cb132
view Sigma YAML
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
- https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
- https://man7.org/linux/man-pages/man2/personality.2.html
- https://manual.cs50.io/2/personality
- https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
- attack.privilege-escalation
- attack.stealth
- attack.defense-impairment
- attack.t1685
- attack.t1055.009
logsource:
product: linux
service: auditd
detection:
selection_syscall:
type: 'SYSCALL'
SYSCALL: 'personality'
a0: 40000
selection_sysctl:
type: 'EXECVE'
a0: 'sysctl'
a1: '-w'
a2: 'kernel.randomize_va_space=0' # 0 = disable
condition: 1 of selection_*
falsepositives:
- Debugging or legitimate software testing
level: high
high
AWS Config Disabling Channel/Recorder
Detects AWS Config Service disabling
status testauthor vitaliy0x1id 07330162-dba1-4746-8121-a9647d49d297
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
status testauthor falokerid 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
view Sigma YAML
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1059.004
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
requestParameters.attribute: 'userData'
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high
high
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
status experimentalauthor suktech24id d2656e78-c069-4571-8220-9e0ab5913f19
view Sigma YAML
title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
references:
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
- https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
- https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
- https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
- https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
- https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
- https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
- https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
- https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.002
logsource:
product: aws
service: cloudtrail
detection:
selection_event_source:
eventSource: 'guardduty.amazonaws.com'
selection_action_delete:
eventName: 'DeleteDetector'
selection_action_update:
eventName: 'UpdateDetector'
requestParameters.enable: 'false'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
- Legitimate detector deletion by an admin (e.g., during account decommissioning).
- Temporary disablement for troubleshooting (verify via change management tickets).
- Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high
high
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
status testauthor falokerid 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
view Sigma YAML
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: test
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
author: faloker
date: 2020-02-11
modified: 2022-10-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
eventSource: guardduty.amazonaws.com
eventName: CreateIPSet
condition: selection_source
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high
high
AWS IAM S3Browser LoginProfile Creation
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
status testauthor daniel.bohannon@permiso.io (@danielhbohannon)id db014773-b1d3-46bd-ba26-133337c0ffee
view Sigma YAML
title: AWS IAM S3Browser LoginProfile Creation
id: db014773-b1d3-46bd-ba26-133337c0ffee
status: test
description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'GetLoginProfile'
- 'CreateLoginProfile'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM LoginProfile listing and/or creation
level: high
high
AWS IAM S3Browser Templated S3 Bucket Policy Creation
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
status testauthor daniel.bohannon@permiso.io (@danielhbohannon)id db014773-7375-4f4e-b83b-133337c0ffee
view Sigma YAML
title: AWS IAM S3Browser Templated S3 Bucket Policy Creation
id: db014773-7375-4f4e-b83b-133337c0ffee
status: test
description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "<YOUR-BUCKET-NAME>".
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.execution
- attack.stealth
- attack.t1059.009
- attack.persistence
- attack.initial-access
- attack.privilege-escalation
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: iam.amazonaws.com
eventName: PutUserPolicy
userAgent|contains: 'S3 Browser'
requestParameters|contains|all:
- '"arn:aws:s3:::<YOUR-BUCKET-NAME>/*"'
- '"s3:GetObject"'
- '"Allow"'
condition: selection
falsepositives:
- Valid usage of S3 browser with accidental creation of default Inline IAM policy without changing default S3 bucket name placeholder value
level: high
high
AWS IAM S3Browser User or AccessKey Creation
Detects S3 Browser utility creating IAM User or AccessKey.
status testauthor daniel.bohannon@permiso.io (@danielhbohannon)id db014773-d9d9-4792-91e5-133337c0ffee
view Sigma YAML
title: AWS IAM S3Browser User or AccessKey Creation
id: db014773-d9d9-4792-91e5-133337c0ffee
status: test
description: Detects S3 Browser utility creating IAM User or AccessKey.
references:
- https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
author: daniel.bohannon@permiso.io (@danielhbohannon)
date: 2023-05-17
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1059.009
- attack.t1078.004
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName:
- 'CreateUser'
- 'CreateAccessKey'
userAgent|contains: 'S3 Browser'
condition: selection
falsepositives:
- Valid usage of S3 Browser for IAM User and/or AccessKey creation
level: high
high
AWS Identity Center Identity Provider Change
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
status testauthor Michael McIntyre @wtfenderid d3adb3ef-b7e7-4003-9092-1924c797db35
view Sigma YAML
title: AWS Identity Center Identity Provider Change
id: d3adb3ef-b7e7-4003-9092-1924c797db35
status: test
description: |
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
references:
- https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html
- https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
author: Michael McIntyre @wtfender
date: 2023-09-27
tags:
- attack.persistence
- attack.credential-access
- attack.defense-impairment
- attack.t1556
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource:
- 'sso-directory.amazonaws.com'
- 'sso.amazonaws.com'
eventName:
- 'AssociateDirectory'
- 'DisableExternalIdPConfigurationForDirectory'
- 'DisassociateDirectory'
- 'EnableExternalIdPConfigurationForDirectory'
condition: selection
falsepositives:
- Authorized changes to the AWS account's identity provider
level: high
high
AWS KMS Imported Key Material Usage
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
status experimentalauthor toopriceyid 1279262f-1464-422f-ac0d-5b545320c526
view Sigma YAML
title: AWS KMS Imported Key Material Usage
id: 1279262f-1464-422f-ac0d-5b545320c526
status: experimental
description: |
Detects the import or deletion of key material in AWS KMS, which can be used as part of ransomware attacks. This activity is uncommon and provides a high certainty signal.
references:
- https://www.chrisfarris.com/post/effective-aws-ransomware/
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-importkeymaterial.html
- https://docs.aws.amazon.com/kms/latest/developerguide/ct-deleteimportedkeymaterial.html
author: toopricey
date: 2025-10-18
tags:
- attack.impact
- attack.t1486
- attack.resource-development
- attack.t1608.003
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'kms.amazonaws.com'
eventName:
- 'ImportKeyMaterial'
- 'DeleteImportedKeyMaterial'
condition: selection
falsepositives:
- Legitimate use cases for imported key material are rare, but may include, Organizations with hybrid cloud architectures that import external key material for compliance requirements.
- Development or testing environments that simulate external key management scenarios. Even in these cases, such activity is typically infrequent and should not add significant noise.
level: high
high
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
status stableauthor Sittikorn Sid a607e1fe-74bf-4440-a3ec-b059b9103157
view Sigma YAML
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
condition: selection
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
high
AWS User Login Profile Was Modified
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
status testauthor toffeebr33kid 055fb148-60f8-462d-ad16-26926ce050f1
view Sigma YAML
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: test
description: |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
author: toffeebr33k
date: 2021-08-09
modified: 2024-04-26
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'iam.amazonaws.com'
eventName: 'UpdateLoginProfile'
filter_main_user_identity:
userIdentity.arn|fieldref: requestParameters.userName
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate user account administration
level: high
high
AWS VPC Flow Logs Deleted
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
status experimentalauthor Ivan Saakovid e386b9b5-af12-450e-afff-761730fb8a98
view Sigma YAML
title: AWS VPC Flow Logs Deleted
id: e386b9b5-af12-450e-afff-761730fb8a98
status: experimental
description: |
Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call.
Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html
- https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion
author: Ivan Saakov
date: 2025-10-19
tags:
- attack.stealth
logsource:
product: aws
service: cloudtrail
detection:
selection_event_name:
eventName: 'DeleteFlowLogs'
selection_status_success:
errorCode: 'Success'
selection_status_null:
errorCode: null
condition: selection_event_name and 1 of selection_status_*
falsepositives:
- During maintenance operations or testing, authorized administrators may delete VPC Flow Logs as part of routine network management or cleanup activities.
level: high
high
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
status testauthor X__Junior (Nextron Systems)id 799a5f48-0ac1-4e0f-9152-71d137d48c2a
view Sigma YAML
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
- attack.execution
- attack.t1059
logsource:
category: image_load
product: windows
detection:
selection_dll:
ImageLoaded|endswith:
# Note: Add more generic DLLs that cannot be pin-pointed to a single application
- '\coreclr.dll'
- '\facesdk.dll'
- '\HPCustPartUI.dll'
- '\libcef.dll'
- '\ZIPDLL.dll'
selection_folders_1:
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
- '\Windows\Temp\'
selection_folders_2:
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favorites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Favourites\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Contacts\'
- ImageLoaded|contains|all:
- ':\Users\'
- '\Pictures\'
condition: selection_dll and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
high
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
status testauthor Nasreddine Bencherchali (Nextron Systems)id 514e4c3a-c77d-4cde-a00f-046425e2301e
view Sigma YAML
title: Abuse of Service Permissions to Hide Services Via Set-Service
id: 514e4c3a-c77d-4cde-a00f-046425e2301e
related:
- id: a537cfc3-4297-4789-92b5-345bfd845ad0
type: derived
- id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\pwsh.exe'
- OriginalFileName: 'pwsh.dll'
selection_sddl:
# Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
CommandLine|contains|all:
- 'Set-Service '
- 'DCLCWPDTSD'
selection_cmdlet:
CommandLine|contains:
- '-SecurityDescriptorSddl '
- '-sd '
condition: all of selection_*
falsepositives:
- Rare intended use of hidden services
level: high
high
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
status testauthor Nasreddine Bencherchali (Nextron Systems)id 953945c5-22fe-4a92-9f8a-a9edc1e522da
view Sigma YAML
title: Abuse of Service Permissions to Hide Services Via Set-Service - PS
id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
related:
- id: 514e4c3a-c77d-4cde-a00f-046425e2301e
type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
- https://twitter.com/Alh4zr3d/status/1580925761996828672
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.011
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Set-Service '
- 'DCLCWPDTSD'
ScriptBlockText|contains:
- '-SecurityDescriptorSddl '
- '-sd '
condition: selection
falsepositives:
- Rare intended use of hidden services
- Rare FP could occur due to the non linearity of the ScriptBlockText log
level: high
high
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
status testauthor Semanur Guneysu @semanurtg, oscd.communityid d522eca2-2973-4391-a3e0-ef0374321dae
view Sigma YAML
title: Abused Debug Privilege by Arbitrary Parent Processes
id: d522eca2-2973-4391-a3e0-ef0374321dae
status: test
description: Detection of unusual child processes by different system processes
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
author: 'Semanur Guneysu @semanurtg, oscd.community'
date: 2020-10-28
modified: 2022-11-11
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\winlogon.exe'
- '\services.exe'
- '\lsass.exe'
- '\csrss.exe'
- '\smss.exe'
- '\wininit.exe'
- '\spoolsv.exe'
- '\searchindexer.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'Cmd.Exe'
filter:
CommandLine|contains|all:
- ' route '
- ' ADD '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
high
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
status testauthor Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Sheltonid 6f583da0-3a90-4566-a4ed-83c09fe18bbf
view Sigma YAML
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022-08-11
modified: 2022-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
high
Active Directory User Backdoors
Detects scenarios where one can control another users or computers account without having to use their credentials.
status testauthor @neu5ronid 300bac00-e041-4ee2-9c36-e262656a6ecc
view Sigma YAML
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
status: test
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017-04-13
modified: 2024-02-26
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
filter_empty:
AllowedToDelegateTo:
- ''
- '-'
filter_null:
AllowedToDelegateTo: null
selection_5136_1:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection_5136_2:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
selection_5136_3:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
falsepositives:
- Unknown
level: high
high
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
status testauthor Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'id be4d9c86-d702-4030-b52e-c7859110e5e8
view Sigma YAML
title: Activity From Anonymous IP Address
id: be4d9c86-d702-4030-b52e-c7859110e5e8
status: test
description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'riskyIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
status testauthor Nasreddine Bencherchali (Nextron Systems)id 833ef470-fa01-4631-a79b-6f291c9ac498
view Sigma YAML
title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: test
description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
- https://persistence-info.github.io/Data/wer_debugger.html
- https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
condition: selection
falsepositives:
- This value is not set by default but could be rarly used by administrators
level: high
high
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source.
Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
status testauthor Nasreddine Bencherchali (Nextron Systems)id 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
view Sigma YAML
title: Add Insecure Download Source To Winget
id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
related:
- id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
type: similar
- id: c15a46a0-07d4-4c87-b4b6-89207835a83b
type: similar
status: test
description: |
Detects usage of winget to add a new insecure (http) download source.
Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
references:
- https://learn.microsoft.com/en-us/windows/package-manager/winget/source
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_cli:
CommandLine|contains|all:
- 'source '
- 'add '
- 'http://'
condition: all of selection_*
falsepositives:
- False positives might occur if the users are unaware of such control checks
level: high
high
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
status testauthor Nasreddine Bencherchali (Nextron Systems)id d7662ff6-9e97-4596-a61d-9839e32dee8d
view Sigma YAML
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
- id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_safeboot:
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
selection_flag:
CommandLine|contains:
- ' copy '
- ' add '
condition: all of selection*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
high
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
status testauthor Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'id cbb67ecc-fb70-4467-9350-c910bdf7c628
view Sigma YAML
title: Added Credentials to Existing Application
id: cbb67ecc-fb70-4467-9350-c910bdf7c628
status: test
description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-05-26
modified: 2025-07-18
tags:
- attack.privilege-escalation
- attack.t1098.001
- attack.persistence
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Update application – Certificates and secrets management
- Update Service principal/Update Application
condition: selection
falsepositives:
- When credentials are added/removed as part of the normal working hours/workflows
level: high
high
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
status testauthor Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.communityid 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
view Sigma YAML
title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
- id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
- https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|contains|all:
- '\AppData\Roaming\Oracle\bin\java'
- '.exe'
- TargetFilename|contains|all:
- '\Retrive'
- '.vbs'
condition: selection
level: high
high
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 639c9081-f482-47d3-a0bd-ddee3d4ecd76
view Sigma YAML
title: All Backups Deleted Via Wbadmin.EXE
id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
related:
- id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
type: derived
status: test
description: |
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wbadmin.exe'
- OriginalFileName: 'WBADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- 'delete'
- 'backup' # Also covers "SYSTEMSTATEBACKUP"
CommandLine|contains: 'keepVersions:0'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 79609c82-a488-426e-abcf-9f341a39365d
view Sigma YAML
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: test
description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-17
modified: 2024-01-22
tags:
- attack.defense-impairment
- attack.t1686.003
logsource:
product: windows
service: firewall-as
detection:
selection:
EventID:
- 2033 # All rules have been deleted from the Windows Defender Firewall configuration on this computer
- 2059 # All rules have been deleted from the Windows Defender Firewall configuration on this computer. (Windows 11)
filter_main_svchost:
ModifyingApplication|endswith: ':\Windows\System32\svchost.exe'
filter_optional_msmpeng:
ModifyingApplication|contains|all:
- ':\ProgramData\Microsoft\Windows Defender\Platform\'
- '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
level: high
high
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 6c8fbee5-dee8-49bc-851d-c3142d02aa47
view Sigma YAML
title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
related:
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
type: similar
status: test
description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
references:
- https://twitter.com/0gtweet/status/1628720819537936386
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'A;' # Allow Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
filter_optional_hexnode:
ParentImage: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
high
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
status testauthor Mark Morowczynski '@markmorow'id 6555754e-5e7f-4a67-ad1c-4041c413a007
view Sigma YAML
title: Anomalous Token
id: 6555754e-5e7f-4a67-ad1c-4041c413a007
status: test
description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow'
date: 2023-08-07
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousToken'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
status testauthor Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'id 258b6593-215d-4a26-a141-c8e31c1299a6
view Sigma YAML
title: Anomalous User Activity
id: 258b6593-215d-4a26-a141-c8e31c1299a6
status: test
description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anomalousUserActivity'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
status testauthor Gloria Lee, '@gleeiamglo'id 53acd925-2003-440d-a1f3-71a5253fe237
view Sigma YAML
title: Anonymous IP Address
id: 53acd925-2003-440d-a1f3-71a5253fe237
status: test
description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
references:
- https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
author: Gloria Lee, '@gleeiamglo'
date: 2023-08-22
tags:
- attack.t1528
- attack.credential-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'anonymizedIPAddress'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins
level: high
high
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
status testauthor @kostastsale, Nasreddine Bencherchali (Nextron Systems)id 31e124fb-5dc4-42a0-83b3-44a69c77b271
view Sigma YAML
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
- https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
high
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stableauthor Florian Roth (Nextron Systems), Arnim Ruppid fa0c05b6-8ad3-468d-8231-c1cbccb64fba
view Sigma YAML
title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
- attack.execution
- attack.t1204
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ATK/' # Sophos
- 'Exploit.Script.CVE'
- 'HKTL'
- 'HTOOL'
- 'PWS.'
- 'PWSX'
- 'SecurityTool'
# - 'FRP.'
- Signature|contains:
- 'Adfind'
- 'Brutel'
- 'BruteR'
- 'Cobalt'
- 'COBEACON'
- 'Cometer'
- 'DumpCreds'
- 'FastReverseProxy'
- 'Hacktool'
- 'Havoc'
- 'Impacket'
- 'Keylogger'
- 'Koadic'
- 'Mimikatz'
- 'Nighthawk'
- 'PentestPowerShell'
- 'Potato'
- 'PowerSploit'
- 'PowerSSH'
- 'PshlSpy'
- 'PSWTool'
- 'PWCrack'
- 'PWDump'
- 'Rozena'
- 'Rusthound'
- 'Sbelt'
- 'Seatbelt'
- 'SecurityTool'
- 'SharpDump'
- 'SharpHound'
- 'Shellcode'
- 'Sliver'
- 'Snaffler'
- 'SOAPHound'
- 'Splinter'
- 'Swrort'
- 'TurtleLoader'
condition: selection
falsepositives:
- Unlikely
level: high
high
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status testauthor Florian Roth (Nextron Systems), Arnim Ruppid c9a88268-0047-4824-ba6e-4d81ce0b907c
view Sigma YAML
title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.resource-development
- attack.t1588
logsource:
category: antivirus
detection:
selection_path:
Filename|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\'
- '/www/'
# - '\Client\'
- '\inetpub\'
- '\tsclient\'
- 'apache'
- 'nginx'
- 'tomcat'
- 'weblogic'
selection_ext:
Filename|endswith:
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dat'
- '.ear'
- '.gif'
- '.hta'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.lnk'
- '.msc'
- '.php'
- '.pl'
- '.png'
- '.ps1'
- '.psm1'
- '.py'
- '.pyc'
- '.rb'
- '.scf'
- '.sct'
- '.sh'
- '.svg'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wll'
- '.wsf'
- '.wsh'
- '.xll'
- '.xml'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
high
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status testauthor Florian Roth (Nextron Systems), Arnim Ruppid fdf135a2-9241-4f96-a114-bb404948f736
view Sigma YAML
title: Antivirus Web Shell Detection
id: fdf135a2-9241-4f96-a114-bb404948f736
status: test
description: |
Detects a highly relevant Antivirus alert that reports a web shell.
It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. github and checking the matches.
This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
- https://www.nextron-systems.com/?s=antivirus
- https://github.com/tennc/webshell
- https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection
- https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection
- https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection
- https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection
- https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection
- https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection
- https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection
- https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: antivirus
detection:
selection:
- Signature|startswith:
- 'ASP.'
- 'IIS/BackDoor'
- 'JAVA/Backdoor'
- 'JSP.'
- 'Perl.'
- 'PHP.'
- 'Troj/ASP'
- 'Troj/JSP'
- 'Troj/PHP'
- 'VBS/Uxor' # looking for 'VBS/' would also find downloader's and droppers meant for desktops
- Signature|contains:
- 'ASP_' # looking for 'VBS_' would also find downloader's and droppers meant for desktops
- 'ASP:'
- 'ASP.Agent'
- 'ASP/'
# - 'ASP/Agent'
- 'Aspdoor'
- 'ASPXSpy'
- 'Backdoor.ASP'
- 'Backdoor.Java'
- 'Backdoor.JSP'
- 'Backdoor.PHP'
- 'Backdoor.VBS'
- 'Backdoor/ASP'
- 'Backdoor/Java'
- 'Backdoor/JSP'
- 'Backdoor/PHP'
- 'Backdoor/VBS'
- 'C99shell'
- 'Chopper'
- 'filebrowser'
- 'JSP_'
- 'JSP:'
- 'JSP.Agent'
- 'JSP/'
# - 'JSP/Agent'
- 'Perl:'
- 'Perl/'
- 'PHP_'
- 'PHP:'
- 'PHP.Agent'
- 'PHP/'
# - 'PHP/Agent'
- 'PHPShell'
- 'PShlSpy'
- 'SinoChoper'
- 'Trojan.ASP'
- 'Trojan.JSP'
- 'Trojan.PHP'
- 'Trojan.VBS'
- 'VBS.Agent'
- 'VBS/Agent'
- 'Webshell'
condition: selection
falsepositives:
- Unlikely
level: high
high
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing apache worker process
status testauthor Florian Roth (Nextron Systems)id 1da8ce0b-855d-4004-8860-7d64d42063b1
view Sigma YAML
title: Apache Segmentation Fault
id: 1da8ce0b-855d-4004-8860-7d64d42063b1
status: test
description: Detects a segmentation fault error message caused by a crashing apache worker process
references:
- http://www.securityfocus.com/infocus/1633
author: Florian Roth (Nextron Systems)
date: 2017-02-28
modified: 2021-11-27
tags:
- attack.impact
- attack.t1499.004
logsource:
service: apache
definition: 'Requirements: Must be able to collect the error.log file'
detection:
keywords:
- 'exit signal Segmentation Fault'
condition: keywords
falsepositives:
- Unknown
level: high
high
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
status testauthor Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'id c1d147ae-a951-48e5-8b41-dcd0170c7213
view Sigma YAML
title: App Granted Microsoft Permissions
id: c1d147ae-a951-48e5-8b41-dcd0170c7213
status: test
description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-10
tags:
- attack.credential-access
- attack.t1528
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add delegated permission grant
- Add app role assignment to service principal
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: high
high
App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
status testauthor Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'id 5aecf3d5-f8a0-48e7-99be-3a759df7358f
view Sigma YAML
title: App Granted Privileged Delegated Or App Permissions
id: 5aecf3d5-f8a0-48e7-99be-3a759df7358f
related:
- id: ba2a7c80-027b-460f-92e2-57d113897dbc
type: obsolete
status: test
description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
modified: 2023-03-29
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1098.003
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add app role assignment to service principal
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: high
high
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 5cdeaf3d-1489-477c-95ab-c318559fc051
view Sigma YAML
title: AppX Located in Known Staging Directory Added to Deployment Pipeline
id: 5cdeaf3d-1489-477c-95ab-c318559fc051
status: test
description: |
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
references:
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection_eid:
EventID: 854
selection_paths_forward:
Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
- ':/Perflogs/'
- ':/Users/Public/'
- ':/Windows/Temp/'
- '/AppdData/Local/Temp/'
- '/Desktop/'
- '/Downloads/'
selection_paths_back:
Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppdData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
condition: selection_eid and 1 of selection_paths_*
falsepositives:
- Unknown
level: high
high
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
status testauthor Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'id 1b45b0d1-773f-4f23-aedc-814b759563b1
view Sigma YAML
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1552
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Update Application
- Update Service principal
condition: selection
falsepositives:
- When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
high
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI.
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
status testauthor Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'id 0055ad1f-be85-4798-83cf-a6da17c993b3
view Sigma YAML
title: Application URI Configuration Changes
id: 0055ad1f-be85-4798-83cf-a6da17c993b3
status: test
description: |
Detects when a configuration change is made to an applications URI.
URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
- attack.initial-access
- attack.stealth
- attack.t1528
- attack.t1078.004
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Update Application Sucess- Property Name AppAddress
condition: selection
falsepositives:
- When and administrator is making legitimate URI configuration changes to an application. This should be a planned event.
level: high
high
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
status testauthor Swachchhanda Shrawan Poudelid 863218bd-c7d0-4c52-80cd-0a96c09f54af
view Sigma YAML
title: Arbitrary File Download Via IMEWDBLD.EXE
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
related:
- id: 8d7e392e-9b28-49e1-831d-5949c6281228
type: derived
status: test
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\IMEWDBLD.exe'
- OriginalFileName: 'imewdbld.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
level: high