Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
status testauthor Bhabesh Rajid 87261fb2-69d0-42fe-b9de-88c6b5f65a43
view Sigma YAML
title: Atera Agent Installation
id: 87261fb2-69d0-42fe-b9de-88c6b5f65a43
status: test
description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
references:
- https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
author: Bhabesh Raj
date: 2021-09-01
modified: 2022-12-25
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
service: application
product: windows
detection:
selection:
EventID: 1033
Provider_Name: MsiInstaller
Message|contains: AteraAgent
condition: selection
falsepositives:
- Legitimate Atera agent installation
level: high
high
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 0ed99dda-6a35-11ef-8c99-0242ac120002
view Sigma YAML
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
type: similar
status: experimental
description: |
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
high
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
status testauthor Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'id 1a41023f-1e70-4026-921a-4d9341a9038e
view Sigma YAML
title: Atypical Travel
id: 1a41023f-1e70-4026-921a-4d9341a9038e
status: test
description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unlikelyTravel'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status testauthor Janantha Marasinghe (https://github.com/blueteam0ps)id 0a13e132-651d-11eb-ae93-0242ac130002
view Sigma YAML
title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
- id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
type: similar
status: test
description: |
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\auditpol.exe'
- OriginalFileName: 'AUDITPOL.EXE'
selection_cli:
CommandLine|contains:
- 'disable' # disables a specific audit policy
- 'clear' # delete or clears audit policy
- 'remove' # removes an audit policy
- 'restore' # restores an audit policy
condition: all of selection_*
falsepositives:
- Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high
high
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status testauthor Nasreddine Bencherchali (Nextron Systems)id c6c56ada-612b-42d1-9a29-adad3c5c2c1e
view Sigma YAML
title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
- id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
type: similar
status: test
description: |
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '/logon:none'
- '/system:none'
- '/sam:none'
- '/privilege:none'
- '/object:none'
- '/process:none'
- '/policy:none'
condition: selection
falsepositives:
- The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high
high
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
status experimentalauthor Mohamed LAKRIid bed26dea-4525-47f4-b24a-76e30e44ffb0
view Sigma YAML
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
- https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.defense-impairment
- attack.t1685.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/auditctl'
CommandLine|re: '-D'
condition: selection
falsepositives:
- An administrator troubleshooting. Investigate all attempts.
level: high
high
Auditing Configuration Changes on Linux Host
Detect changes in auditd configuration files
status testauthor Mikhail Larin, oscd.communityid 977ef627-4539-4875-adf4-ed8f780c4922
Indicates that the user's valid credentials have been leaked.
status testauthor Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'id 19128e5e-4743-48dc-bd97-52e5775af817
view Sigma YAML
title: Azure AD Account Credential Leaked
id: 19128e5e-4743-48dc-bd97-52e5775af817
status: test
description: Indicates that the user's valid credentials have been leaked.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1589
- attack.reconnaissance
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'leakedCredentials'
condition: selection
falsepositives:
- A rare hash collision.
level: high
high
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
status testauthor Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'id a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
view Sigma YAML
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: test
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-07
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'investigationsThreatIntelligence'
condition: selection
falsepositives:
- We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
high
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
status experimentalauthor Josh Nickels, Marius Rothenbücherid 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
view Sigma YAML
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
references:
- https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/
- https://github.com/JumpsecLabs/TokenSmith
date: 2025-01-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
service: audit
product: m365
detection:
selection:
Operation: 'UserLoggedIn'
ApplicationId: '9ba1a5c7-f17a-4de9-a1f1-6178c8d51223'
ResultStatus: 'Success'
RequestType: 'Cmsi:Cmsi'
filter_main_bjectid:
ObjectId: '0000000a-0000-0000-c000-000000000000' # Microsoft Intune seen when mobile devices are enrolled
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
status testauthor Austin Songer @austinsongerid 09438caa-07b1-4870-8405-1dbafe3dad95
view Sigma YAML
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-08-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: activitylogs
detection:
selection:
operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
high
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
status testauthor Austin Songer @austinsongerid ca9bf243-465e-494a-9e54-bf9fc239057d
view Sigma YAML
title: Azure Subscription Permission Elevation Via AuditLogs
id: ca9bf243-465e-494a-9e54-bf9fc239057d
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
author: Austin Songer @austinsonger
date: 2021-11-26
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: 'Administrative'
OperationName: 'Assigns the caller to user access admin'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: high
high
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 90f138c1-f578-4ac3-8c49-eecfd847c8b7
view Sigma YAML
title: BITS Transfer Job Download From Direct IP
id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
related:
- id: 99c840f2-2012-46fd-9141-c761987550ef
type: similar
status: test
description: Detects a BITS transfer job downloading file(s) from a direct IP address.
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-03-27
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
logsource:
product: windows
service: bits-client
detection:
selection:
EventID: 16403
RemoteName|contains:
- 'http://1'
- 'http://2'
- 'http://3'
- 'http://4'
- 'http://5'
- 'http://6'
- 'http://7'
- 'http://8'
- 'http://9'
- 'https://1'
- 'https://2'
- 'https://3'
- 'https://4'
- 'https://5'
- 'https://6'
- 'https://7'
- 'https://8'
- 'https://9'
filter_optional_local_networks:
RemoteName|contains:
- '://10.' # 10.0.0.0/8
- '://192.168.' # 192.168.0.0/16
- '://172.16.' # 172.16.0.0/12
- '://172.17.'
- '://172.18.'
- '://172.19.'
- '://172.20.'
- '://172.21.'
- '://172.22.'
- '://172.23.'
- '://172.24.'
- '://172.25.'
- '://172.26.'
- '://172.27.'
- '://172.28.'
- '://172.29.'
- '://172.30.'
- '://172.31.'
- '://127.' # 127.0.0.0/8
- '://169.254.' # 169.254.0.0/16
filter_optional_seven_zip:
RemoteName|contains:
# For https://7-zip.org/
- 'https://7-'
- 'http://7-'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
high
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.
status testauthor Florian Roth (Nextron Systems)id d635249d-86b5-4dad-a8c7-d7272b788586
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
view Sigma YAML
title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
- id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
type: similar
status: experimental
description: |
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\BaaUpdate.exe'
ImageLoaded|endswith: '.dll'
ImageLoaded|contains:
- ':\Perflogs\'
- ':\Users\Default\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Favorites\'
- '\Favourites\'
- '\Links\'
- '\Music\'
- '\Pictures\'
- '\ProgramData\'
- '\Temporary Internet'
- '\Videos\'
condition: selection
falsepositives:
- Unknown
level: high
high
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
status testauthor Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)id a7c3d773-caef-227e-a7e7-c2f13c622329
view Sigma YAML
title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
type: obsolete
status: test
description: |
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
- https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
- https://www.cobaltstrike.com/help-opsec
- https://twitter.com/CyberRaiju/status/1251492025678983169
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
- https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_werfault:
Image|endswith: '\WerFault.exe'
CommandLine|endswith: 'WerFault.exe'
selection_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
selection_regsvcs:
Image|endswith: '\regsvcs.exe'
CommandLine|endswith: 'regsvcs.exe'
selection_regasm:
Image|endswith: '\regasm.exe'
CommandLine|endswith: 'regasm.exe'
selection_regsvr32:
Image|endswith: '\regsvr32.exe'
CommandLine|endswith: 'regsvr32.exe'
filter_optional_edge_update:
ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
filter_optional_chromium_installer:
# As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
ParentImage|contains:
- '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
- '\AppData\Local\Google\Chrome\Application\'
ParentImage|endswith: '\Installer\setup.exe'
ParentCommandLine|contains: '--uninstall '
Image|endswith: '\rundll32.exe'
CommandLine|endswith: 'rundll32.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
high
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
status testauthor Florian Roth (Nextron Systems)id e32d4572-9826-4738-b651-95fa63747e8a
view Sigma YAML
title: Base64 Encoded PowerShell Command Detected
id: e32d4572-9826-4738-b651-95fa63747e8a
status: test
description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
references:
- https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
author: Florian Roth (Nextron Systems)
date: 2020-01-29
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1140
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '::FromBase64String('
condition: selection
falsepositives:
- Administrative script libraries
level: high
high
Base64 MZ Header In CommandLine
Detects encoded base64 MZ header in the commandline
status testauthor Nasreddine Bencherchali (Nextron Systems)id 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
view Sigma YAML
title: Base64 MZ Header In CommandLine
id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
status: test
description: Detects encoded base64 MZ header in the commandline
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'TVqQAAMAAAAEAAAA' # MZ..........
- 'TVpQAAIAAAAEAA8A'
- 'TVqAAAEAAAAEABAA'
- 'TVoAAAAAAAAAAAAA'
- 'TVpTAQEAAAAEAAAA'
condition: selection
falsepositives:
- Unlikely
level: high
high
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
This rule detect using dd and truncate to add a junk data to file.
status testauthor Igor Fits, oscd.communityid c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
view Sigma YAML
title: Binary Padding - Linux
id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
status: test
description: |
Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
author: Igor Fits, oscd.community
date: 2020-10-13
modified: 2023-05-03
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: linux
service: auditd
detection:
selection_execve:
type: 'EXECVE'
keywords_truncate:
'|all':
- 'truncate'
- '-s'
keywords_dd:
'|all':
- 'dd'
- 'if='
keywords_filter:
- 'of='
condition: selection_execve and (keywords_truncate or (keywords_dd and not keywords_filter))
falsepositives:
- Unknown
level: high
simulation:
- type: atomic-red-team
name: Pad Binary to Change Hash - Linux/macOS dd
technique: T1027.001
atomic_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
high
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
status testauthor Igor Fits, Mikhail Larin, oscd.communityid 95361ce5-c891-4b0a-87ca-e24607884a96
view Sigma YAML
title: Binary Padding - MacOS
id: 95361ce5-c891-4b0a-87ca-e24607884a96
status: test
description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
- https://linux.die.net/man/1/truncate
- https://linux.die.net/man/1/dd
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1027.001
logsource:
product: macos
category: process_creation
detection:
selection_truncate:
Image|endswith: '/truncate'
CommandLine|contains: '-s +'
selection_dd:
Image|endswith: '/dd'
CommandLine|contains:
- 'if=/dev/zero' # if input is not /dev/zero, then there is no null padding
- 'if=/dev/random' # high-quality random data
- 'if=/dev/urandom' # low-quality random data
condition: 1 of selection_*
falsepositives:
- Legitimate script work
level: high
high
Bitbucket Full Data Export Triggered
Detects when full data export is attempted.
status testauthor Muhammad Faisal (@faisalusuf)id 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
view Sigma YAML
title: Bitbucket Full Data Export Triggered
id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
status: test
description: Detects when full data export is attempted.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.collection
- attack.t1213.003
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Data pipeline'
auditType.action: 'Full data export triggered'
condition: selection
falsepositives:
- Legitimate user activity.
level: high
high
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from secret scanning feature.
status testauthor Muhammad Faisal (@faisalusuf)id b91e8d5e-0033-44fe-973f-b730316f23a1
view Sigma YAML
title: Bitbucket Secret Scanning Exempt Repository Added
id: b91e8d5e-0033-44fe-973f-b730316f23a1
status: test
description: Detects when a repository is exempted from secret scanning feature.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
- https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: bitbucket
service: audit
definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
selection:
auditType.category: 'Repositories'
auditType.action: 'Secret scanning exempt repository added'
condition: selection
falsepositives:
- Legitimate user activity.
level: high
high
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
status testauthor Florian Roth (Nextron Systems)id 8ccd35a2-1c7c-468b-b568-ac6cdf80eec3
Detects Bitsadmin connections to domains with uncommon TLDs
status testauthor Florian Roth (Nextron Systems), Tim Sheltonid 9eb68894-7476-4cd6-8752-23b51f5883a7
view Sigma YAML
title: Bitsadmin to Uncommon TLD
id: 9eb68894-7476-4cd6-8752-23b51f5883a7
status: test
description: Detects Bitsadmin connections to domains with uncommon TLDs
references:
- https://twitter.com/jhencinski/status/1102695118455349248
- https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2019-03-07
modified: 2023-05-17
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1071.001
- attack.persistence
- attack.t1197
- attack.s0190
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
falsepositives:
cs-host|endswith:
- '.com'
- '.net'
- '.org'
- '.scdn.co' # spotify streaming
- '.sfx.ms' # Microsoft domain, example request: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-08-15-21-xx-xx/PreSignInSettingsConfig.json
condition: selection and not falsepositives
falsepositives:
- Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca
level: high
high
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
status testauthor C.J. Mayid 02773bed-83bf-469f-b7ff-e676e7d78bab
view Sigma YAML
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
high
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
status stableauthor E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.communityid 1444443e-6757-43e4-9ea4-c8fc705f79a2
view Sigma YAML
title: Boot Configuration Tampering Via Bcdedit.EXE
id: 1444443e-6757-43e4-9ea4-c8fc705f79a2
status: stable
description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
- https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-15
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_set:
CommandLine|contains: 'set'
selection_cli:
- CommandLine|contains|all:
- 'bootstatuspolicy'
- 'ignoreallfailures'
- CommandLine|contains|all:
- 'recoveryenabled'
- 'no'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
simulation:
- type: atomic-red-team
name: Windows - Disable Windows Recovery Console Repair
technique: T1490
atomic_guid: cf21060a-80b3-4238-a595-22525de4ab81
high
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
status testauthor Florian Roth (Nextron Systems)id 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
view Sigma YAML
title: Buffer Overflow Attempts
id: 18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781
status: test
description: Detects buffer overflow attempts in Unix system log files
references:
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml # OSSEC attack detection rules​:contentReference[oaicite:6]{index=6}​:contentReference[oaicite:7]{index=7}
- https://docs.oracle.com/cd/E19683-01/816-4883/6mb2joatd/index.html # Exec stack syslog message (noexec_user_stack)​:contentReference[oaicite:8]{index=8}
- https://www.giac.org/paper/gcih/266/review-ftp-protocol-cyber-defense-initiative/102802 # WU-FTPD exploit "0bin0sh" analysis​:contentReference[oaicite:9]{index=9}
- https://blu.org/mhonarc/discuss/2001/04/msg00285.php # RPC.statd exploit attempt log example​:contentReference[oaicite:10]{index=10}
- https://rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ # Stack smashing protector alert example​:contentReference[oaicite:11]{index=11}
author: Florian Roth (Nextron Systems)
date: 2017-03-01
modified: 2025-03-17
tags:
- attack.t1068
- attack.privilege-escalation
logsource:
product: linux
detection:
keywords:
- 'attempt to execute code on stack by'
- '0bin0sh1'
# - 'rpc.statd[\d+]: gethostbyname error for' # it's an expensive regex and produces questionable results
- 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' # this can cause false positives in Base64 encoded data
- 'stack smashing detected'
condition: keywords
falsepositives:
- Base64 encoded data in log entries
level: high
high
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
status testauthor Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'id 102e11e3-2db5-4c9e-bc26-357d42585d21
view Sigma YAML
title: Bulk Deletion Changes To Privileged Account Permissions
id: 102e11e3-2db5-4c9e-bc26-357d42585d21
status: test
description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Remove eligible member (permanent)
- Remove eligible member (eligible)
condition: selection
falsepositives:
- Legtimate administrator actions of removing members from a role
level: high
high
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
status testauthor frack113id 46dd5308-4572-4d12-aa43-8938f0184d4f
view Sigma YAML
title: Bypass UAC Using DelegateExecute
id: 46dd5308-4572-4d12-aa43-8938f0184d4f
status: test
description: Bypasses User Account Control using a fileless method
references:
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\open\command\DelegateExecute'
Details: (Empty)
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using sdclt DelegateExecute
technique: T1548.002
atomic_guid: 3be891eb-4608-4173-87e8-78b494c029b7
high
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
status testauthor frack113id 674202d0-b22a-4af4-ae5f-2eda1f3da1af
view Sigma YAML
title: Bypass UAC Using Event Viewer
id: 674202d0-b22a-4af4-ae5f-2eda1f3da1af
status: test
description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
author: frack113
date: 2022-01-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '_Classes\mscfile\shell\open\command\(Default)'
filter:
Details|startswith: '%SystemRoot%\system32\mmc.exe "%1" %'
condition: selection and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using Event Viewer (cmd)
technique: T1548.002
atomic_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
high
Bypass UAC Using SilentCleanup Task
Detects the setting of the environement variable "windir" to a non default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
status testauthor frack113, Nextron Systemsid 724ea201-6514-4f38-9739-e5973c34f49a
view Sigma YAML
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
Detects the setting of the environement variable "windir" to a non default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Environment\windir'
filter_main_default:
Details: '%SystemRoot%'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using SilentCleanup Task
technique: T1548.002
atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
high
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
status testauthor E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.communityid e66779cc-383e-4224-a3a4-267eeb585c40
view Sigma YAML
title: Bypass UAC via CMSTP
id: e66779cc-383e-4224-a3a4-267eeb585c40
status: test
description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
references:
- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
- https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-08-30
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1548.002
- attack.t1218.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmstp.exe'
- OriginalFileName: 'CMSTP.EXE'
selection_cli:
CommandLine|contains:
- '/s'
- '-s'
- '/au'
- '-au'
- '/ni'
- '-ni'
condition: all of selection*
falsepositives:
- Legitimate use of cmstp.exe utility by legitimate user
level: high
high
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
status testauthor E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.communityid 7f741dcf-fc22-4759-87b4-9ae8376676a2
view Sigma YAML
title: Bypass UAC via Fodhelper.exe
id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
status: test
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\fodhelper.exe'
condition: selection
falsepositives:
- Legitimate use of fodhelper.exe utility by legitimate user
level: high
high
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
status testauthor E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Rothid d797268e-28a9-49a7-b9a8-2f5039011c5c
view Sigma YAML
title: Bypass UAC via WSReset.exe
id: d797268e-28a9-49a7-b9a8-2f5039011c5c
related:
- id: bdc8918e-a1d5-49d1-9db7-ea0fd91aa2ae
type: obsolete
status: test
description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://www.activecyber.us/activelabs/windows-uac-bypass
- https://twitter.com/ReaQta/status/1222548288731217921
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth
date: 2019-10-24
modified: 2022-05-13
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wsreset.exe'
filter:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
condition: selection and not filter
falsepositives:
- Unknown sub processes of Wsreset.exe
level: high
high
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
status stableauthor Nik Seetharamanid 3b4b232a-af90-427c-a22f-30b0c0837b95
view Sigma YAML
title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2021-06-27
tags:
- attack.stealth
- attack.t1218.003
- attack.execution
- attack.t1559.001
- attack.g0069
- attack.g0080
- car.2019-04-001
logsource:
product: windows
category: process_access
detection:
# Process Access Call Trace
selection:
CallTrace|contains: 'cmlua.dll'
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
status stableauthor Nik Seetharamanid 7d4cdc5a-0076-40ca-aac8-f7e714570e47
view Sigma YAML
title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
- attack.execution
- attack.stealth
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
# CMSTP Spawning Child Process
selection:
ParentImage|endswith: '\cmstp.exe'
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
status stableauthor Nik Seetharamanid b6d235fc-1d38-4b12-adbe-325f06728f37
view Sigma YAML
title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
- attack.execution
- attack.stealth
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\cmmgr32.exe'
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
status stableauthor Nik Seetharaman, Christian Burkard (Nextron Systems)id 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
view Sigma YAML
title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://twitter.com/hFireF0X/status/897640081053364225
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
- https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1548.002
- attack.t1218.003
- attack.g0069
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\DllHost.exe'
ParentCommandLine|contains:
- ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
- ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
- ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
- ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
- ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
high
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
status testauthor Omkar Gudhateid 07743f65-7ec9-404a-a519-913db7118a8d
view Sigma YAML
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
- http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
- https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546
- attack.t1548
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
condition: selection
falsepositives:
- Unknown
level: high
high
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
status experimentalauthor Nasreddine Bencherchali (Nextron Systems)id 790317c0-0a36-4a6a-a105-6e576bf99a14
view Sigma YAML
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
- id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
type: obsolete
- id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- https://blog.talosintelligence.com/uat-5647-romcom/
- https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
- https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
- https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
- https://github.com/rtecCyberSec/BitlockMove
- https://cert.gov.ua/article/6284080
- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection_target_root:
TargetObject|contains: '\CLSID\'
TargetObject|endswith:
- '\InprocServer32\(Default)'
- '\LocalServer32\(Default)'
selection_target_builtin_clsid:
TargetObject|contains:
# Note: Add other legitimate CLSID
- '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
- '\{2155fee3-2419-4373-b102-6843707eb41f}\'
- '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
- '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
- '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
- '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
- '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
- '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
- '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
- '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
- '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
- '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
- '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
- '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
- '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
selection_susp_location_1:
Details|contains:
# Note: Add more suspicious paths and locations
- ':\Perflogs\'
- '\AppData\Local\'
- '\Desktop\'
- '\Downloads\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- '\System32\spool\drivers\color\' # as seen in the knotweed blog
- '\Temporary Internet'
- '\Users\Public\'
- '\Windows\Temp\'
- '%appdata%'
- '%temp%'
- '%tmp%'
selection_susp_location_2:
- Details|contains|all:
- ':\Users\'
- '\Favorites\'
- Details|contains|all:
- ':\Users\'
- '\Favourites\'
- Details|contains|all:
- ':\Users\'
- '\Contacts\'
- Details|contains|all:
- ':\Users\'
- '\Pictures\'
condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
- Unlikely
level: high
high
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
status testauthor Nasreddine Bencherchali (Nextron Systems)id c74c0390-3e20-41fd-a69a-128f0275a5ea
view Sigma YAML
title: Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
id: c74c0390-3e20-41fd-a69a-128f0275a5ea
related:
- id: 59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9
type: derived
status: test
description: |
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
references:
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://www.echotrail.io/insights/search/wusa.exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-11-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_root:
Image|endswith: '\wusa.exe'
CommandLine|contains: '/extract:'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
# - '\Desktop\'
# - '\Downloads\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
status testauthor Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)id db1ac3be-f606-4e3a-89e0-9607cbe6b98a
view Sigma YAML
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
Detects the use of the "capsh" utility to invoke a shell.
references:
- https://gtfobins.github.io/gtfobins/capsh/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/capsh'
CommandLine|endswith: ' --'
condition: selection
falsepositives:
- Unknown
level: high
high
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
status testauthor Nasreddine Bencherchali (Nextron Systems)id ae6f14e6-14de-45b0-9f44-c0986f50dc89
view Sigma YAML
title: Change Default File Association To Executable Via Assoc
id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
- id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
type: derived
status: test
description: |
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- 'assoc '
- 'exefile'
filter:
CommandLine|contains: '.exe=exefile'
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
high
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
status testauthor frack113id e3fdf743-f05b-4051-990a-b66919be1743
view Sigma YAML
title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
filter:
Details|contains: NetworkService
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
status testauthor frack113id 7d9263bd-dc47-4a58-bc92-5474abab390c
view Sigma YAML
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
- https://learn.microsoft.com/en-us/windows/win32/api/winevt/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\ChannelAccess'
# Add more interesting combinations if you found them
Details|contains:
- '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
- '(A;;0x1;;;SY)' # Local System having GENERIC ALL
- '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
filter_main_trustedinstaller:
Image: 'C:\Windows\servicing\TrustedInstaller.exe'
filter_main_tiworker:
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\TiWorker.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
status testauthor frack113id 9e3357ba-09d4-4fbd-a7c5-ad6386314513
view Sigma YAML
title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detect possible persistence using Fax DLL load when service restart
references:
- https://twitter.com/dottor_morte/status/1544652325570191361
- https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Software\Microsoft\Fax\Device Providers\'
- '\ImageName'
filter:
Details: '%systemroot%\system32\fxst30.dll' # Windows 10
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Changes To PIM Settings
Detects when changes are made to PIM roles
status testauthor Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'id db6c06c4-bf3b-421c-aa88-15672b88c743
view Sigma YAML
title: Changes To PIM Settings
id: db6c06c4-bf3b-421c-aa88-15672b88c743
status: test
description: Detects when changes are made to PIM roles
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022-08-09
tags:
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Update role setting in PIM
condition: selection
falsepositives:
- Legit administrative PIM setting configuration changes
level: high