Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
status testauthor Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)id c39f0c81-7348-4965-ab27-2fde35a1b641
view Sigma YAML
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1021.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
status testauthor Dimitrios Slamarisid 9d3436ef-9476-4c43-acca-90ce06bdf33a
view Sigma YAML
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1574.001
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Services\DHCPServer\Parameters\CalloutDlls'
- '\Services\DHCPServer\Parameters\CalloutEnabled'
condition: selection
falsepositives:
- Unknown
level: high
high
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
status testauthor Dimitrios Slamaris, @atc_project (fix)id 75edd3fd-7146-48e5-9848-3013d7f0282c
view Sigma YAML
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 1031
- 1032
- 1034
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
high
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
status testauthor Dimitrios Slamarisid 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
view Sigma YAML
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
- https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
- https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
- https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: system
detection:
selection:
EventID: 1033
Provider_Name: Microsoft-Windows-DHCP-Server
condition: selection
falsepositives:
- Unknown
level: high
high
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
status testauthor Florian Roth (Nextron Systems)id b3503044-60ce-4bf4-bbcb-e3db98788823
view Sigma YAML
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
- https://blog.xpnsec.com/exploring-mimikatz-part-1/
- https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1547.008
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
- '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
filter_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
Details:
- '%%systemroot%%\system32\ntdsa.dll'
- '%%systemroot%%\system32\lsadb.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
high
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
status testauthor Nasreddine Bencherchali (Nextron Systems)id 75e508f7-932d-4ebc-af77-269237a84ce1
view Sigma YAML
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1218.003
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\cmstp.exe'
ImageLoaded|contains:
# Add more suspicious paths as you see fit in your env
- '\PerfLogs\'
- '\ProgramData\'
- '\Users\'
- '\Windows\Temp\'
- 'C:\Temp\'
ImageLoaded|endswith:
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unikely
level: high
high
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id b6f91281-20aa-446a-b986-38a92813a18f
view Sigma YAML
title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
- https://twitter.com/cyb3rops/status/1552932770464292864
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith:
- 'C:\Windows \'
- 'C:\Program Files \'
- 'C:\Program Files (x86) \'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
high
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
status testauthor Nasreddine Bencherchali (Nextron Systems)id ee4c5d06-3abc-48cc-8885-77f1c20f4451
view Sigma YAML
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
- id: e173ad47-4388-4012-ae62-bd13f71c18a8
type: similar
status: test
description: |
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
# The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
ImageLoaded|endswith: '\ShellChromeAPI.dll'
condition: selection
falsepositives:
- Unknown
level: high
high
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
status testauthor Nasreddine Bencherchali (Nextron Systems)id ebea773c-a8f1-42ad-a856-00cb221966e8
view Sigma YAML
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\VMwareXferlogs.exe'
filter: # VMware might be installed in another path so update the rule accordingly
Image|startswith: 'C:\Program Files\VMware\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
high
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
status testauthor Daniil Yugoslavskiy, oscd.communityid 98a96a5a-64a0-4c42-92c5-489da3866cb0
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
status testauthor Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)id 7bd3902d-8b8b-4dd4-838a-c6862d40150d
view Sigma YAML
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
- https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
- attack.persistence
- attack.t1554
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'servicebus.windows.net'
Image|contains: 'HybridConnectionManager'
condition: selection
falsepositives:
- Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
high
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
status testauthor frack113id b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id c082c2b0-525b-4dbc-9a26-a57dc4692074
view Sigma YAML
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
high
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
status testauthor Nasreddine Bencherchali (Nextron Systems)id 29f171d7-aa47-42c7-9c7b-3c87938164d9
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
- id: 065cceea-77ec-4030-9052-fc0affea7110
type: similar
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
high
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
status testauthor pH-T (Nextron Systems)id 065cceea-77ec-4030-9052-fc0affea7110
view Sigma YAML
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
- id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
type: similar
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: '.anonfiles.com'
condition: selection
falsepositives:
- Rare legitimate access to anonfiles.com
level: high
high
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
status testauthor Florian Roth (Nextron Systems), Matt Kelly (list of domains)id aff715fa-4dd5-497a-8db3-910bea555566
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
status testauthor Florian Roth (Nextron Systems)id cbe51394-cd93-4473-b555-edf0144952d9
view Sigma YAML
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: dns-server
detection:
selection:
EventID:
- 150
- 770
- 771
condition: selection
falsepositives:
- Unknown
level: high
high
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
status testauthor Markus Neisid 8ae51330-899c-4641-8125-e39f2e07da72
view Sigma YAML
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
- https://twitter.com/stvemillertime/status/1024707932447854592
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
record_type: 'TXT'
answer|contains:
- 'IEX'
- 'Invoke-Expression'
- 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: high
high
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
status testauthor Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)id 7892ec59-c5bb-496d-8968-e5d210ca3ac4
view Sigma YAML
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
- https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.credential-access
- attack.t1555
- attack.t1552.004
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- 'ntds_capi_'
- 'ntds_legacy_'
- 'ntds_unknown_'
TargetFilename|endswith:
- '.cer'
- '.key'
- '.pfx'
- '.pvk'
condition: selection
falsepositives:
- Unlikely
level: high
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status testauthor Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiriid 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
view Sigma YAML
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 846c7a87-8e14-4569-9d49-ecfd4276a01c
view Sigma YAML
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
- id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
high
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
status testauthor Bhabesh Rajid 7100f7e3-92ce-4584-b7b7-01b40d3d4118
view Sigma YAML
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
status: test
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
references:
- https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021-06-23
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.s0154
logsource:
product: zeek
service: x509
detection:
selection:
certificate.serial: 8BB00EE
condition: selection
falsepositives:
- Unknown
level: high
high
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
status testauthor frack113id 509e84b9-a71a-40e0-834f-05470369bd1e
view Sigma YAML
title: Default RDP Port Changed to Non Standard Port
id: 509e84b9-a71a-40e0-834f-05470369bd1e
status: test
description: |
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md
author: frack113
date: 2022-01-01
modified: 2024-03-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.010
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
filter_main_port:
Details: DWORD (0x00000d3d) # 3389
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml
simulation:
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Powershell
technique: T1021.001
atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
- type: atomic-red-team
name: Changing RDP Port to Non Standard Port via Command_Prompt
technique: T1021.001
atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
high
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
status testauthor Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'id a6355fbe-f36f-45d8-8efc-ab42465cbc52
view Sigma YAML
title: Delegated Permissions Granted For All Users
id: a6355fbe-f36f-45d8-8efc-ab42465cbc52
status: test
description: Detects when highly privileged delegated permissions are granted on behalf of all users
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
tags:
- attack.credential-access
- attack.t1528
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add delegated permission grant
condition: selection
falsepositives:
- When the permission is legitimately needed for the app
level: high
high
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 220457c1-1c9f-4c2e-afe6-9598926222c1
view Sigma YAML
title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /delete '
- '/tn \*'
- ' /f'
condition: selection
falsepositives:
- Unlikely
level: high
high
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
status testauthor Nasreddine Bencherchali (Nextron Systems)id dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
view Sigma YAML
title: Delete Important Scheduled Task
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
related:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
status: test
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2026-03-11
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_delete:
CommandLine|contains|windash: '/delete'
selection_cli_task:
CommandLine|contains:
# Add more important tasks
- '\Windows\BitLocker'
- '\Windows\ExploitGuard'
- '\Windows\SystemRestore\SR'
- '\Windows\UpdateOrchestrator\'
- '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
high
Delete Volume Shadow Copies Via WMI With PowerShell
Shadow Copies deletion using operating systems utilities via PowerShell
status stableauthor frack113id 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
view Sigma YAML
title: Delete Volume Shadow Copies Via WMI With PowerShell
id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
status: stable
description: Shadow Copies deletion using operating systems utilities via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md
- https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
author: frack113
date: 2021-06-03
modified: 2023-10-27
tags:
- attack.impact
- attack.t1490
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains|all:
- 'Get-WmiObject'
- 'Win32_ShadowCopy'
Data|contains:
- 'Delete()'
- 'Remove-WmiObject'
condition: selection
falsepositives:
- Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
level: high
high
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
status testauthor Tim Rauch, Elastic (idea)id 21ff4ca9-f13a-41ad-b828-0077b2af2e40
view Sigma YAML
title: Deletion of Volume Shadow Copies via WMI with PowerShell
id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: c1337eb8-921a-4b59-855b-4ba188ddcc42
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-20
modified: 2022-12-30
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_get:
CommandLine|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
CommandLine|contains: 'Win32_ShadowCopy'
selection_delete:
CommandLine|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high
high
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
status testauthor Tim Rauch, frack113id c1337eb8-921a-4b59-855b-4ba188ddcc42
view Sigma YAML
title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
id: c1337eb8-921a-4b59-855b-4ba188ddcc42
related:
- id: e17121b4-ef2a-4418-8a59-12fb1631fa9e
type: derived
- id: 21ff4ca9-f13a-41ad-b828-0077b2af2e40
type: similar
status: test
description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
author: Tim Rauch, frack113
date: 2022-09-20
modified: 2022-12-02
tags:
- attack.impact
- attack.t1490
logsource:
category: ps_script
product: windows
detection:
selection_get:
ScriptBlockText|contains:
- 'Get-WmiObject'
- 'gwmi'
- 'Get-CimInstance'
- 'gcim'
selection_shadowcopy:
ScriptBlockText|contains: 'Win32_ShadowCopy'
selection_delete:
ScriptBlockText|contains:
- '.Delete()'
- 'Remove-WmiObject'
- 'rwmi'
- 'Remove-CimInstance'
- 'rcim'
condition: all of selection*
falsepositives:
- Unknown
level: high
high
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
status testauthor Jonhnathan Ribeiro, oscd.communityid 99cf1e02-00fb-4c0d-8375-563f978dfd37
view Sigma YAML
title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
related:
- id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
type: similar
- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
type: similar
status: test
description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
references:
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
author: Jonhnathan Ribeiro, oscd.community
date: 2020-10-16
modified: 2023-02-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sdset:
CommandLine|contains|all:
- 'sdset'
- 'D;' # Deny Access
selection_trustee:
CommandLine|contains:
- ';IU' # Interactively logged-on user
- ';SU' # Service logon user
- ';BA' # Built-in administrators
- ';SY' # Local system
- ';WD' # Everyone
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
status experimentalauthor Matt Anderson, Dray Agha, Anna Pham (Huntress)id 85f520e7-6f5e-43ca-874c-222e5bf9c0de
view Sigma YAML
title: Devcon Execution Disabling VMware VMCI Device
id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
status: experimental
description: |
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
- https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
- https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
- https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1543.003
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\devcon.exe'
- OriginalFileName: 'DevCon.exe'
selection_action:
CommandLine|contains: ' disable '
selection_vmci_pci:
CommandLine|contains:
- '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
- 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
condition: all of selection_*
falsepositives:
- Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
- Automated scripts in virtualized environments for device cleanup.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
high
Devtoolslauncher.exe Executes Specified Binary
The Devtoolslauncher.exe executes other binary
status testauthor Beyu Denis, oscd.community (rule), @_felamos (idea)id cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
view Sigma YAML
title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
- https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\devtoolslauncher.exe'
CommandLine|contains: 'LaunchForDeploy'
condition: selection
falsepositives:
- Legitimate use of devtoolslauncher.exe by legitimate user
level: high
high
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
status testauthor Greg (rule)id ec8c4047-fad9-416a-8c81-0f479353d7f6
view Sigma YAML
title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: test
description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
references:
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
author: Greg (rule)
date: 2022-06-17
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1202
- cve.2022-30190
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
ImageLoaded|endswith: '\sdiageng.dll'
condition: selection
falsepositives:
- Unknown
level: high
high
Directory Service Restore Mode(DSRM) Registry Value Tampering
Detects changes to "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
status testauthor Nischal Khadgiid b61e87c0-50db-4b2e-8986-6a2be94b33b0
view Sigma YAML
title: Directory Service Restore Mode(DSRM) Registry Value Tampering
id: b61e87c0-50db-4b2e-8986-6a2be94b33b0
related:
- id: 53ad8e36-f573-46bf-97e4-15ba5bf4bb51
type: similar
status: test
description: |
Detects changes to "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
references:
- https://adsecurity.org/?p=1785
- https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/
- https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
author: Nischal Khadgi
date: 2024-07-11
tags:
- attack.credential-access
- attack.persistence
- attack.defense-impairment
- attack.t1556
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\Lsa\DsrmAdminLogonBehavior'
filter_main_default_value:
Details: 'DWORD (0x00000000)' # Default value
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems), X__Juniorid 9ac94dc8-9042-493c-ba45-3b5e7c86b980
view Sigma YAML
title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
related:
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
status: test
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2021-12-26
modified: 2026-03-11
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_disable:
CommandLine|contains|windash: '/disable'
selection_cli_task:
CommandLine|contains:
# Add more important tasks
- '\Windows\BitLocker'
- '\Windows\ExploitGuard'
- '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'
- '\Windows\SystemRestore\SR'
- '\Windows\UpdateOrchestrator\'
- '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
high
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status testauthor Nasreddine Bencherchali (Nextron Systems)id ab871450-37dc-4a3a-997f-6662aa8ae0f1
view Sigma YAML
title: Disable Macro Runtime Scan Scope
id: ab871450-37dc-4a3a-997f-6662aa8ae0f1
description: Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
status: test
date: 2022-10-25
modified: 2023-08-17
author: Nasreddine Bencherchali (Nextron Systems)
references:
- https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
- https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope
- https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\'
- '\Microsoft\Office\'
- '\Common\Security'
TargetObject|endswith: '\MacroRuntimeScanScope'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Unknown
level: high
high
Disable PUA Protection on Windows Defender
Detects disabling Windows Defender PUA protection
status testauthor Austin Songer @austinsongerid 8ffc5407-52e3-478f-9596-0a7371eafe13
view Sigma YAML
title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
status: test
description: Detects disabling Windows Defender PUA protection
references:
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
high
Disable Powershell Command History
Detects scripts or commands that disabled the Powershell command history by removing psreadline module
status testauthor Ali Alwashaliid 602f5669-6927-4688-84db-0d4b7afb2150
view Sigma YAML
title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: test
description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
references:
- https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022-08-21
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Remove-Module
- psreadline
condition: selection
falsepositives:
- Legitimate script that disables the command history
level: high
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
status testauthor Ilyas Ochkov, oscd.communityid 919f2ef0-be2d-4a7a-b635-eb2b41fde044
view Sigma YAML
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
- https://twitter.com/0gtweet/status/1182516740955226112
- https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1685.001
- attack.t1112
- car.2022-03-001
logsource:
category: registry_event
product: windows
detection:
selection:
# Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
- TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
EventType: 'CreateKey' # we don't want deletekey
# key rename
- NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
condition: selection
falsepositives:
- Unknown
level: high
high
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
status testauthor Pawel Mazurid 53059bc0-1472-438b-956a-7508a94a91f0
view Sigma YAML
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
- https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022-01-22
tags:
- attack.defense-impairment
- attack.t1686
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SERVICE_STOP'
unit:
- 'firewalld'
- 'iptables'
- 'ufw'
condition: selection
falsepositives:
- Admin activity
level: high
high
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
status testauthor ok @securonix invrep-de, oscd.community, frack113id a7ee1722-c3c5-aeff-3212-c777e4733217
view Sigma YAML
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
- https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
- https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pwsh_binary:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- '-DisableBehaviorMonitoring $true'
- '-DisableRuntimeMonitoring $true'
selection_sc_binary:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_sc_tamper_cmd_stop:
CommandLine|contains|all:
- 'stop'
- 'WinDefend'
selection_sc_tamper_cmd_delete:
CommandLine|contains|all:
- 'delete'
- 'WinDefend'
selection_sc_tamper_cmd_disabled:
CommandLine|contains|all:
- 'config'
- 'WinDefend'
- 'start=disabled'
condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
- 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
high
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
status testauthor AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudelid 0eb46774-f1ab-4a74-8238-1155855f2263
view Sigma YAML
title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
- id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
type: obsolete
- id: fd115e64-97c7-491f-951c-fc8da7e042fa
type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
- https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
- https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
- https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
- https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows Defender\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
- '\SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_1:
TargetObject|endswith:
- '\DisableAntiSpyware'
- '\DisableAntiVirus'
- '\DisableBehaviorMonitoring'
- '\DisableBlockAtFirstSeen'
- '\DisableEnhancedNotifications'
- '\DisableIntrusionPreventionSystem'
- '\DisableIOAVProtection'
- '\DisableOnAccessProtection'
- '\DisableRealtimeMonitoring'
- '\DisableScanOnRealtimeEnable'
- '\DisableScriptScanning'
Details: 'DWORD (0x00000001)'
selection_dword_0:
TargetObject|endswith:
- '\DisallowExploitProtectionOverride'
- '\Features\TamperProtection'
- '\MpEngine\MpEnablePus'
- '\PUAProtection'
- '\Signature Update\ForceUpdateFromMU'
- '\SpyNet\SpynetReporting'
- '\SpyNet\SubmitSamplesConsent'
- '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
Details: 'DWORD (0x00000000)'
filter_optional_symantec:
Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
Image|endswith: '\sepWscSvc64.exe'
condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
- Administrator actions via the Windows Defender interface
- Third party Antivirus
level: high
high
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 2f78da12-f7c7-430b-8b19-a28f269b77a3
view Sigma YAML
title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
- https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
TargetObject|endswith: '\Enabled'
Details: 'DWORD (0x00000000)'
filter_main_wevutil:
Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
filter_main_iis:
Image|startswith: 'C:\Windows\winsxs\'
Image|endswith: '\TiWorker.exe' # Many different TargetObjects
filter_main_svchost:
Image: 'C:\Windows\System32\svchost.exe'
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
filter_main_trusted_installer:
Image: C:\Windows\servicing\TrustedInstaller.exe
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
Image: ''
filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
level: high
high
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
status testauthor frack113id e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
view Sigma YAML
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'set'
- 'config'
- 'section:httplogging'
- 'dontLog:true'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
status testauthor Nasreddine Bencherchali (Nextron Systems)id 115fdba9-f017-42e6-84cf-d5573bf2ddf8
view Sigma YAML
title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
- id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
type: derived
status: test
description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
references:
- https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- car.2016-04-002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_pwsh_remove: # Autologger provider removal
ScriptBlockText|contains: 'Remove-EtwTraceProvider '
selection_pwsh_set: # Provider “Enable” property modification
ScriptBlockText|contains|all:
- 'Set-EtwTraceProvider '
- '0x11'
condition: 1 of selection*
falsepositives:
- Unknown
level: high