Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML of each rule follows its summary.
status: test | author: Florian Roth (Nextron Systems) | id: d26ce60c-2151-403c-9a42-49420d87b5e4
title: HackTool Service Registration or Execution
id: d26ce60c-2151-403c-9a42-49420d87b5e4
status: test
description: Detects installation or execution of services
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
    selection_service_name:
        ServiceName|contains:
            - 'cachedump'
            - 'DumpSvc'
            - 'gsecdump'
            - 'pwdump'
            - 'UACBypassedService'
            - 'WCE SERVICE'
            - 'WCESERVICE'
            - 'winexesvc'
    selection_service_image:
        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
level: high | status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: c598cc0c-9e70-4852-b9eb-8921af79f598
title: Hacktool - EDR-Freeze Execution
id: c598cc0c-9e70-4852-b9eb-8921af79f598
status: experimental
description: |
    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - '\EDR-Freeze'
            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
level: high | status: test | author: Florian Roth (Nextron Systems) | id: 37c1333a-a0db-48be-b64b-7393b2386e3b
title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
    condition: selection
falsepositives:
    - Unlikely
level: high
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by Sensepost
level: high | status: test | author: Florian Roth (Nextron Systems) | id: 24549159-ac1b-479c-8175-d42aea947cae
title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
status: test
description: This events that are generated when using the hacktool Ruler by Sensepost
references:
    - https://github.com/sensepost/ruler
    - https://github.com/sensepost/ruler/issues/47
    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
author: Florian Roth (Nextron Systems)
date: 2017-05-31
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.execution
    - attack.collection
    - attack.lateral-movement
    - attack.t1087
    - attack.t1114
    - attack.t1059
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)
falsepositives:
    - Go utilities that use staaldraad awesome NTLM library
level: high
Hidden Local User Creation
Detects the creation of a local hidden user account which should not happen for event ID 4720.
level: high | status: test | author: Christian Burkard (Nextron Systems) | id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
title: Hidden Local User Creation
id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
status: test
description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2024-01-16
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        TargetUserName|endswith: '$'
    filter_main_homegroup:
        TargetUserName: 'HomeGroupUser$'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Hide Schedule Task Via Index Value Tamper
Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique).
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
title: Hide Schedule Task Via Index Value Tamper
id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
related:
    - id: acd74772-5f88-45c7-956b-6a7b36c294d2
      type: similar
    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
      type: similar
status: test
description: |
    Detects when the "index" value of a scheduled task is modified from the registry
    Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
references:
    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Index'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unlikely
level: high
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide the user account from being listed on the logon screen.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems), frack113 | id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
title: Hiding User Account Via SpecialAccounts Registry Key
id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
related:
    - id: 8a58209c-7ae6-4027-afb0-307a78e4589a
      type: obsolete
    - id: 9ec9fb1b-e059-4489-9642-f270c207923d
      type: similar
status: test
description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-07-12
modified: 2023-01-26
tags:
    - attack.stealth
    - attack.t1564.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
Hijack Legit RDP Session to Move Laterally
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
level: high | status: test | author: Samir Bousseaden | id: 52753ea4-b3a0-4365-910d-36cff487b789
title: Hijack Legit RDP Session to Move Laterally
id: 52753ea4-b3a0-4365-910d-36cff487b789
status: test
description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
author: Samir Bousseaden
references:
    - Internal Research
date: 2019-02-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\mstsc.exe'
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unlikely
level: high
History File Deletion
Detects events in which a history file gets deleted, e.g. the ~/.bash_history, to remove traces of malicious activity
level: high | status: test | author: Florian Roth (Nextron Systems) | id: 1182f3b3-e716-4efa-99ab-d2685d04360f
title: History File Deletion
id: 1182f3b3-e716-4efa-99ab-d2685d04360f
status: test
description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/rm'
            - '/unlink'
            - '/shred'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: high
HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
level: high | status: test | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
title: HybridConnectionManager Service Installation
id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
status: test
description: Rule to detect the Hybrid Connection Manager service installation.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName: HybridConnectionManager
        ServiceFileName|contains: HybridConnectionManager
    condition: selection
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
HybridConnectionManager Service Installation - Registry
Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
level: high | status: test | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
title: HybridConnectionManager Service Installation - Registry
id: ac8866c7-ce44-46fd-8c17-b24acff96ca8
status: test
description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2022-11-27
tags:
    - attack.resource-development
    - attack.t1608
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        TargetObject|contains: '\Services\HybridConnectionManager'
    selection2:
        EventType: SetValue
        Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe'
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: high
HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
level: high | status: test | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | id: b55d23e5-6821-44ff-8a6e-67218891e49f
title: HybridConnectionManager Service Running
id: b55d23e5-6821-44ff-8a6e-67218891e49f
status: test
description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2024-08-05
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    service: microsoft-servicebus-client # Change to servicebus-client once validators are up to date
detection:
    selection:
        EventID:
            - 40300
            - 40301
            - 40302
    keywords:
        - 'HybridConnection'
        - 'sb://'
        - 'servicebus.windows.net'
        - 'HybridConnectionManage'
    condition: selection and keywords
falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
level: high
Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 7f2954d2-99c2-4d42-a065-ca36740f187b
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
level: high | status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
      type: similar
status: experimental
description: |
    Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si ' # SetItem Alias
    selection_cli_base:
        CommandLine|contains: '\DeviceGuard'
    selection_cli_key:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'HypervisorEnforcedCodeIntegrity'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea) | id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
related:
    - id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems), Michael Haag (idea)
date: 2023-09-05
tags:
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
        TargetObject|endswith:
            - '\http'
            - '\https'
        Details|contains: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
title: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
id: 10344bb3-7f65-46c2-b915-2d00d47be5b0
related:
    - id: 3fd4c8d7-8362-4557-a8e6-83b29cc0d724
      type: similar
status: test
description: |
    Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
references:
    - https://twitter.com/M_haggis/status/1699056847154725107
    - https://twitter.com/JAMESWT_MHT/status/1699042827261391247
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
    - https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
            - 'http'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high
ISO File Created Within Temp Folders
Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
level: high | status: test | author: @sam0x90 | id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
references:
    - https://twitter.com/Sam0x90/status/1552011547974696960
    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip\'
        TargetFilename|endswith: '.iso'
    selection_2:
        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
        TargetFilename|endswith: '.iso'
    condition: 1 of selection*
falsepositives:
    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high
ImagingDevices Unusual Parent/Child Processes
Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: f11f2808-adb4-46c0-802a-8660db50fa99
title: ImagingDevices Unusual Parent/Child Processes
id: f11f2808-adb4-46c0-802a-8660db50fa99
status: test
description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2022-12-29
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more if known
            - \WmiPrvSE.exe
            - \svchost.exe
            - \dllhost.exe
        Image|endswith: '\ImagingDevices.exe'
    selection_child:
        # You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
        ParentImage|endswith: '\ImagingDevices.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
level: high | status: test | author: Bhabesh Raj | id: 32d56ea1-417f-44ff-822b-882873f5f43b
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|contains:
            - 'RemCom_stdin'
            - 'RemCom_stdout'
            - 'RemCom_stderr'
    condition: selection1
falsepositives:
    - Unknown
level: high
Important Scheduled Task Deleted or Disabled
Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
level: high | status: test | author: frack113 | id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
title: Important Scheduled Task Deleted or Disabled
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
status: test
description: |
    Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023-01-13
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 141 # Task Deleted
            - 142 # Task Disabled
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter_main_user:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-03-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID:
            - 4699 # Task Deleted Event
            - 4701 # Task Disabled Event
        TaskName|contains:
            # Add more important tasks
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\Schedule'
            - '\Windows\ExploitGuard'
    filter_main_defender_update:
        EventID: 4699
        SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
        TaskName|contains: '\Windows\Windows Defender\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
level: high | status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
      type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection_state_success_and_failure:
        EventID: 4719
        SubcategoryGuid:
            # Note: Add or remove GUID as you see fit in your env
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    selection_state_success_only:
        EventID: 4719
        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
        AuditPolicyChanges|contains: '%%8448'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high
Important Windows Eventlog Cleared
Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution
status test | author Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | id 100ef69e-3327-481c-8e5c-6d80d9507556
title: Important Windows Eventlog Cleared
id: 100ef69e-3327-481c-8e5c-6d80d9507556
related:
- id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
type: derived
status: test
description: Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution
references:
- https://twitter.com/deviouspolack/status/832535435960209408
- https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-17
modified: 2023-11-15
tags:
- attack.defense-impairment
- attack.t1685.005
- car.2016-04-002
logsource:
product: windows
service: system
detection:
selection:
EventID: 104
Provider_Name: 'Microsoft-Windows-Eventlog'
Channel:
- 'Microsoft-Windows-PowerShell/Operational'
- 'Microsoft-Windows-Sysmon/Operational'
- 'PowerShellCore/Operational'
- 'Security'
- 'System'
- 'Windows PowerShell'
condition: selection
falsepositives:
- Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
- System provisioning (system reset before the golden image creation)
level: high
high
Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
status test | author Nasreddine Bencherchali (Nextron Systems) | id 56abae0c-6212-4b97-adc0-0b559bb950c3
title: Important Windows Service Terminated Unexpectedly
id: 56abae0c-6212-4b97-adc0-0b559bb950c3
status: test
description: Detects important or interesting Windows services that got terminated unexpectedly.
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
- attack.stealth
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7034 # The X service terminated unexpectedly. It has done this Y time(s).
selection_name:
# Note that the names contained in "param1" are "Display Names" and are language specific. If you're using a non-English system, these can and will be different
- param1|contains: 'Message Queuing'
# Use this if you collect the binary value provided by this event, which is the wide hex-encoded value of the service name.
- Binary|contains:
- '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case
- '6d0073006d007100' # msmq
condition: all of selection_*
falsepositives:
- Rare false positives could occur since service termination could happen due to multiple reasons
level: high
high
Important Windows Service Terminated With Error
Detects important or interesting Windows services that got terminated for whatever reason
status test | author Nasreddine Bencherchali (Nextron Systems) | id d6b5520d-3934-48b4-928c-2aa3f92d6963
title: Important Windows Service Terminated With Error
id: d6b5520d-3934-48b4-928c-2aa3f92d6963
related:
- id: acfa2210-0d71-4eeb-b477-afab494d596c
type: similar
status: test
description: Detects important or interesting Windows services that got terminated for whatever reason
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-14
tags:
- attack.stealth
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7023 # The X Service service terminated with the following error
selection_name:
- param1|contains:
# Note that these names are "Display Names" and are language specific. If you're using a non-English system, these can and will be different
- ' Antivirus'
- ' Firewall'
- 'Application Guard'
- 'BitLocker Drive Encryption Service'
- 'Encrypting File System'
- 'Microsoft Defender'
- 'Threat Protection'
- 'Windows Event Log'
# Use this if you collect the binary value provided by this event, which is the wide hex-encoded value of the service name.
- Binary|contains:
- '770069006e0064006500660065006e006400' # windefend (Microsoft Defender Antivirus Service)
- '4500760065006e0074004c006f006700' # EventLog
- '6d0070007300730076006300' # mpssvc (Windows Defender Firewall)
- '530065006e0073006500' # Sense (Windows Defender Advanced Threat Protection Service)
- '450046005300' # EFS (Encrypting File System)
- '420044004500530056004300' # BDESVC (BitLocker Drive Encryption Service)
condition: all of selection_*
falsepositives:
- Rare false positives could occur since service termination could happen due to multiple reasons
level: high
high
Imports Registry Key From an ADS
Detects the import of an alternate data stream to the registry with regedit.exe.
status test | author Oddvar Moe, Sander Wiebing, oscd.community | id 0b80ade5-6997-4b1d-99a1-71701778ea61
title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: similar
status: test
description: Detects the import of an alternate data stream to the registry with regedit.exe.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli:
CommandLine|contains:
- ' /i '
- '.reg'
CommandLine|re: ':[^ \\]'
filter:
CommandLine|contains|windash:
- ' -e '
- ' -a '
- ' -c '
condition: all of selection_* and not filter
falsepositives:
- Unknown
level: high
high
Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
status test | author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | id b2572bf9-e20a-4594-b528-40bde666525a
title: Impossible Travel
id: b2572bf9-e20a-4594-b528-40bde666525a
status: test
description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'impossibleTravel'
condition: selection
falsepositives:
- Connecting to a VPN, performing activity and then dropping and performing additional activity.
level: high
high
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
status test | author Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) | id 2d2f44ff-4611-4778-a8fc-323a0e9850cc
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: test
description: |
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
- https://gtfobins.github.io/gtfobins/python/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli:
CommandLine|contains|all:
- ' -c '
- 'os.system('
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Installation of WSL Kali-Linux
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
status experimental | author Swachchhanda Shrawan Poudel (Nextron Systems) | id eca8ae39-5c3c-4321-b538-9e64fe25822e
title: Installation of WSL Kali-Linux
id: eca8ae39-5c3c-4321-b538-9e64fe25822e
status: experimental
description: |
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL).
Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
references:
- https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
- https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_wsl_img:
- Image|endswith: '\wsl.exe'
- OriginalFileName: 'wsl'
selection_wsl_install:
CommandLine|contains:
- ' --install '
- ' -i '
selection_wsl_kali:
CommandLine|contains: 'kali'
condition: all of selection_wsl_*
falsepositives:
- Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high
high
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
status test | author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | id 60fc936d-2eb0-4543-8a13-911c750a1dfc
title: Interactive AT Job
id: 60fc936d-2eb0-4543-8a13-911c750a1dfc
status: test
description: Detects an interactive AT job, which may be used as a form of privilege escalation.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
- https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1053.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\at.exe'
CommandLine|contains: 'interactive'
condition: selection
falsepositives:
- Unlikely (at.exe deprecated as of Windows 8)
level: high
simulation:
- type: atomic-red-team
name: At.exe Scheduled task
technique: T1053.002
atomic_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
high
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
status test | author Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo' | id 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
title: Invalid PIM License
id: 58af08eb-f9e1-43c8-9805-3ad9b0482bd8
status: test
description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
references:
- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-14
tags:
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
logsource:
product: azure
service: pim
detection:
selection:
riskEventType: 'invalidLicenseAlertIncident'
condition: selection
falsepositives:
- Investigate if licenses have expired.
level: high
high
Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
status test | author Jonathan Cheong, oscd.community | id b222df08-0e07-11eb-adc1-0242ac120002
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
status test | author Daniel Bohannon (@Mandiant/@FireEye), oscd.community | id 2f211361-7dce-442d-b78a-c04039677378
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_payload:
- Payload|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- Payload|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- Payload|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- Payload|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- Payload|re: '\*mdr\*\W\s*\)\.Name'
- Payload|re: '\$VerbosePreference\.ToString\('
- Payload|re: '\[String\]\s*\$VerbosePreference'
condition: selection_payload
falsepositives:
- Unknown
level: high
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test | author Daniel Bohannon (@Mandiant/@FireEye), oscd.community | id fd0f5778-d3cb-4c9a-9695-66759d04702a
title: Invoke-Obfuscation Obfuscated IEX Invocation - Security
id: fd0f5778-d3cb-4c9a-9695-66759d04702a
related:
- id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
type: derived
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
selection_eid:
EventID: 4697
selection_servicefilename:
- ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ServiceFileName|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ServiceFileName|re: '\*mdr\*\W\s*\)\.Name'
- ServiceFileName|re: '\$VerbosePreference\.ToString\('
- ServiceFileName|re: '\[String\]\s*\$VerbosePreference'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
status test | author Daniel Bohannon (@Mandiant/@FireEye), oscd.community | id 51aa9387-1c53-4153-91cc-d73c59ae1ca9
title: Invoke-Obfuscation Obfuscated IEX Invocation - System
id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
date: 2019-11-08
modified: 2022-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
service: system
detection:
selection_eid:
EventID: 7045
selection_imagepath:
- ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\['
- ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\['
- ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\['
- ImagePath|re: '\$env:ComSpec\[(\s*\d{1,3}\s*,){2}'
- ImagePath|re: '\*mdr\*\W\s*\)\.Name'
- ImagePath|re: '\$VerbosePreference\.ToString\('
- ImagePath|re: '\[String\]\s*\$VerbosePreference'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Invoke-Obfuscation STDIN+ Launcher
Detects Obfuscated use of stdin to execute PowerShell
status test | author Jonathan Cheong, oscd.community | id 6c96fc76-0eb1-11eb-adc1-0242ac120002
title: Invoke-Obfuscation STDIN+ Launcher
id: 6c96fc76-0eb1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of stdin to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 25)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-15
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Example 1: c:\windows\sYstEm32\CmD.eXE /C"echO\Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -NoEXiT -"
# Example 2: c:\WiNDOws\sysTEm32\cmd.EXe /C " ECHo Invoke-Expression (New-Object Net.WebClient).DownloadString | POwersHELl -nol ${EXEcUtIONCONTeXT}.INvOkEComMANd.InvOKEScRIPt( $InpUt )"
CommandLine|re: 'cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
condition: selection
falsepositives:
- Unknown
level: high