Home/Sigma rules
Sigma

Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,345
medium
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id a80f662f-022f-4429-9b8c-b1a41aaa6688
view Sigma YAML 
title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    ie:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Internet Explorer'
            - '\Software\Microsoft\Internet Explorer'
    ie_details:
        TargetObject|contains:
            - '\Toolbar'
            - '\Extensions'
            - '\Explorer Bars'
    filter_empty:
        Details: '(Empty)'
    filter_extensions:
        TargetObject|contains:
            - '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
            - '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
            - '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
            - '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
    filter_toolbar:
        TargetObject|endswith:
            - '\Toolbar\ShellBrowser\ITBar7Layout'
            - '\Toolbar\ShowDiscussionButton'
            - '\Toolbar\Locked'
    condition: ie and ie_details and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
status test author Nasreddine Bencherchali (Nextron Systems) id ab567429-1dfb-4674-b6d2-979fd2f9d125
view Sigma YAML 
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
    Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
    - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
        Details:
            - 'DWORD (0x00000001)' # Home Page
            - 'DWORD (0x00000002)' # Welcome To IE
    filter_main_generic:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\System32\ie4uinit.exe'
    filter_optional_avira:
        Image|contains|all:
            - '\Temp\'
            - '\.cr\avira_'
        Details|contains: 'DWORD (0x00000001)'
    filter_optional_foxit:
        Image:
            - 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
            - 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
        Details|contains: 'DWORD (0x00000001)'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
medium
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
status test author Thomas Patzke id 2afafd61-6aae-4df4-baed-139fa1f4c345
view Sigma YAML 
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\ntdsutil.exe'
    condition: selection
falsepositives:
    - NTDS maintenance
level: medium
medium
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
view Sigma YAML 
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        CommandLine|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
            - 'readtoend('
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 20e5497e-331c-4cd5-8d36-935f6e2a9a07
view Sigma YAML 
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        ScriptBlockText|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        ScriptBlockText|endswith: 'readtoend'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
view Sigma YAML 
title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1
related:
    - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
        Payload|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
        Payload|endswith: 'readtoend'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 7a922f1b-2635-4d6c-91ef-af228b198ad3
view Sigma YAML 
title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security
id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
      type: derived
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
status test author Timur Zinniatullin, oscd.community id 175997c5-803c-4b08-8bb0-70b099f47595
view Sigma YAML 
title: Invoke-Obfuscation COMPRESS OBFUSCATION - System
id: 175997c5-803c-4b08-8bb0-70b099f47595
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
        ImagePath|contains:
            - ':system.io.compression.deflatestream'
            - 'system.io.streamreader'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
view Sigma YAML 
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4104
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id a23791fe-8846-485a-b16b-ca691e1b03d4
view Sigma YAML 
title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
id: a23791fe-8846-485a-b16b-ca691e1b03d4
related:
    - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection_4103
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
view Sigma YAML 
title: Invoke-Obfuscation RUNDLL LAUNCHER - Security
id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca
related:
    - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
      type: derived
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Invoke-Obfuscation RUNDLL LAUNCHER - System
Detects Obfuscated Powershell via RUNDLL LAUNCHER
status test author Timur Zinniatullin, oscd.community id 11b52f18-aaec-4d60-9143-5dd8cc4706b9
view Sigma YAML 
title: Invoke-Obfuscation RUNDLL LAUNCHER - System
id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
status: test
description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task 23)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
            - 'shellexec_rundll'
            - 'powershell'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
status test author Nasreddine Bencherchali (Nextron Systems) id 2316929c-01aa-438c-970f-099145ab1ee6
view Sigma YAML 
title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: test
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
    - https://github.com/MythicAgents/typhon/
    - https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
    - https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-22
tags:
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        ParentImage|endswith: '/jamf'
        Image|endswith:
            # Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
            - '/bash'
            - '/sh'
    condition: selection
falsepositives:
    - Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium
medium
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
status test author Florian Roth (Nextron Systems) id 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
view Sigma YAML 
title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
    - https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
    - attack.t1203
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_jdwp_transport:
        CommandLine|contains: 'transport=dt_socket,address='
    selection_old_jvm_version:
        CommandLine|contains:
            - 'jre1.'
            - 'jdk1.'
    exclusion:
        CommandLine|contains:
            - 'address=127.0.0.1'
            - 'address=localhost'
    condition: all of selection_* and not exclusion
falsepositives:
    - Unknown
level: medium
medium
Kerberoasting Activity - Initial Query
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
status test author @kostastsale id d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
view Sigma YAML 
title: Kerberoasting Activity - Initial Query
id: d04ae2b8-ad54-4de0-bd87-4bc1da66aa59
status: test
description: |
    This rule will collect the data needed to start looking into possible kerberoasting activity.
    Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
    You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
references:
    - https://www.trustedsec.com/blog/art_of_kerberoast/
    - https://adsecurity.org/?p=3513
author: '@kostastsale'
date: 2022-01-21
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        Status: '0x0' # Translated as status from failure code field. Query only for successes
        TicketEncryptionType: '0x17' # RC4 ticket encryption type
    filter_main_krbtgt:
        ServiceName|endswith:
            - 'krbtgt' # Ignore requests for the krbtgt service
            - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
    filter_main_machine_accounts:
        TargetUserName|contains: '$@' # Ignore requests from machines
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legacy applications.
level: medium
medium
Kerberos Network Traffic RC4 Ticket Encryption
Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
status test author sigma id 503fe26e-b5f2-4944-a126-eab405cc06e5
view Sigma YAML 
title: Kerberos Network Traffic RC4 Ticket Encryption
id: 503fe26e-b5f2-4944-a126-eab405cc06e5
status: test
description: Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
references:
    - https://adsecurity.org/?p=3458
author: sigma
date: 2020-02-12
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: zeek
    service: kerberos
detection:
    selection:
        request_type: 'TGS'
        cipher: 'rc4-hmac'
    computer_acct:
        service|startswith: '$'
    condition: selection and not computer_acct
falsepositives:
    - Normal enterprise SPN requests activity
level: medium
medium
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
status test author kelnage id eed82177-38f5-4299-8a76-098d50d225ab
view Sigma YAML 
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
medium
Kubernetes CronJob/Job Modification
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
status test author kelnage id 0c9b3bda-41a6-4442-9345-356ae86343dc
view Sigma YAML 
title: Kubernetes CronJob/Job Modification
id: 0c9b3bda-41a6-4442-9345-356ae86343dc
related:
    - id: cd3a808c-c7b7-4c50-a2f3-f4cfcd436435
      type: similar
status: test
description: |
    Detects when a Kubernetes CronJob or Job is created or modified.
    A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule.
    An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
author: kelnage
date: 2024-07-11
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'batch'
        objectRef.resource:
            - 'cronjobs'
            - 'jobs'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Job or CronJob may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
medium
Kubernetes Events Deleted
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
status test author Leo Tsaousis (@laripping) id 3132570d-cab2-4561-9ea6-1743644b2290
view Sigma YAML 
title: Kubernetes Events Deleted
id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
    - id: 225d8b09-e714-479c-a0e4-55e6f29adf35
      type: derived
status: test
description: |
    Detects when events are deleted in Kubernetes.
    An adversary may delete Kubernetes events in an attempt to evade detection.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'delete'
        objectRef.resource: 'events'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Kubernetes Potential Enumeration Activity
Detects potential Kubernetes enumeration or attack activity via the audit log. This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests. Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
status experimental author uniqu3-us3r id 597a7e84-187d-458b-9e4f-2f5a0e676711
view Sigma YAML 
title: Kubernetes Potential Enumeration Activity
id: 597a7e84-187d-458b-9e4f-2f5a0e676711
status: experimental
description: |
    Detects potential Kubernetes enumeration or attack activity via the audit log.
    This includes the execution of common shells, utilities, or specialized tools like 'Rakkess' (access_matrix) and 'TruffleHog' via Kubernetes API requests.
    Attackers use these methods to perform reconnaissance (enumeration), secret harvesting, or execute code (exec) within a cluster.
references:
    - https://www.nccgroup.com/research/detection-engineering-for-kubernetes-clusters/
    - https://github.com/trufflesecurity/trufflehog
    - https://github.com/corneliusweig/rakkess
author: uniqu3-us3r
date: 2026-04-28
tags:
    - attack.execution
    - attack.discovery
    - attack.t1609
    - attack.t1613
logsource:
    product: kubernetes
    service: audit
detection:
    selection_status:
        responseStatus.code: 'ALLOW'
    selection_request_uri:
        requestURI|contains:
            # Shells Encoded
            - '%2fbin%2fash'
            - '%2fbin%2fbash'
            - '%2fbin%2fbusybox'
            - '%2fbin%2fdash'
            - '%2fbin%2fsh'
            - '%2fbin%2fzsh'
            # Shells Plain
            - '/bin/ash'
            - '/bin/bash'
            - '/bin/busybox'
            - '/bin/dash'
            - '/bin/sh'
            - '/bin/zsh'
            # Tools Encoded
            - '%2fusr%2fbin%2fcurl'
            - '%2fusr%2fbin%2fkubectl'
            - '%2fusr%2fbin%2fperl'
            - '%2fusr%2fbin%2fpython'
            - '%2fusr%2fbin%2fwget'
            # Tools Plain
            - '/usr/bin/curl'
            - '/usr/bin/kubectl'
            - '/usr/bin/perl'
            - '/usr/bin/python'
            - '/usr/bin/wget'
    selection_request_user_agent:
        userAgent|contains:
            - 'access_matrix'  # Rakkess
            - 'trufflehog'     # Secret scanning tool
            - 'azurehound'     # Azure/Cloud discovery
            - 'micro-scanner'  # Vulnerability scanning
    condition: selection_status and 1 of selection_request_*
falsepositives:
    - Authorized administrative maintenance via kubectl
    - Automated internal infrastructure monitoring and certificate rotation
    - Security-approved vulnerability or secret scanning in DevSecOps pipelines
level: medium
medium
Kubernetes Rolebinding Modification
Detects when a Kubernetes Rolebinding is created or modified.
status test author kelnage id 10b97915-ec8d-455f-a815-9a78926585f6
view Sigma YAML 
title: Kubernetes Rolebinding Modification
id: 10b97915-ec8d-455f-a815-9a78926585f6
related:
    - id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
      type: similar
status: test
description: |
    Detects when a Kubernetes Rolebinding is created or modified.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'rbac.authorization.k8s.io'
        objectRef.resource:
            - 'clusterrolebindings'
            - 'rolebindings'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying a Kubernetes Rolebinding may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
medium
Kubernetes Secrets Modified or Deleted
Detects when Kubernetes Secrets are Modified or Deleted.
status test author kelnage id 58d31a75-a4f8-4c40-985b-373d58162ca2
view Sigma YAML 
title: Kubernetes Secrets Modified or Deleted
id: 58d31a75-a4f8-4c40-985b-373d58162ca2
related:
    - id: 2f0bae2d-bf20-4465-be86-1311addebaa3
      type: similar
status: test
description: |
    Detects when Kubernetes Secrets are Modified or Deleted.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
author: kelnage
date: 2024-07-11
tags:
    - attack.credential-access
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.resource: 'secrets'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
medium
LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe
status test author Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger id e290b10b-1023-4452-a4a9-eb31a9013b3a
view Sigma YAML 
title: LOLBAS Data Exfiltration by DataSvcUtil.exe
id: e290b10b-1023-4452-a4a9-eb31a9013b3a
status: test
description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
references:
    - https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services
    - https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
author: Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-05-16
tags:
    - attack.exfiltration
    - attack.t1567
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        CommandLine|contains:
            - '/in:'
            - '/out:'
            - '/uri:'
    selection_img:
        - Image|endswith: '\DataSvcUtil.exe'
        - OriginalFileName: 'DataSvcUtil.exe'
    condition: all of selection*
falsepositives:
    - DataSvcUtil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
LOLBIN Execution From Abnormal Drive
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
status test author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman id d4ca7c59-e9e4-42d8-bf57-91a776efcb87
view Sigma YAML 
title: LOLBIN Execution From Abnormal Drive
id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87
related:
    - id: 5b80cf53-3a46-4adc-960b-05ec19348d74
      type: similar
status: test
description: Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.scythe.io/library/threat-emulation-qakbot
    - https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti', Aaron Herman
date: 2022-01-25
modified: 2023-08-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: add more lolbins for additional coverage
        - Image|endswith:
              - '\calc.exe'
              - '\certutil.exe'
              - '\cmstp.exe'
              - '\cscript.exe'
              - '\installutil.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'CALC.EXE'
              - 'CertUtil.exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'installutil.exe'
              - 'MSHTA.EXE'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    filter_main_currentdirectory:
        CurrentDirectory|contains: 'C:\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rare false positives could occur on servers with multiple drives.
level: medium
medium
LSA PPL Protection Setting Modification via CommandLine
Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
status test author Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) id 8c0eca51-0f88-4db2-9183-fdfb10c703f9
view Sigma YAML 
title: LSA PPL Protection Setting Modification via CommandLine
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: |
    Detects modification of LSA PPL protection settings via CommandLine.
    It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-03-22
modified: 2026-03-13
tags:
    - attack.defense-impairment
    - attack.t1689
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains|all:
            - 'ControlSet'
            - '\Control\Lsa'
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - ' add '
    selection_key:
        CommandLine|contains:
            - 'IsPplAutoEnabled'
            - 'RunAsPPL'
            - 'RunAsPPLBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium
medium
LSASS Access From Non System Account
Detects potential mimikatz-like tools accessing LSASS from non system account
status test author Roberto Rodriguez @Cyb3rWard0g id 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
view Sigma YAML 
title: LSASS Access From Non System Account
id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1
status: test
description: Detects potential mimikatz-like tools accessing LSASS from non system account
references:
    - https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2023-12-11
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4663
            - 4656
        AccessMask:
            - '0x100000'
            - '0x1010'    # car.2019-04-004
            - '0x1400'
            - '0x1410'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
            - '0x40'
            - '143a'    # car.2019-04-004
            - '1f0fff'
            - '1f1fff'
            - '1f2fff'
            - '1f3fff'
            # - '0x1000'  # minimum access requirements to query basic info from service
        ObjectType: 'Process'
        ObjectName|endswith: '\lsass.exe'
    filter_main_service_account:
        SubjectUserName|endswith: '$'
    filter_main_generic:
        ProcessName|contains:
            # Legitimate AV and EDR solutions
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_wmiprvse:
        ProcessName: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        AccessMask: '0x1410'
    filter_optional_steam:
        ProcessName|contains: '\SteamLibrary\steamapps\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
status test author Pratinav Chandra id ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
view Sigma YAML 
title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
    - https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1569.001
    - attack.t1543.001
    - attack.t1543.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/launchctl'
        CommandLine|contains:
            - 'submit'
            - 'load'
            - 'start'
    condition: selection
falsepositives:
    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium
medium
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
status test author Nasreddine Bencherchali (Nextron Systems) id 45d3a03d-f441-458c-8883-df101a3bb146
view Sigma YAML 
title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
    - https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_script:
        CommandLine|contains: 'Launch-VsDevShell.ps1'
    selection_flags:
        CommandLine|contains:
            - 'VsWherePath '
            - 'VsInstallationPath '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the script by a developer
level: medium
medium
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
status test author pH-T (Nextron Systems) id ba592c6d-6888-43c3-b8c6-689b8fe47337
view Sigma YAML 
title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
medium
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
status test author Nasreddine Bencherchali (Nextron Systems) id fe2f9663-41cb-47e2-b954-8a228f3b9dff
view Sigma YAML 
title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
            - "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
            - "IyEvYmluL3pza" # Note: #!/bin/zsh"
            - "IyEvYmluL2Zpc2" # Note: #!/bin/fish
            - "IyEvYmluL3No" # Note: # !/bin/sh"
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
medium
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
status stable author Sittikorn S, Teoderick Contreras id 00eee2a5-fdb0-4746-a21d-e43fbdea5681
view Sigma YAML 
title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of doas.conf file in linux host platform.
references:
    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '/etc/doas.conf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Linux Logs Clearing Attempts
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories. Adversaries often try to clear logs to cover their tracks after performing malicious activities.
status stable author Ömer Günal, oscd.community id 80915f59-9b56-4616-9de0-fd0dea6c12fe
view Sigma YAML 
title: Linux Logs Clearing Attempts
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: |
    Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
    Adversaries often try to clear logs to cover their tracks after performing malicious activities.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/rm'    # covers /rmdir as well
            - '/rmdir'
            - '/shred'
            - '/unlink'
        CommandLine|contains:
            - '/var/log'
            - '/var/spool/mail'
    filter_main_legit_systat:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f /var/log/sysstat/'
    filter_main_dmseg:
        Image|endswith: '/rm'
        CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administration activities
level: medium
medium
Linux Shell Pipe to Shell
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
status test author Florian Roth (Nextron Systems) id 880973f3-9708-491c-a77b-2a35a1921158
view Sigma YAML 
title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
    - attack.stealth
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*
falsepositives:
    - Legitimate software that uses these patterns
level: medium
medium
LiveKD Driver Creation
Detects the creation of the LiveKD driver, which is used for live kernel debugging
status test author Nasreddine Bencherchali (Nextron Systems) id 16fe46bb-4f64-46aa-817d-ff7bec4a2352
view Sigma YAML 
title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection
falsepositives:
    - Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium
medium
LoadBalancer Security Group Modification
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
status test author jamesc-grafana id 7a4409fc-f8ca-45f6-8006-127d779eaad9
view Sigma YAML 
title: LoadBalancer Security Group Modification
id: 7a4409fc-f8ca-45f6-8006-127d779eaad9
status: test
description: |
    Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
    This can indicate that a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'elasticloadbalancing.amazonaws.com'
        eventName:
            - 'ApplySecurityGroupsToLoadBalancer'
            - 'SetSecurityGroups'
    condition: selection
falsepositives:
    - Repurposing of an ELB or ALB to serve a different or additional application
    - Changes to security groups to allow for new services to be deployed
level: medium
medium
Loaded Module Enumeration Via Tasklist.EXE
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
status test author Swachchhanda Shrawan Poudel id 34275eb8-fa19-436b-b959-3d9ecd53fa1f
view Sigma YAML 
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: test
description: |
    Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
    This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
    In order to dump the process memory or perform other nefarious actions.
references:
    - https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
    - https://pentestlab.blog/tag/svchost/
author: Swachchhanda Shrawan Poudel
date: 2024-02-12
modified: 2024-03-13
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\tasklist.exe'
        - OriginalFileName: 'tasklist.exe'
    selection_flags:
        CommandLine|contains|windash: '-m'
    selection_module:
        # Note: add other interesting modules or binaries
        CommandLine|contains: 'rdpcorets.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
status test author Nasreddine Bencherchali (Nextron Systems) id aa6f6ea6-0676-40dd-b510-6e46f02d8867
view Sigma YAML 
title: Local File Read Using Curl.EXE
id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
status: test
description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_cli:
        CommandLine|contains: 'file:///'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_local_file_read/info.yml
medium
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
status test author frack113 id 08249dc0-a28d-4555-8ba5-9255a198e08c
view Sigma YAML 
title: Local Network Connection Initiated By Script Interpreter
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
related:
    - id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
      type: derived
status: test
description: |
    Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-05-31
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        # Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection
falsepositives:
    - Legitimate scripts
level: medium
medium
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
status test author Nasreddine Bencherchali (Nextron Systems) id c9783e20-4793-4164-ba96-d9ee483992c4
view Sigma YAML 
title: Logged-On User Password Change Via Ksetup.EXE
id: c9783e20-4793-4164-ba96-d9ee483992c4
status: test
description: Detects password change for the logged-on user's via "ksetup.exe"
references:
    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ksetup.exe'
        - OriginalFileName: 'ksetup.exe'
    selection_cli:
        CommandLine|contains: ' /ChangePassword '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
status test author AlertIQ id 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
view Sigma YAML 
title: Login to Disabled Account
id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
status: test
description: Detect failed attempts to sign in to disabled accounts.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50057
        ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
status test author Austin Songer @austinsonger id c191e2fa-f9d6-4ccf-82af-4f2aba08359f
view Sigma YAML 
title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
status: test
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Log on from a risky IP address'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Lolbin Runexehelper Use As Proxy
Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
status test author frack113 id cd71385d-fd9b-4691-9b98-2b1f7e508714
view Sigma YAML 
title: Lolbin Runexehelper Use As Proxy
id: cd71385d-fd9b-4691-9b98-2b1f7e508714
status: test
description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
references:
    - https://twitter.com/0gtweet/status/1206692239839289344
    - https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
author: frack113
date: 2022-12-29
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\runexehelper.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Lolbin Unregmp2.exe Use As Proxy
Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
status test author frack113 id 727454c0-d851-48b0-8b89-385611ab0704
view Sigma YAML 
title: Lolbin Unregmp2.exe Use As Proxy
id: 727454c0-d851-48b0-8b89-385611ab0704
status: test
description: Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
author: frack113
date: 2022-12-29
modified: 2024-06-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\unregmp2.exe'
        - OriginalFileName: 'unregmp2.exe'
    selection_cmd:
        CommandLine|contains|windash: ' /HideWMP'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
MITRE BZAR Indicators for Execution
Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
status test author @neu5ron, SOC Prime id b640c0b8-87f8-4daa-aef8-95a24261dd1d
view Sigma YAML 
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
medium
MITRE BZAR Indicators for Persistence
Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
status test author @neu5ron, SOC Prime id 53389db6-ba46-48e3-a94c-e0f2cefe1583
view Sigma YAML 
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.004
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'spoolss'
        operation: 'RpcAddMonitor'
    op2:
        endpoint: 'spoolss'
        operation: 'RpcAddPrintProcessor'
    op3:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddMonitor'
    op4:
        endpoint: 'IRemoteWinspool'
        operation: 'RpcAsyncAddPrintProcessor'
    op5:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonW'
    op6:
        endpoint: 'ISecLogon'
        operation: 'SeclCreateProcessWithLogonExW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium
medium
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
view Sigma YAML 
title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
    Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
    to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218.014
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\mmc.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\jscript.dll'
            - '\jscript9.dll'
    condition: selection
falsepositives:
    - Legitimate MMC operations or extensions loading these libraries
level: medium
medium
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
status test author Tobias Michalski (Nextron Systems) id 83809e84-4475-4b69-bc3e-4aad8568612f
view Sigma YAML 
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
medium
MSExchange Transport Agent Installation - Builtin
Detects the Installation of a Exchange Transport Agent
status test author Tobias Michalski (Nextron Systems) id 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
view Sigma YAML 
title: MSExchange Transport Agent Installation - Builtin
id: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
related:
    - id: 83809e84-4475-4b69-bc3e-4aad8568612f
      type: derived
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        - 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
medium
MSI Installation From Suspicious Locations
Detects MSI package installation from suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) id c7c8aa1c-5aff-408e-828b-998e3620b341
view Sigma YAML 
title: MSI Installation From Suspicious Locations
id: c7c8aa1c-5aff-408e-828b-998e3620b341
status: test
description: Detects MSI package installation from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-10-23
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains:
            # Add more suspicious paths
            - ':\Windows\TEMP\'
            - '\\\\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Users\Public\'
            # - '\AppData\Local\Temp\'  # too many FPs
            # - '\Downloads\'  # too many FPs, typical legitimate staging directory
    filter_winget:
        Data|contains: '\AppData\Local\Temp\WinGet\'
    filter_updhealthtools:
        Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi'
    condition: selection and not 1 of filter_*
falsepositives:
    - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. A baseline is required before production use.
level: medium
medium
MSI Installation From Web
Detects installation of a remote msi file from web.
status test author Stamatis Chatzimangou id 5594e67a-7f92-4a04-b65d-1a42fd824a60
view Sigma YAML 
title: MSI Installation From Web
id: 5594e67a-7f92-4a04-b65d-1a42fd824a60
status: test
description: Detects installation of a remote msi file from web.
references:
    - https://twitter.com/_st0pp3r_/status/1583922009842802689
author: Stamatis Chatzimangou
date: 2022-10-23
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1218.007
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'MsiInstaller'
        EventID:
            - 1040
            - 1042
        Data|contains: '://'
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 451-500 of 1,345
Prev 10 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin