Home/Sigma rules
Sigma

Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,345
medium
MSSQL Destructive Query
Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
status experimental author Daniel Degasperi '@d4ns4n_' id 00321fee-ca72-4cce-b011-5415af3b9960
view Sigma YAML 
title: MSSQL Destructive Query
id: 00321fee-ca72-4cce-b011-5415af3b9960
status: experimental
description: |
    Detects the invocation of MS SQL transactions that are destructive towards table or database data, such as "DROP TABLE" or "DROP DATABASE".
references:
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-table-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-database-transact-sql?view=sql-server-ver16
    - https://learn.microsoft.com/en-us/sql/t-sql/statements/truncate-table-transact-sql?view=sql-server-ver16
author: Daniel Degasperi '@d4ns4n_'
date: 2025-06-04
tags:
    - attack.exfiltration
    - attack.impact
    - attack.t1485
logsource:
    product: windows
    service: application
    definition: 'Requirements: MSSQL audit policy must be enabled in order to receive this event (event id 33205)'
detection:
    selection:
        Provider_Name: 'MSSQLSERVER$AUDIT'
        EventID: 33205
        Data|contains:
            - 'statement:TRUNCATE TABLE'
            - 'statement:DROP TABLE'
            - 'statement:DROP DATABASE'
    condition: selection
falsepositives:
    - Legitimate transaction from a sysadmin.
level: medium
medium
MSSQL Server Failed Logon From External Network
Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
status test author j4son id ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
view Sigma YAML 
title: MSSQL Server Failed Logon From External Network
id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
    - id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
      type: similar
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
    - https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
    - https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
author: j4son
date: 2023-10-11
modified: 2025-05-28
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: application
    definition: 'Requirements: Must enable MSSQL authentication.'
detection:
    selection:
        Provider_Name|contains: 'MSSQL' # Note: We use contains to account for other third party providers - See https://github.com/SigmaHQ/sigma/issues/4876
        EventID: 18456
    filter_main_local_ips:
        Data|contains:
            - 'CLIENT: 10.' # filter_range_IP: 10.0.0.0/8
            - 'CLIENT: 172.16.' # filter_range_IP: 172.16.0.0/12
            - 'CLIENT: 172.17.'
            - 'CLIENT: 172.18.'
            - 'CLIENT: 172.19.'
            - 'CLIENT: 172.20.'
            - 'CLIENT: 172.21.'
            - 'CLIENT: 172.22.'
            - 'CLIENT: 172.23.'
            - 'CLIENT: 172.24.'
            - 'CLIENT: 172.25.'
            - 'CLIENT: 172.26.'
            - 'CLIENT: 172.27.'
            - 'CLIENT: 172.28.'
            - 'CLIENT: 172.29.'
            - 'CLIENT: 172.30.'
            - 'CLIENT: 172.31.'
            - 'CLIENT: 192.168.' # filter_range_IP: 192.168.0.0/16
            - 'CLIENT: 127.' # filter_loop_back: 127.0.0.0/8
            - 'CLIENT: 169.254.' # fileter_link-local_addressing: 169.254.0.0/16
            - 'CLIENT: <local machine>'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
status test author Alejandro Ortuno, oscd.community id 23c43900-e732-45a4-8354-63e4a6c187ce
view Sigma YAML 
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020-10-23
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.014
logsource:
    category: file_event
    product: macos
detection:
    selection_1:
        TargetFilename|contains: '/etc/emond.d/rules/'
        TargetFilename|endswith: '.plist'
    selection_2:
        TargetFilename|contains: '/private/var/db/emondClients/'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
medium
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
status test author Alejandro Ortuno, oscd.community id 1bc2e6c5-0885-472b-bed6-be5ea8eace55
view Sigma YAML 
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
    - https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-02-01
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - ' -e '
            - '.scpt'
            - '.js'
    condition: selection
falsepositives:
    - Application installers might contain scripts as part of the installation process.
level: medium
medium
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
status test author Nasreddine Bencherchali (Nextron Systems) id 39b64854-5497-4b57-a448-40977b8c9679
view Sigma YAML 
title: Malicious Driver Load By Name
id: 39b64854-5497-4b57-a448-40977b8c9679
status: test
description: Detects loading of known malicious drivers via the file name of the drivers.
references:
    - https://loldrivers.io/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-03
modified: 2023-12-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1068
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImageLoaded|endswith:
            - '\wfshbr64.sys'
            - '\ktmutil7odm.sys'
            - '\ktes.sys'
            - '\a26363e7b02b13f2b8d697abb90cd5c3.sys'
            - '\kt2.sys'
            - '\4748696211bd56c2d93c21cab91e82a5.sys'
            - '\malicious.sys'
            - '\a236e7d654cd932b7d11cb604629a2d0.sys'
            - '\spwizimgvt.sys'
            - '\c94f405c5929cfcccc8ad00b42c95083.sys'
            - '\fur.sys'
            - '\wantd.sys'
            - '\windbg.sys'
            - '\4118b86e490aed091b1a219dba45f332.sys'
            - '\gmer64.sys'
            - '\1fc7aeeff3ab19004d2e53eae8160ab1.sys'
            - '\poortry2.sys'
            - '\wintapix.sys'
            - '\daxin_blank6.sys'
            - '\6771b13a53b9c7449d4891e427735ea2.sys'
            - '\blacklotus_driver.sys'
            - '\air_system10.sys'
            - '\dkrtk.sys'
            - '\7.sys'
            - '\sense5ext.sys'
            - '\ktgn.sys'
            - '\ndislan.sys'
            - '\nlslexicons0024uvn.sys'
            - '\be6318413160e589080df02bb3ca6e6a.sys'
            - '\4.sys'
            - '\wantd_2.sys'
            - '\e29f6311ae87542b3d693c1f38e4e3ad.sys'
            - '\daxin_blank3.sys'
            - '\gftkyj64.sys'
            - '\daxin_blank2.sys'
            - '\wantd_4.sys'
            - '\reddriver.sys'
            - '\834761775.sys'
            - '\mlgbbiicaihflrnh.sys'
            - '\mjj0ge.sys'
            - '\daxin_blank.sys'
            - '\daxin_blank5.sys'
            - '\poortry1.sys'
            - '\msqpq.sys'
            - '\mimidrv.sys'
            - '\e939448b28a4edc81f1f974cebf6e7d2.sys'
            - '\prokiller64.sys'
            - '\nodedriver.sys'
            - '\wantd_3.sys'
            - '\lctka.sys'
            - '\kapchelper_x64.sys'
            - '\daxin_blank4.sys'
            - '\a9df5964635ef8bd567ae487c3d214c4.sys'
            - '\wantd_6.sys'
            - '\ntbios.sys'
            - '\wantd_5.sys'
            - '\pciecubed.sys'
            - '\mimikatz.sys'
            - '\nqrmq.sys'
            - '\2.sys'
            - '\poortry.sys'
            - '\ntbios_2.sys'
            - '\fgme.sys'
            - '\telephonuafy.sys'
            - '\typelibde.sys'
            - '\daxin_blank1.sys'
            - '\ef0e1725aaf0c6c972593f860531a2ea.sys'
            - '\5a4fe297c7d42539303137b6d75b150d.sys'
    condition: selection
falsepositives:
    - False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
    - If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)
level: medium
medium
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
status test author Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community id 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
view Sigma YAML 
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
  There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
  This option may be used adversaries to execute malicious code by signed verified binary.
  The debugger is installed alongside with Microsoft Visual Studio package.
references:
    - https://twitter.com/pabraeken/status/990758590020452353
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
    - https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020-10-14
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\vsjitdebugger.exe'
    reduction1:
        Image|endswith: '\vsimmersiveactivatehelper*.exe'
    reduction2:
        Image|endswith: '\devenv.exe'
    condition: selection and not (reduction1 or reduction2)
falsepositives:
    - The process spawned by vsjitdebugger.exe is uncommon.
level: medium
medium
Malicious PowerShell Keywords
Detects keywords from well-known PowerShell exploitation frameworks
status test author Sean Metcalf (source), Florian Roth (Nextron Systems) id f62176f3-8128-4faa-bf6c-83261322e5eb
view Sigma YAML 
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: test
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-06-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'AdjustTokenPrivileges'
            - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
            # - 'LSA_UNICODE_STRING'
            - 'Metasploit'
            - 'Microsoft.Win32.UnsafeNativeMethods'
            - 'Mimikatz'
            - 'MiniDumpWriteDump'
            - 'PAGE_EXECUTE_READ'
            - 'ReadProcessMemory.Invoke'
            - 'SE_PRIVILEGE_ENABLED'
            - 'SECURITY_DELEGATION'
            - 'TOKEN_ADJUST_PRIVILEGES'
            - 'TOKEN_ALL_ACCESS'
            - 'TOKEN_ASSIGN_PRIMARY'
            - 'TOKEN_DUPLICATE'
            - 'TOKEN_ELEVATION'
            - 'TOKEN_IMPERSONATE'
            - 'TOKEN_INFORMATION_CLASS'
            - 'TOKEN_PRIVILEGES'
            - 'TOKEN_QUERY'
    condition: selection
falsepositives:
    - Depending on the scripts, this rule might require some initial tuning to fit the environment
level: medium
medium
Manipulation of User Computer or Group Security Principals Across AD
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
status test author frack113 id b29a93fb-087c-4b5b-a84d-ee3309e69d08
view Sigma YAML 
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
description: |
    Adversaries may create a domain account to maintain access to victim systems.
    Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
author: frack113
date: 2021-12-28
tags:
    - attack.persistence
    - attack.t1136.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: System.DirectoryServices.AccountManagement
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
medium
Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
status test author Timur Zinniatullin, oscd.community id 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
view Sigma YAML 
title: Masquerading as Linux Crond Process
id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
status: test
description: |
  Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
  Several different variations of this technique have been observed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-08-22
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'execve'
        a0: 'cp'
        a1: '/bin/sh'
        a2|endswith: '/crond'
    condition: selection
level: medium
medium
Mesh Agent Service Installation
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
status test author Nasreddine Bencherchali (Nextron Systems) id e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
view Sigma YAML 
title: Mesh Agent Service Installation
id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
status: test
description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'MeshAgent.exe'
        - ServiceName|contains: 'Mesh Agent'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
Microsoft 365 - Impossible Travel Activity
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
status test author Austin Songer @austinsonger id d7eab125-5f94-43df-8710-795b80fa1189
view Sigma YAML 
title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: test
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2020-07-06
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Impossible travel activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - Potential Ransomware Activity
Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
status test author austinsonger id bd132164-884a-48f1-aa2d-c6d646b04c69
view Sigma YAML 
title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: test
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1486
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Potential ransomware activity'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - Unusual Volume of File Deletion
Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
status test author austinsonger id 78a34b67-3c39-4886-8fb4-61c46dc18ecd
view Sigma YAML 
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: test
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1485
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Unusual volume of file deletion'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft 365 - User Restricted from Sending Email
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
status test author austinsonger id ff246f56-7f24-402a-baca-b86540e3925c
view Sigma YAML 
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: test
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
references:
    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: austinsonger
date: 2021-08-19
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1199
logsource:
    service: threat_management
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'User restricted from sending email'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
status test author Nasreddine Bencherchali (Nextron Systems) id af4c4609-5755-42fe-8075-4effb49f5d44
view Sigma YAML 
title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium
medium
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
status test author elhoim id 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
view Sigma YAML 
title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Microsoft Teams Sensitive File Access By Uncommon Applications
Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
status test author @SerkinValery id 65744385-8541-44a6-8630-ffc824d7d4cc
view Sigma YAML 
title: Microsoft Teams Sensitive File Access By Uncommon Applications
id: 65744385-8541-44a6-8630-ffc824d7d4cc
status: test
description: |
    Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2024-07-22
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: file_access
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_location:
        # Note: its best to filter the full path to avoid false negatives
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
status test author Nasreddine Bencherchali (Nextron Systems) id 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
view Sigma YAML 
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
medium
Modify Group Policy Settings
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
status test author frack113 id ada4b0c4-758b-46ac-9033-9004613a150d
view Sigma YAML 
title: Modify Group Policy Settings
id: ada4b0c4-758b-46ac-9033-9004613a150d
related:
    - id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
      type: similar
status: test
description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System'
    selection_key:
        CommandLine|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
medium
Modify Group Policy Settings - ScriptBlockLogging
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
status test author frack113 id b7216a7d-687e-4c8d-82b1-3080b2ad961f
view Sigma YAML 
title: Modify Group Policy Settings - ScriptBlockLogging
id: b7216a7d-687e-4c8d-82b1-3080b2ad961f
related:
    - id: ada4b0c4-758b-46ac-9033-9004613a150d
      type: similar
status: test
description: Detect malicious GPO modifications can be used to implement many other malicious behaviors.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
author: frack113
date: 2022-08-19
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_path:
        ScriptBlockText|contains: \SOFTWARE\Policies\Microsoft\Windows\System
    selection_key:
        ScriptBlockText|contains:
            - GroupPolicyRefreshTimeDC
            - GroupPolicyRefreshTimeOffsetDC
            - GroupPolicyRefreshTime
            - GroupPolicyRefreshTimeOffset
            - EnableSmartScreen
            - ShellSmartScreenLevel
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: medium
medium
Modify System Firewall
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
status test author IAI id 323ff3f5-0013-4847-bbd4-250b5edb62cc
view Sigma YAML 
title: Modify System Firewall
id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
    - id: 53059bc0-1472-438b-956a-7508a94a91f0
      type: similar
status: test
description: |
    Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
    Detection rules that match only on the disabling of firewalls will miss this.
references:
    - https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html
    - https://blog.aquasec.com/container-security-tnt-container-attack
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/getting-started-with-nftables_configuring-and-managing-networking
author: IAI
date: 2023-03-06
modified: 2025-10-12
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: auditd
detection:
    selection1:
        type: 'EXECVE'
        a0: 'iptables'
        a1|contains: 'DROP'
    selection2:
        type: 'EXECVE'
        a0: 'firewall-cmd'
        a1|contains: 'remove'
    selection3:
        type: 'EXECVE'
        a0: 'ufw'
        a1|contains: 'delete'
    selection4:
        type: 'EXECVE'
        a0: 'nft'
        a1|contains:
            - 'delete'
            - 'flush'
    condition: 1 of selection*
falsepositives:
    - Legitimate admin activity
level: medium
medium
Modifying Crontab
Detects suspicious modification of crontab file.
status test author Pawel Mazur id af202fd3-7bff-4212-a25a-fb34606cfcbe
view Sigma YAML 
title: Modifying Crontab
id: af202fd3-7bff-4212-a25a-fb34606cfcbe
status: test
description: Detects suspicious modification of crontab file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Pawel Mazur
date: 2022-04-16
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    service: cron
detection:
    keywords:
        - 'REPLACE'
    condition: keywords
falsepositives:
    - Legitimate modification of crontab
level: medium
medium
Monitoring For Persistence Via BITS
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
status test author Sreeman id b9cbbc17-d00d-4e3d-a827-b06d03d2380d
view Sigma YAML 
title: Monitoring For Persistence Via BITS
id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
status: test
description: |
    BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished.
    When the job runs on the system the command specified in the BITS job will be executed.
    This can be abused by actors to create a backdoor within the system and for persistence.
    It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
    - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
    - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
author: Sreeman
date: 2020-10-29
modified: 2024-01-25
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\bitsadmin.exe'
        - OriginalFileName: 'bitsadmin.exe'
    selection_cli_notify_1:
        CommandLine|contains: '/SetNotifyCmdLine'
    selection_cli_notify_2:
        CommandLine|contains:
            - '%COMSPEC%'
            - 'cmd.exe'
            - 'regsvr32.exe'
    selection_cli_add_1:
        CommandLine|contains: '/Addfile'
    selection_cli_add_2:
        CommandLine|contains:
            - 'http:'
            - 'https:'
            - 'ftp:'
            - 'ftps:'
    condition: selection_img and (all of selection_cli_notify_* or all of selection_cli_add_*)
falsepositives:
    - Unknown
level: medium
medium
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id ec52985a-d024-41e3-8ff6-14169039a0b3
view Sigma YAML 
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
    - https://blogs.blackberry.com/
    - https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1564
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/mount'
        CommandLine|contains|all:
            - 'hidepid=2'
            - ' -o '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as parameter
status test author Florian Roth (Nextron Systems) id f7b5f842-a6af-4da5-9e95-e32478f3cd2f
view Sigma YAML 
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
    - id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
      type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
    - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
    - attack.stealth
    - attack.t1218.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' msiexec'
            - '://'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium
Msiexec Quiet Installation
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
status test author frack113 id 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
view Sigma YAML 
title: Msiexec Quiet Installation
id: 79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914244344799235
author: frack113
date: 2022-01-16
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    filter_user_temp:
        # The %temp% is a very common location for installers
        ParentImage|startswith: 'C:\Users\'
        ParentImage|contains: '\AppData\Local\Temp\'
    filter_system_temp:
        ParentImage|startswith: 'C:\Windows\Temp\'
    filter_ccm:
        ParentImage: 'C:\Windows\CCM\Ccm32BitLauncher.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - WindowsApps installing updates via the quiet flag
level: medium
medium
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
status test author Timur Zinniatullin, oscd.community id 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
view Sigma YAML 
title: Msxsl.EXE Execution
id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
status: test
description: |
    Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
    Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1220
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msxsl.exe'
    condition: selection
falsepositives:
    - Msxsl is not installed by default and is deprecated, so unlikely on most systems.
# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition
level: medium
medium
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
status test author Harjot Singh (@cyb3rjy0t) id b18454c8-0be3-41f7-86bc-9c614611b839
view Sigma YAML 
title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: test
description: |
    Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
    Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
references:
    - https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
author: Harjot Singh (@cyb3rjy0t)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.persistence
logsource:
    product: azure
    service: auditlogs
    definition: 'Requirements: The TargetResources array needs to be mapped accurately in order for this rule to work'
detection:
    selection:
        LoggedByService: 'Core Directory'
        Category: 'UserManagement'
        OperationName: 'Update user'
        TargetResources.ModifiedProperties.DisplayName: 'StrongAuthenticationRequirement'
        TargetResources.ModifiedProperties.NewValue|contains: "State\":0"
    condition: selection
falsepositives:
    - Legitimate authorized activity.
level: medium
medium
Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
status test author AlertIQ id e40f4962-b02b-4192-9bfe-245f7ece1f99
view Sigma YAML 
title: Multifactor Authentication Denied
id: e40f4962-b02b-4192-9bfe-245f7ece1f99
status: test
description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
references:
    - https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
author: AlertIQ
date: 2022-03-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        AuthenticationRequirement: 'multiFactorAuthentication'
        Status|contains: 'MFA Denied'
    condition: selection
falsepositives:
    - Users actually login but miss-click into the Deny button when MFA prompt.
level: medium
medium
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
status test author AlertIQ id 5496ff55-42ec-4369-81cb-00f417029e25
view Sigma YAML 
title: Multifactor Authentication Interrupted
id: 5496ff55-42ec-4369-81cb-00f417029e25
status: test
description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
    - attack.t1621
logsource:
    product: azure
    service: signinlogs
detection:
    selection_50074:
        ResultType: 50074
        ResultDescription|contains: 'Strong Auth required'
    selection_500121:
        ResultType: 500121
        ResultDescription|contains: 'Authentication failed during strong authentication request'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
NTLM Brute Force
Detects common NTLM brute force device names
status test author Jerry Shockley '@jsh0x' id 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
view Sigma YAML 
title: NTLM Brute Force
id: 9c8acf1a-cbf9-4db6-b63c-74baabe03e59
status: test
description: Detects common NTLM brute force device names
references:
    - https://www.varonis.com/blog/investigate-ntlm-brute-force
author: Jerry Shockley '@jsh0x'
date: 2022-02-02
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: windows
    service: ntlm
    definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
    selection:
        EventID: 8004
    devicename:
        WorkstationName:
            - 'Rdesktop'
            - 'Remmina'
            - 'Freerdp'
            - 'Windows7'
            - 'Windows8'
            - 'Windows2012'
            - 'Windows2016'
            - 'Windows2019'
    condition: selection and devicename
falsepositives:
    - Systems with names equal to the spoofed ones used by the brute force tools
level: medium
medium
NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
status test author Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
view Sigma YAML 
title: NTLMv1 Logon Between Client and Server
id: e9d4ab66-a532-4ef7-a502-66a9e4a34f5d
status: test
description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
references:
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
author: Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2022-04-26
modified: 2023-06-06
tags:
    - attack.lateral-movement
    - attack.t1550.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: "LsaSrv"
        EventID:
            - 6038
            - 6039
    condition: selection
falsepositives:
    - Environments that use NTLMv1
level: medium
medium
NetSupport Manager Service Install
Detects NetSupport Manager service installation on the target system.
status test author Nasreddine Bencherchali (Nextron Systems) id 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
view Sigma YAML 
title: NetSupport Manager Service Install
id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
status: test
description: Detects NetSupport Manager service installation on the target system.
references:
    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Client32</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: '\NetSupport Manager\client32.exe'
        - ServiceName: 'Client32'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
status test author frack113 id c5b20776-639a-49bf-94c7-84f912b91c15
view Sigma YAML 
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1095
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage
status test author frack113 id 347906f3-e207-4d18-ae5b-a9403d6bcdef
view Sigma YAML 
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022-01-09
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'advfirewall'
            - 'firewall'
            - 'set'
            - 'rule'
            - 'group='
            - 'new'
            - 'enable=Yes'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
Network Communication Initiated To Portmap.IO Domain
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
status test author Florian Roth (Nextron Systems) id 07837ab9-60e1-481f-a74d-c31fb496a94c
view Sigma YAML 
title: Network Communication Initiated To Portmap.IO Domain
id: 07837ab9-60e1-481f-a74d-c31fb496a94c
status: test
description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
references:
    - https://portmap.io/
    - https://github.com/rapid7/metasploit-framework/issues/11337
    - https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
author: Florian Roth (Nextron Systems)
date: 2024-05-31
tags:
    - attack.t1041
    - attack.command-and-control
    - attack.t1090.002
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.portmap.io'
    condition: selection
falsepositives:
    - Legitimate use of portmap.io domains
level: medium
medium
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
status test author Dmitriy Lifanov, oscd.community id c7e91a02-d771-4a6d-a700-42587e0b1095
view Sigma YAML 
title: Network Connection Initiated By Regsvr32.EXE
id: c7e91a02-d771-4a6d-a700-42587e0b1095
status: test
description: Detects a network connection initiated by "Regsvr32.exe"
references:
    - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
    - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
    - attack.execution
    - attack.stealth
    - attack.t1559.001
    - attack.t1218.010
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\regsvr32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
status test author Nasreddine Bencherchali (Nextron Systems) id 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
view Sigma YAML 
title: Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
related:
    - id: e043f529-8514-4205-8ab0-7f7d2927b400
      type: derived
status: test
description: |
    Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
    - https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
    - https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
modified: 2024-07-16
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1102.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: 'azurewebsites.net'
    # Note: Add/Remove browsers/applications that you don't use or those that have custom install locations
    # Note: To avoid complex conditions the filters for some apps are generic by name only. A custom tuning is recommended for best results
    filter_main_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_main_chrome_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Google\Chrome\Application\chrome.exe'
    filter_main_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_main_firefox_appdata:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\Mozilla Firefox\firefox.exe'
    filter_main_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_main_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_main_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_main_safari:
        Image|contains:
            - 'C:\Program Files (x86)\Safari\'
            - 'C:\Program Files\Safari\'
        Image|endswith: '\safari.exe'
    filter_main_defender:
        Image|contains:
            - 'C:\Program Files\Windows Defender Advanced Threat Protection\'
            - 'C:\Program Files\Windows Defender\'
            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith:
            - '\MsMpEng.exe' # Microsoft Defender executable
            - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
    filter_main_prtg:
        # Paessler's PRTG Network Monitor
        Image|endswith:
            - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe'
            - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe'
    filter_main_brave:
        Image|startswith: 'C:\Program Files\BraveSoftware\'
        Image|endswith: '\brave.exe'
    filter_main_maxthon:
        Image|contains: '\AppData\Local\Maxthon\'
        Image|endswith: '\maxthon.exe'
    filter_main_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_main_seamonkey:
        Image|startswith:
            - 'C:\Program Files\SeaMonkey\'
            - 'C:\Program Files (x86)\SeaMonkey\'
        Image|endswith: '\seamonkey.exe'
    filter_main_vivaldi:
        Image|contains: '\AppData\Local\Vivaldi\'
        Image|endswith: '\vivaldi.exe'
    filter_main_whale:
        Image|startswith:
            - 'C:\Program Files\Naver\Naver Whale\'
            - 'C:\Program Files (x86)\Naver\Naver Whale\'
        Image|endswith: '\whale.exe'
    # Note: The TOR browser shouldn't be something you allow in your corporate network.
    # filter_main_tor:
    #     Image|contains: '\Tor Browser\'
    filter_main_whaterfox:
        Image|startswith:
            - 'C:\Program Files\Waterfox\'
            - 'C:\Program Files (x86)\Waterfox\'
        Image|endswith: '\Waterfox.exe'
    filter_main_slimbrowser:
        Image|startswith:
            - 'C:\Program Files\SlimBrowser\'
            - 'C:\Program Files (x86)\SlimBrowser\'
        Image|endswith: '\slimbrowser.exe'
    filter_main_flock:
        Image|contains: '\AppData\Local\Flock\'
        Image|endswith: '\Flock.exe'
    filter_main_phoebe:
        Image|contains: '\AppData\Local\Phoebe\'
        Image|endswith: '\Phoebe.exe'
    filter_main_falkon:
        Image|startswith:
            - 'C:\Program Files\Falkon\'
            - 'C:\Program Files (x86)\Falkon\'
        Image|endswith: '\falkon.exe'
    filter_main_qtweb:
        Image|startswith:
            - 'C:\Program Files (x86)\QtWeb\'
            - 'C:\Program Files\QtWeb\'
        Image|endswith: '\QtWeb.exe'
    filter_main_avant:
        Image|startswith:
            - 'C:\Program Files (x86)\Avant Browser\'
            - 'C:\Program Files\Avant Browser\'
        Image|endswith: '\avant.exe'
    filter_main_discord:
        Image|contains: '\AppData\Local\Discord\'
        Image|endswith: '\Discord.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    # filter_optional_qlik:
    #     Image|endswith: '\Engine.exe' # Process from qlik.com app
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Network Connection Initiated To BTunnels Domains
Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 9e02c8ec-02b9-43e8-81eb-34a475ba7965
view Sigma YAML 
title: Network Connection Initiated To BTunnels Domains
id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
status: test
description: |
    Detects network connections to BTunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
author: Kamran Saifullah
date: 2024-09-13
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.btunnel.co.in'
    condition: selection
falsepositives:
    - Legitimate use of BTunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Cloudflared Tunnels Domains
Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems) id 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
view Sigma YAML 
title: Network Connection Initiated To Cloudflared Tunnels Domains
id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
related:
    - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
      type: derived
status: test
description: |
    Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
    Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Kamran Saifullah, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-27
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium
medium
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
view Sigma YAML 
title: Network Connection Initiated To DevTunnels Domain
id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4
related:
    - id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
    - https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
    - https://cydefops.com/devtunnels-unleashed
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567.001
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.devtunnels.ms'
    condition: selection
falsepositives:
    - Legitimate use of Devtunnels will also trigger this.
level: medium
medium
Network Connection Initiated To Visual Studio Code Tunnels Domain
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status test author Kamran Saifullah id 4b657234-038e-4ad5-997c-4be42340bce4
view Sigma YAML 
title: Network Connection Initiated To Visual Studio Code Tunnels Domain
id: 4b657234-038e-4ad5-997c-4be42340bce4
related:
    - id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
      type: similar
    - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
      type: similar
    - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
      type: similar
status: test
description: |
    Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://cydefops.com/vscode-data-exfiltration
author: Kamran Saifullah
date: 2023-11-20
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1572
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith: '.tunnels.api.visualstudio.com'
    condition: selection
falsepositives:
    - Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
medium
New AWS Lambda Function URL Configuration Created
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
status experimental author Ivan Saakov id ec541962-c05a-4420-b9ea-84de072d18f4
view Sigma YAML 
title: New AWS Lambda Function URL Configuration Created
id: ec541962-c05a-4420-b9ea-84de072d18f4
status: experimental
description: |
    Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
    This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
references:
    - https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html
    - https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc
    - https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
author: Ivan Saakov
date: 2024-12-19
tags:
    - attack.initial-access
    - attack.privilege-escalation
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: lambda.amazonaws.com
        eventName: 'CreateFunctionUrlConfig'
    condition: selection
falsepositives:
    - Creating a Lambda function URL configuration may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Creating a Lambda function URL configuration from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
status test author Nasreddine Bencherchali (Nextron Systems) id 53330955-dc52-487f-a3a2-da24dcff99b5
view Sigma YAML 
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
    condition: selection
falsepositives:
    - Legitimate use of external DB to save the results
level: medium
medium
New BgInfo.EXE Custom VBScript Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
status test author Nasreddine Bencherchali (Nextron Systems) id 992dd79f-dde8-4bb0-9085-6350ba97cfb3
view Sigma YAML 
title: New BgInfo.EXE Custom VBScript Registry Configuration
id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
related:
    - id: cd277474-5c52-4423-a52b-ac2d7969902f
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '4' # WMI
    condition: selection
falsepositives:
    - Legitimate VBScript
level: medium
medium
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
status test author Nasreddine Bencherchali (Nextron Systems) id cd277474-5c52-4423-a52b-ac2d7969902f
view Sigma YAML 
title: New BgInfo.EXE Custom WMI Query Registry Configuration
id: cd277474-5c52-4423-a52b-ac2d7969902f
related:
    - id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
      type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
        Details|startswith: '6' # WMI
    condition: selection
falsepositives:
    - Legitimate WMI query
level: medium
medium
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.
status test author Corissa Koopmans, '@corissalea' id 0922467f-db53-4348-b7bf-dee8d0d348c6
view Sigma YAML 
title: New CA Policy by Non-approved Actor
id: 0922467f-db53-4348-b7bf-dee8d0d348c6
status: test
description: Monitor and alert on conditional access changes.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
author: Corissa Koopmans, '@corissalea'
date: 2022-07-18
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add conditional access policy
    condition: selection
falsepositives:
    - Misconfigured role permissions
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
medium
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
status test author Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 60f16a96-db70-42eb-8f76-16763e333590
view Sigma YAML 
title: New Capture Session Launched Via DXCap.EXE
id: 60f16a96-db70-42eb-8f76-16763e333590
status: test
description: |
    Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/
    - https://twitter.com/harr0ey/status/992008180904419328
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2022-06-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\DXCap.exe'
        - OriginalFileName: 'DXCap.exe'
    selection_cli:
        CommandLine|contains: ' -c ' # The ".exe" is not required to run the binary
    condition: all of selection*
falsepositives:
    - Legitimate execution of dxcap.exe by legitimate user
level: medium
medium
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id ee63c85c-6d51-4d12-ad09-04e25877a947
view Sigma YAML 
title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - ':\Windows\apppatch\Custom\'
            - ':\Windows\apppatch\CustomSDB\'
    condition: selection
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
medium
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
status test author Ilyas Ochkov, oscd.community id 6aa1d992-5925-4e9f-a49b-845e51d1de01
view Sigma YAML 
title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
description: |
  Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
  by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.009
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
        # key rename
        - NewName: 'HKLM\SYSTEM\CurentControlSet\Control\Session Manager\AppCertDlls'
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 501-550 of 1,345
Prev 11 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin