Home/Sigma rules
Sigma

Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,345
medium
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
status test author Ilyas Ochkov, oscd.community, Tim Shelton id 4f84b697-c9ed-4420-8ab5-e09af5b2345d
view Sigma YAML 
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
status test author Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
view Sigma YAML 
title: New DLL Registered Via Odbcconf.EXE
id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
related:
    - id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
      type: similar
status: test
description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://redcanary.com/blog/raspberry-robin/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'REGSVR '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its content to determine if the action is authorized.
level: medium
medium
New DMSA Service Account Created in Specific OUs
Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 0ea8db81-2ff6-4525-9448-33bbe7effc13
view Sigma YAML 
title: New DMSA Service Account Created in Specific OUs
id: 0ea8db81-2ff6-4525-9448-33bbe7effc13
related:
    - id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
      type: similar
    - id: 02122374-b74e-495c-b285-9e4da973f3d6 # ScriptBlockText Detection
      type: similar
status: experimental
description: |
    Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs.
    The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
    It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
    On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
    it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
    - https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078.002
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'powershell_ise.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'New-ADServiceAccount'
            - '-CreateDelegatedServiceAccount'
            - '-path'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
New Federated Domain Added
Detects the addition of a new Federated Domain.
status test author Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule) id 58f88172-a73d-442b-94c9-95eaed3cbb36
view Sigma YAML 
title: New Federated Domain Added
id: 58f88172-a73d-442b-94c9-95eaed3cbb36
related:
    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1484.002
logsource:
    service: audit
    product: m365
detection:
    selection_domain:
        Operation|contains: 'domain'
    selection_operation:
        Operation|contains:
            - 'add'
            - 'new'
    condition: all of selection_*
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium
medium
New Federated Domain Added - Exchange
Detects the addition of a new Federated Domain.
status test author Splunk Threat Research Team (original rule), '@ionsor (rule)' id 42127bdd-9133-474f-a6f1-97b6c08a4339
view Sigma YAML 
title: New Federated Domain Added - Exchange
id: 42127bdd-9133-474f-a6f1-97b6c08a4339
related:
    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
    - https://www.sygnia.co/golden-saml-advisory
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
date: 2022-02-08
tags:
    - attack.persistence
    - attack.t1136.003
logsource:
    service: exchange
    product: m365
detection:
    selection:
        eventSource: Exchange
        eventName: 'Add-FederatedDomain'
        status: success
    condition: selection
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium
medium
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
status test author Pratinav Chandra id 9acf45ed-3a26-4062-bf08-56857613eb52
view Sigma YAML 
title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
id: 9acf45ed-3a26-4062-bf08-56857613eb52
status: test
description: |
    Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
    An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
    - https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: macos
detection:
    selection_img:
        - Image|endswith: '/tmutil'
        - CommandLine|contains: 'tmutil'
    selection_cmd:
        CommandLine|contains: 'addexclusion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id eca81e8d-09e1-4d04-8614-c91f44fd0519
view Sigma YAML 
title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
id: eca81e8d-09e1-4d04-8614-c91f44fd0519
status: test
description: |
    Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
    This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule
    - https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170
    - https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2024-05-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    product: windows
    service: firewall-as
detection:
    selection:
        EventID:
            - 2004 # A rule has been added to the Windows Defender Firewall exception list
            - 2071 # A rule has been added to the Windows Defender Firewall exception list. (Windows 11)
            - 2097
        Action: 3 # Allow
        ModifyingApplication|endswith: ':\Windows\System32\wbem\WmiPrvSE.exe'
    condition: selection
falsepositives:
    - Administrator scripts or activity.
level: medium
medium
New Firewall Rule Added Via Netsh.EXE
Detects the addition of a new rule to the Windows firewall via netsh
status test author Markus Neis, Sander Wiebing id cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
view Sigma YAML 
title: New Firewall Rule Added Via Netsh.EXE
id: cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c
status: test
description: Detects the addition of a new rule to the Windows firewall via netsh
references:
    - https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
author: Markus Neis, Sander Wiebing
date: 2019-01-29
modified: 2023-02-10
tags:
    - attack.defense-impairment
    - attack.t1686.003
    - attack.s0246
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' firewall '
            - ' add '
    filter_optional_dropbox:
        CommandLine|contains:
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
            - 'advfirewall firewall add rule name=Dropbox dir=in action=allow "program=?:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activity
    - Software installations
level: medium
medium
New Generic Credentials Added Via Cmdkey.EXE
Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
view Sigma YAML 
title: New Generic Credentials Added Via Cmdkey.EXE
id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727
status: test
description: |
    Detects usage of "cmdkey.exe" to add generic credentials.
    As an example, this can be used before connecting to an RDP session via command line interface.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-03
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.t1003.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdkey.exe'
        - OriginalFileName: 'cmdkey.exe'
    selection_cli_generic:
        CommandLine|contains|windash: ' -g' # Generic
    selection_cli_user:
        CommandLine|contains|windash: ' -u' # User
    selection_cli_password:
        CommandLine|contains|windash: ' -p' # Password
    condition: all of selection_*
falsepositives:
    - Legitimate usage for administration purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds/info.yml
simulation:
    - type: atomic-red-team
      name: RDP to DomainController
      technique: T1021.001
      atomic_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
medium
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
status test author Nasreddine Bencherchali (Nextron Systems) id 431a1fdb-4799-4f3b-91c3-a683b003fc49
view Sigma YAML 
title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel"
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains:
            - 'create'
            - 'config'
        CommandLine|contains|all:
            - 'binPath'
            - 'type'
            - 'kernel'
    filter_optional_avira_driver:
        - CommandLine|contains|all:
              - 'create netprotection_network_filter'
              - 'type= kernel start= '
              - 'binPath= System32\drivers\netprotection_network_filter'
              - 'DisplayName= netprotection_network_filter'
              - 'group= PNP_TDI tag= yes'
        - CommandLine|contains|all:
              - 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
              - 'type=kernel start=boot error=critical group=Early-Launch'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Rare legitimate installation of kernel drivers via sc.exe
level: medium
medium
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
status test author frack113 id dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
view Sigma YAML 
title: New Module Module Added To IIS Server
id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
status: test
description: Detects the addition of a new module to an IIS server.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
    - https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration|contains: '/system.webServer/modules/add'
    filter_main_builtin:
        NewValue:
            - 'AnonymousAuthenticationModule'
            - 'CustomErrorModule'
            - 'DefaultDocumentModule'
            - 'DirectoryListingModule'
            - 'FileCacheModule'
            - 'HttpCacheModule'
            - 'HttpLoggingModule'
            - 'ProtocolSupportModule'
            - 'RequestFilteringModule'
            - 'StaticCompressionModule'
            - 'StaticFileModule'
            - 'TokenCacheModule'
            - 'UriCacheModule'
    filter_main_remove:
        NewValue: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator activity
level: medium
medium
New Network Route Added
Detects the addition of a new network route to a route table in AWS.
status test author jamesc-grafana id c803b2ce-c4a2-4836-beae-b112010390b1
view Sigma YAML 
title: New Network Route Added
id: c803b2ce-c4a2-4836-beae-b112010390b1
status: test
description: |
    Detects the addition of a new network route to a route table in AWS.
references:
    - https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
    - attack.defense-impairment
    - attack.t1686.001
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'ec2.amazonaws.com'
        eventName: 'CreateRoute'
    condition: selection
falsepositives:
    - New VPC Creation requiring setup of a new route table
    - New subnets added requiring routing setup
level: medium
medium
New Network Trace Capture Started Via Netsh.EXE
Detects the execution of netsh with the "trace" flag in order to start a network capture
status test author Kutepov Anton, oscd.community id d3c3861d-c504-4c77-ba55-224ba82d0118
view Sigma YAML 
title: New Network Trace Capture Started Via Netsh.EXE
id: d3c3861d-c504-4c77-ba55-224ba82d0118
status: test
description: Detects the execution of netsh with the "trace" flag in order to start a network capture
references:
    - https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/
    - https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
author: Kutepov Anton, oscd.community
date: 2019-10-24
modified: 2023-02-13
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'trace'
            - 'start'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activity
level: medium
medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author @ScoubiMtl id 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
view Sigma YAML 
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
medium
New PDQDeploy Service - Client Side
Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
status test author Nasreddine Bencherchali (Nextron Systems) id b98a10af-1e1e-44a7-bab2-4cc026917648
view Sigma YAML 
title: New PDQDeploy Service - Client Side
id: b98a10af-1e1e-44a7-bab2-4cc026917648
status: test
description: |
    Detects PDQDeploy service installation on the target system.
    When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployRunner-'
        - ServiceName|startswith: 'PDQDeployRunner-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
status test author Nasreddine Bencherchali (Nextron Systems) id ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
view Sigma YAML 
title: New PDQDeploy Service - Server Side
id: ee9ca27c-9bd7-4cee-9b01-6e906be7cae3
status: test
description: |
    Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
    PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
references:
    - https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: 'PDQDeployService.exe'
        - ServiceName:
              - 'PDQDeploy'
              - 'PDQ Deploy'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
medium
New Port Forwarding Rule Added Via Netsh.EXE
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
status test author Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel id 322ed9ec-fcab-4f67-9a34-e7c6aef43614
view Sigma YAML 
title: New Port Forwarding Rule Added Via Netsh.EXE
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
status: test
description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
    - https://adepts.of0x.cc/netsh-portproxy-code/
    - https://www.dfirnotes.net/portproxy_detection/
author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-01-29
modified: 2023-09-01
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'interface'
            - 'portproxy'
            - 'add'
            - 'v4tov4'
    selection_cli_2:
        CommandLine|contains|all:
            # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
            - 'i ' # interface
            - 'p ' # portproxy
            - 'a ' # add
            - 'v ' # v4tov4
    selection_cli_3:
        CommandLine|contains|all:
            - 'connectp'
            - 'listena'
            - 'c='
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
medium
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
status test author Andreas Hunkeler (@Karneades) id a54f842a-3713-4b45-8c84-5f136fdebd3c
view Sigma YAML 
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
    - https://adepts.of0x.cc/netsh-portproxy-code/
    - https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
        TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
    condition: selection
falsepositives:
    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
    - Synergy Software KVM (https://symless.com/synergy)
level: medium
medium
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
status test author Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community id 526be59f-a573-4eea-b5f7-f0973207634d
view Sigma YAML 
title: New Process Created Via Wmic.EXE
id: 526be59f-a573-4eea-b5f7-f0973207634d
related:
    - id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
      type: derived
status: test
description: Detects new process creation using WMIC via the "process call create" flag
references:
    - https://www.sans.org/blog/wmic-for-incident-response/
    - https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
date: 2019-01-16
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1047
    - car.2016-03-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'process'
            - 'call'
            - 'create'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
status test author frack113 id 954f0af7-62dd-418f-b3df-a84bc2c7a774
view Sigma YAML 
title: New Remote Desktop Connection Initiated Via Mstsc.EXE
id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
status: test
description: |
    Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
    Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
author: frack113
date: 2022-01-07
modified: 2024-06-04
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mstsc.exe'
        - OriginalFileName: 'mstsc.exe'
    selection_cli:
        CommandLine|contains|windash: ' /v:'
    filter_optional_wsl:
        # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
        ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
        CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - WSL (Windows Sub System For Linux)
level: medium
medium
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
status test author Harjot Shah Singh, '@cyb3rjy0t' id 4bb80281-3756-4ec8-a88e-523c5a6fda9e
view Sigma YAML 
title: New Root Certificate Authority Added
id: 4bb80281-3756-4ec8-a88e-523c5a6fda9e
status: test
description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
references:
    - https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f
    - https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
author: Harjot Shah Singh, '@cyb3rjy0t'
date: 2024-03-26
tags:
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        OperationName: 'Set Company Information'
        TargetResources.modifiedProperties.newValue|contains: 'TrustedCAsForPasswordlessAuth'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status test author oscd.community, @redcanary, Zach Stanford @svch0st id ff992eac-6449-4c60-8c1d-91c9722a1d48
view Sigma YAML 
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
    selection_img:
        - Image|endswith: '\CertMgr.exe'
        - OriginalFileName: 'CERTMGT.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '/add'
            - 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
medium
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
status test author oscd.community, @redcanary, Zach Stanford @svch0st id d2125259-ddea-4c1c-9c22-977eb5b29cf0
view Sigma YAML 
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
medium
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
status test author frack113 id d223b46b-5621-4037-88fe-fda32eead684
view Sigma YAML 
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
    - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
            - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
            - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
        TargetObject|endswith: '\Blob'
        Details: 'Binary Data'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
status test author Endgame, JHasenbusch (adapted to Sigma for oscd.community) id cd219ff3-fa99-45d4-8380-a7d15116c6dc
view Sigma YAML 
title: New User Created Via Net.EXE
id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
related:
    - id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
      type: similar
status: test
description: Identifies the creation of local users via the net.exe command.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
date: 2018-10-30
modified: 2023-02-21
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
    condition: all of selection_*
falsepositives:
    - Legitimate user creation.
    - Better use event IDs for user creation rather than command line rules.
level: medium
medium
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
status test author Nasreddine Bencherchali (Nextron Systems) id c633622e-cab9-4eaa-bb13-66a1d68b3e47
view Sigma YAML 
title: New Virtual Smart Card Created Via TpmVscMgr.EXE
id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
status: test
description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
references:
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\tpmvscmgr.exe'
        OriginalFileName: 'TpmVscMgr.exe'
    selection_cli:
        CommandLine|contains: 'create'
    condition: all of selection_*
falsepositives:
    - Legitimate usage by an administrator
level: medium
medium
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
status test author Ilyas Ochkov, oscd.community id cfeed607-6aa4-4bbd-9627-b637deb723c8
view Sigma YAML 
title: New or Renamed User Account with '$' Character
id: cfeed607-6aa4-4bbd-9627-b637deb723c8
status: test
description: |
    Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
references:
    - https://twitter.com/SBousseaden/status/1387743867663958021
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2024-01-16
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection_create:
        EventID: 4720 # create user
        SamAccountName|contains: '$'
    selection_rename:
        EventID: 4781 # rename user
        NewTargetUserName|contains: '$'
    filter_main_homegroup:
        EventID: 4720
        TargetUserName: 'HomeGroupUser$'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
status test author Max Altgelt (Nextron Systems) id df1f26d3-bea7-4700-9ea2-ad3e990cf90e
view Sigma YAML 
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
status test author Christopher Peacock @SecurePeacock, SCYTHE @scythe_io id e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
view Sigma YAML 
title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
    - https://gtfobins.github.io/gtfobins/nohup/
    - https://en.wikipedia.org/wiki/Nohup
    - https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
    condition: selection
falsepositives:
    - Administrators or installed processes that leverage nohup
level: medium
medium
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 2074e137-1b73-4e2d-88ba-5a3407dbdce0
view Sigma YAML 
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    filter_optional_uncommon_domains:
        QueryName|endswith:
            - '.azurewebsites.net'
            - 'block.opendns.com'
            - 'gateway.zscalerthree.net'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
    - Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
medium
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
status test author Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam id 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
view Sigma YAML 
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
      type: similar
status: test
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
date: 2022-12-10
modified: 2025-02-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'powershell'
            - 'nslookup'
            - '[1]'
        Data|contains:
            - '-q=txt http'
            - '-querytype=txt http'
            - '-type=txt http'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Nslookup PowerShell Download Cradle - ProcessCreation
Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
status test author Nasreddine Bencherchali (Nextron Systems) id 1b3b01c7-84e9-4072-86e5-fc285a41ff23
view Sigma YAML 
title: Nslookup PowerShell Download Cradle - ProcessCreation
id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
related:
    - id: 72671447-4352-4413-bb91-b85569687135
      type: obsolete
    - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
      type: similar
status: test
description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-05
modified: 2022-12-19
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\nslookup.exe'
        - OriginalFileName: '\nslookup.exe'
    selection_cmd:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -q=txt '
            - ' -querytype=txt '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Ntdsutil Abuse
Detects potential abuse of ntdsutil to dump ntds.dit database
status test author Nasreddine Bencherchali (Nextron Systems) id e6e88853-5f20-4c4a-8d26-cd469fd8d31f
view Sigma YAML 
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: test
description: Detects potential abuse of ntdsutil to dump ntds.dit database
references:
    - https://twitter.com/mgreen27/status/1558223256704122882
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        Provider_Name: 'ESENT'
        EventID:
            - 216
            - 325
            - 326
            - 327
        Data|contains: 'ntds.dit'
    condition: selection
falsepositives:
    - Legitimate backup operation/creating shadow copies
level: medium
medium
Number Of Resource Creation Or Deployment Activities
Number of VM creations or deployment activities occur in Azure via the azureactivity log.
status test author sawwinnnaung id d2d901db-7a75-45a1-bc39-0cbf00812192
view Sigma YAML 
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: test
description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    product: azure
    service: activitylogs
detection:
    keywords:
        - Microsoft.Compute/virtualMachines/write
        - Microsoft.Resources/deployments/write
    condition: keywords
falsepositives:
    - Valid change
level: medium
medium
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
status test author Florian Roth (Nextron Systems), X__Junior (Nextron Systems) id cb5a2333-56cf-4562-8fcb-22ba1bca728d
view Sigma YAML 
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
    - https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_command:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
            - 'Invoke-RestMethod'
            - 'irm '
            - 'wget '
            - 'curl '
            - 'DownloadFile'
            - 'DownloadString'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
    condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id 56d19cb4-6414-4769-9644-1ed35ffbb148
view Sigma YAML 
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
    - https://h.43z.one/ipconverter/
    - https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\ping.exe'
            - '\arp.exe'
    selection_ip_1:
        CommandLine|contains:
            - ' 0x'
            - '//0x'
            - '.0x'
            - '.00x'
    selection_ip_2:
        CommandLine|contains|all:
            - 'http://%'
            - '%2e'
    selection_ip_3:
        # http://81.4.31754
        - CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
        # http://81.293898
        - CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
        # http://1359248394
        - CommandLine|re: 'https?://0[0-9]{3,11}'
        # http://0121.04.0174.012
        - CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
        # http://012101076012
        - CommandLine|re: 'https?://0[0-9]{1,11}'
        # For octal format
        - CommandLine|re: ' [0-7]{7,13}'
    filter_main_valid_ip:
        CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
    condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
status test author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 3b5ba899-9842-4bc2-acc2-12308498bf42
view Sigma YAML 
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-12
modified: 2025-10-17
tags:
    - attack.command-and-control
    - attack.stealth
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
    filter_main_common_ports:
        DestinationPort:
            - 53 # DNS
            - 80 # HTTP
            - 139 # NETBIOS
            - 389 # LDAP
            - 443 # HTTPS
            - 445 # SMB
            - 3268 # MSFT-GC
    filter_main_outlook_ports:
        Image|contains: ':\Program Files\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
        DestinationPort:
            - 143
            - 465 # SMTP
            - 587 # SMTP
            - 993 # IMAP
            - 995 # POP3
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Other ports can be used, apply additional filters accordingly
level: medium
medium
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
status test author Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
view Sigma YAML 
title: Office Application Initiated Network Connection To Non-Local IP
id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84
status: test
description: |
    Detects an office application (Word, Excel, PowerPoint)  that initiate a network connection to a non-private IP addresses.
    This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
    This rule will require an initial baseline and tuning that is specific to your organization.
references:
    - https://corelight.com/blog/detecting-cve-2021-42292
    - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-10
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wordview.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_main_msrange_generic:
        DestinationIp|cidr:
            - '2.16.56.0/23' # Akamai International B.V.
            - '2.17.248.0/21' # Akamai International B.V.
            - '13.107.240.0/21' # Microsoft Corporation
            - '20.184.0.0/13' # Microsoft Corporation
            - '23.61.224.0/20' # Akamai-AS
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.72.0.0/13' # Akamai International B.V.
            - '23.3.88.0/22' # Akamai-AS
            - '23.216.132.0/22' # Akamai-AS
            - '40.76.0.0/14' # Microsoft Corporation
            - '51.10.0.0/15' # Microsoft Corporation
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '51.142.136.0/22' # Microsoft Corporation - https://ipinfo.io/AS8075/51.140.0.0/14-51.142.136.0/22
            - '52.160.0.0/11' # Microsoft Corporation - https://ipinfo.io/AS8075/52.160.0.0/11
            - '95.101.96.0/21' # Akamai-As
            - '204.79.197.0/24' # Microsoft Corporation
    filter_main_msrange_exchange_1:
        # Exchange Online
        # "urls": [
        #       "outlook.cloud.microsoft",
        #       "outlook.office.com",
        #       "outlook.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.4.0/22'
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.42.0/23'
            - '13.107.128.0/22'
            - '23.35.224.0/20'
            - '23.53.40.0/22'
            - '23.103.160.0/20'
            - '23.216.76.0/22'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        DestinationPort:
            - 80
            - 443
    filter_main_msrange_exchange_2:
        # Exchange Online
        # "urls": [
        #       "outlook.office365.com",
        #       "smtp.office365.com"
        # ]
        DestinationIp|cidr:
            - '13.107.6.152/31'
            - '13.107.18.10/31'
            - '13.107.128.0/22'
            - '23.103.160.0/20'
            - '40.96.0.0/13'
            - '40.104.0.0/15'
            - '52.96.0.0/14'
            - '131.253.33.215/32'
            - '132.245.0.0/16'
            - '150.171.32.0/22'
            - '204.79.197.215/32'
            - '2603:1006::/40'
            - '2603:1016::/36'
            - '2603:1026::/36'
            - '2603:1036::/36'
            - '2603:1046::/36'
            - '2603:1056::/36'
            - '2620:1ec:4::152/128'
            - '2620:1ec:4::153/128'
            - '2620:1ec:c::10/128'
            - '2620:1ec:c::11/128'
            - '2620:1ec:d::10/128'
            - '2620:1ec:d::11/128'
            - '2620:1ec:8f0::/46'
            - '2620:1ec:900::/46'
            - '2620:1ec:a92::152/128'
            - '2620:1ec:a92::153/128'
        DestinationPort:
            - 143
            - 587
            - 993
            - 995
        Protocol: 'tcp'
    filter_main_msrange_exchange_3:
        # Exchange Online
        # "urls": [
        #       "*.protection.outlook.com"
        #  ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 443
    filter_main_msrange_exchange_4:
        # Exchange Online
        # "urls": [
        #       "*.mail.protection.outlook.com",
        #       "*.mx.microsoft"
        #  ]
        DestinationIp|cidr:
            - '40.92.0.0/15'
            - '40.107.0.0/16'
            - '52.100.0.0/14'
            - '52.238.78.88/32'
            - '104.47.0.0/17'
            - '2a01:111:f400::/48'
            - '2a01:111:f403::/48'
        DestinationPort: 25
    filter_main_msrange_sharepoint_1:
        # SharePoint Online and OneDrive for Business",
        # "urls": [
        #       "*.sharepoint.com"
        # ]
        DestinationIp|cidr:
            - '13.107.136.0/22'
            - '40.108.128.0/17'
            - '52.104.0.0/14'
            - '104.146.128.0/17'
            - '150.171.40.0/22'
            - '2603:1061:1300::/40'
            - '2620:1ec:8f8::/46'
            - '2620:1ec:908::/46'
            - '2a01:111:f402::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_1:
        # Microsoft 365 Common and Office Online",
        # "urls": [
        #       "*.officeapps.live.com",
        #       "*.online.office.com",
        #       "office.live.com",
        #       "office.com.akadns.net"
        # ],
        DestinationIp|cidr:
            - '13.107.6.171/32'
            - '13.107.18.15/32'
            - '13.107.140.6/32'
            - '20.64.0.0/10'
            - '52.108.0.0/14'
            - '52.244.37.168/32'
            - '2603:1006:1400::/40'
            - '2603:1016:2400::/40'
            - '2603:1026:2400::/40'
            - '2603:1036:2400::/40'
            - '2603:1046:1400::/40'
            - '2603:1056:1400::/40'
            - '2603:1063:2000::/38'
            - '2620:1ec:c::15/128'
            - '2620:1ec:8fc::6/128'
            - '2620:1ec:a92::171/128'
            - '2a01:111:f100:2000::a83e:3019/128'
            - '2a01:111:f100:2002::8975:2d79/128'
            - '2a01:111:f100:2002::8975:2da8/128'
            - '2a01:111:f100:7000::6fdd:6cd5/128'
            - '2a01:111:f100:a004::bfeb:88cf/128'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_2:
        # Microsoft 365 Common and Office Online
        # "urls": [
        #       "*.auth.microsoft.com",
        #       "*.msftidentity.com",
        #       "*.msidentity.com",
        #       "account.activedirectory.windowsazure.com",
        #       "accounts.accesscontrol.windows.net",
        #       "adminwebservice.microsoftonline.com",
        #       "api.passwordreset.microsoftonline.com",
        #       "autologon.microsoftazuread-sso.com",
        #       "becws.microsoftonline.com",
        #       "ccs.login.microsoftonline.com",
        #       "clientconfig.microsoftonline-p.net",
        #       "cloudapp.azure.com",
        #       "companymanager.microsoftonline.com",
        #       "device.login.microsoftonline.com",
        #       "graph.microsoft.com",
        #       "graph.windows.net",
        #       "login-us.microsoftonline.com",
        #       "login.microsoft.com",
        #       "login.microsoftonline-p.com",
        #       "login.microsoftonline.com",
        #       "login.windows.net",
        #       "logincert.microsoftonline.com",
        #       "loginex.microsoftonline.com",
        #       "nexus.microsoftonline-p.com",
        #       "passwordreset.microsoftonline.com",
        #       "provisioningapi.microsoftonline.com",
        #       "web.core.windows.net",
        # ]
        DestinationIp|cidr:
            - '172.128.0.0/10'
            - '20.20.32.0/19'
            - '20.103.156.88/32' # msn.com
            - '20.190.128.0/18'
            - '20.231.128.0/19'
            - '40.126.0.0/18'
            - '57.150.0.0/15'
            - '2603:1006:2000::/48'
            - '2603:1007:200::/48'
            - '2603:1016:1400::/48'
            - '2603:1017::/48'
            - '2603:1026:3000::/48'
            - '2603:1027:1::/48'
            - '2603:1036:3000::/48'
            - '2603:1037:1::/48'
            - '2603:1046:2000::/48'
            - '2603:1047:1::/48'
            - '2603:1056:2000::/48'
            - '2603:1057:2::/48'
        DestinationPort:
            - 80
            - 443
        Protocol: 'tcp'
    filter_main_msrange_office_3:
        # Microsoft 365 Common and Office Online
        #  "urls": [
        #       "*.compliance.microsoft.com",
        #       "*.data.microsoft.com",
        #       "*.protection.office.com",
        #       "*.security.microsoft.com",
        #       "compliance.microsoft.com",
        #       "defender.microsoft.com",
        #       "protection.office.com",
        #       "security.microsoft.com",
        #       "teams.microsoft.com",
        #  ]
        DestinationIp|cidr:
            - '13.64.0.0/11'
            - '13.107.6.192/32'
            - '13.107.9.192/32'
            - '13.89.179.14/32'
            - '20.40.0.0/14'
            - '20.48.0.0/12'
            - '20.64.0.0/12'
            - '52.123.0.0/16'
            - '52.108.0.0/14'
            - '52.136.0.0/13'
            - '57.150.0.0/15'
            - '80.239.150.67/32' # Arelion Sweden AB
            - '2620:1ec:4::192/128'
            - '2620:1ec:a92::192/128'
        DestinationPort: 443
        Protocol: 'tcp'
    filter_main_destination_host:
        DestinationHostname|endswith: '.deploy.static.akamaitechnologies.com'
        DestinationPort: 443
        Protocol: 'tcp'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.
    - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned.
    - It is highly recommended to baseline your activity and tune out common business use cases.
level: medium
medium
Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
status test author omkar72 id 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
view Sigma YAML 
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
    - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
    - attack.persistence
    - attack.t1137.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id baecf8fb-edbf-429f-9ade-31fc3f22b970
view Sigma YAML 
title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe '
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software or add-in installations and administrative configurations
    - Automatic registry modifications during legitimate software installations
level: medium
medium
Okta API Token Created
Detects when a API token is created
status test author Austin Songer @austinsonger id 19951c21-229d-4ccb-8774-b993c3ff3c5c
view Sigma YAML 
title: Okta API Token Created
id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
status: test
description: Detects when a API token is created
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.persistence
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: system.api_token.create
    condition: selection
falsepositives:
    - Legitimate creation of an API token by authorized users
level: medium
medium
Okta API Token Revoked
Detects when a API Token is revoked.
status test author Austin Songer @austinsonger id cf1dbc6b-6205-41b4-9b88-a83980d2255b
view Sigma YAML 
title: Okta API Token Revoked
id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
status: test
description: Detects when a API Token is revoked.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: system.api_token.revoke
    condition: selection
falsepositives:
    - Unknown

level: medium
medium
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
status test author Muhammad Faisal @faisalusuf id 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
view Sigma YAML 
title: Okta Admin Functions Access Through Proxy
id: 9058ca8b-f397-4fd1-a9fa-2b7aad4d6309
status: test
description: Detects access to Okta admin functions through proxy.
references:
    - https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
    - https://dataconomy.com/2023/10/23/okta-data-breach/
    - https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
author: Muhammad Faisal @faisalusuf
date: 2023-10-25
tags:
    - attack.credential-access
logsource:
    service: okta
    product: okta
detection:
    selection:
        debugContext.debugData.requestUri|contains: 'admin'
        securityContext.isProxy: 'true'
    condition: selection
falsepositives:
    - False positives are expected if administrators access these function through proxy legitimatly. Apply additional filters if necessary
level: medium
medium
Okta Admin Role Assigned to an User or Group
Detects when an the Administrator role is assigned to an user or group.
status test author Austin Songer @austinsonger id 413d4a81-6c98-4479-9863-014785fd579c
view Sigma YAML 
title: Okta Admin Role Assigned to an User or Group
id: 413d4a81-6c98-4479-9863-014785fd579c
status: test
description: Detects when an the Administrator role is assigned to an user or group.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.003
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - group.privilege.grant
            - user.account.privilege.grant
    condition: selection
falsepositives:
    - Administrator roles could be assigned to users or group by other admin users.

level: medium
medium
Okta Admin Role Assignment Created
Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
status test author Nikita Khalimonenkov id 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
view Sigma YAML 
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: test
description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Nikita Khalimonenkov
date: 2023-01-19
modified: 2026-04-27
tags:
    - attack.persistence
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'iam.resourceset.bindings.add'
    condition: selection
falsepositives:
    - Legitimate creation of a new admin role assignment
level: medium
medium
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
status test author Austin Songer @austinsonger id 7899144b-e416-4c28-b0b5-ab8f9e0a541d
view Sigma YAML 
title: Okta Application Modified or Deleted
id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
status: test
description: Detects when an application is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - application.lifecycle.update
            - application.lifecycle.delete
    condition: selection
falsepositives:
    - Unknown

level: medium
medium
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
status test author Austin Songer @austinsonger id 8f668cc4-c18e-45fe-ad00-624a981cf88a
view Sigma YAML 
title: Okta Application Sign-On Policy Modified or Deleted
id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
status: test
description: Detects when an application Sign-on Policy is modified or deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - application.policy.sign_on.update
            - application.policy.sign_on.rule.delete
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Okta Identity Provider Created
Detects when a new identity provider is created for Okta.
status test author kelnage id 969c7590-8c19-4797-8c1b-23155de6e7ac
view Sigma YAML 
title: Okta Identity Provider Created
id: 969c7590-8c19-4797-8c1b-23155de6e7ac
status: test
description: Detects when a new identity provider is created for Okta.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
author: kelnage
date: 2023-09-07
modified: 2026-04-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098.001
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType: 'system.idp.lifecycle.create'
    condition: selection
falsepositives:
    - When an admin creates a new, authorised identity provider.
level: medium
medium
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
status test author Austin Songer @austinsonger id 50e068d7-1e6b-4054-87e5-0a592c40c7e0
view Sigma YAML 
title: Okta MFA Reset or Deactivated
id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
status: test
description: Detects when an attempt at deactivating  or resetting MFA.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-21
modified: 2026-04-27
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.006
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - user.mfa.factor.deactivate
            - user.mfa.factor.reset_all
    condition: selection
falsepositives:
    - If a MFA reset or deactivated was performed by a system administrator.
level: medium
medium
Okta Network Zone Deactivated or Deleted
Detects when an Network Zone is Deactivated or Deleted.
status test author Austin Songer @austinsonger id 9f308120-69ed-4506-abde-ac6da81f4310
view Sigma YAML 
title: Okta Network Zone Deactivated or Deleted
id: 9f308120-69ed-4506-abde-ac6da81f4310
status: test
description: Detects when an Network Zone is Deactivated or Deleted.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2021-09-12
modified: 2026-04-27
tags:
    - attack.impact
logsource:
    product: okta
    service: okta
detection:
    selection:
        eventType:
            - zone.deactivate
            - zone.delete
    condition: selection
falsepositives:
    - Unknown

level: medium
Showing 551-600 of 1,345
Prev 12 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin