Home/Sigma rules
Sigma

Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,345
medium
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
status test author Nasreddine Bencherchali (Nextron Systems) id c15a46a0-07d4-4c87-b4b6-89207835a83b
view Sigma YAML 
title: Add Potential Suspicious New Download Source To Winget
id: c15a46a0-07d4-4c87-b4b6-89207835a83b
related:
    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
      type: similar
    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
      type: similar
status: test
description: Detects usage of winget to add new potentially suspicious download sources
references:
    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-12-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'source '
            - 'add '
    selection_source_direct_ip:
        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
status test author Nasreddine Bencherchali (Nextron Systems) id b36d01a3-ddaf-4804-be18-18a6247adfcd
view Sigma YAML 
title: Add Windows Capability Via PowerShell Cmdlet
id: b36d01a3-ddaf-4804-be18-18a6247adfcd
related:
    - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
      type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
    - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains: 'Add-WindowsCapability'
    selection_capa:
        CommandLine|contains: 'OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
medium
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
status test author Nasreddine Bencherchali (Nextron Systems) id 155c7fd5-47b4-49b2-bbeb-eb4fab335429
view Sigma YAML 
title: Add Windows Capability Via PowerShell Script
id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
related:
    - id: b36d01a3-ddaf-4804-be18-18a6247adfcd
      type: similar
status: test
description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
    - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-05-09
tags:
    - attack.execution
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Add-WindowsCapability '
    selection_capa:
        ScriptBlockText|contains: '-Name OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
level: medium
medium
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 74298991-9fc4-460e-a92e-511aa60baec1
view Sigma YAML 
title: Added Owner To Application
id: 74298991-9fc4-460e-a92e-511aa60baec1
status: test
description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.t1552
    - attack.credential-access
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add owner to application
    condition: selection
falsepositives:
    - When a new application owner is added by an administrator
level: medium
medium
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
status test author Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) id 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
view Sigma YAML 
title: AddinUtil.EXE Execution From Uncommon Directory
id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
status: test
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2025-02-24
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\addinutil.exe'
        - OriginalFileName: 'AddInUtil.exe'
    filter_main_legit_location:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
            - ':\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
status stable author Thomas Patzke, @atc_project (improvements) id 2632954e-db1c-49cb-9936-67d1ef1d17d2
view Sigma YAML 
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
    - https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.005
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4765
            - 4766
    selection2:
        EventID: 4738
    selection3:
        SidHistory:
            - '-'
            - '%%1793'
    filter_null:
        SidHistory:
    condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
    - Migration of an account into a new domain
level: medium
medium
Advanced IP Scanner - File Event
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
status test author @ROxPinTeddy id fed85bf9-e075-4280-9159-fbe8a023d6fa
view Sigma YAML 
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
      type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
    condition: selection
falsepositives:
    - Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
medium
AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
status test author Nasreddine Bencherchali (Nextron Systems), memory-shards id 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
view Sigma YAML 
title: AgentExecutor PowerShell Execution
id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
related:
    - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab
      type: similar
status: test
description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
author: Nasreddine Bencherchali (Nextron Systems), memory-shards
references:
    - https://twitter.com/lefterispan/status/1286259016436514816
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
    - https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
    - https://twitter.com/jseerden/status/1247985304667066373/photo/1
date: 2022-12-24
modified: 2024-08-07
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image: '\AgentExecutor.exe'
        - OriginalFileName: 'AgentExecutor.exe'
    selection_cli:
        # Example:
        #   AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64]
        # Note:
        #   - If [timeoutSeconds] is NULL then it defaults to 60000
        #   - If [enforceSignatureCheck] is:
        #       - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file "
        #       - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file "
        #   - [powershellPath] is always concatendated to "powershell.exe"
        CommandLine|contains:
            - ' -powershell' # Also covers the "-powershellDetection" flag
            - ' -remediationScript'
    filter_main_intune:
        ParentImage|endswith: '\Microsoft.Management.Services.IntuneWindowsAgent.exe'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate
level: medium
medium
Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
status test author frack113 id 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
view Sigma YAML 
title: Allow RDP Remote Assistance Feature
id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
status: test
description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the feature (alerts should be investigated either way)
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml
simulation:
    - type: atomic-red-team
      name: Allow RDP Remote Assistance Feature
      technique: T1112
      atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e
medium
Alternate PowerShell Hosts - PowerShell Module
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status test author Roberto Rodriguez @Cyb3rWard0g id 64e8e417-c19a-475a-8d19-98ea705394cc
view Sigma YAML 
title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: '*'
    filter_powershell:
        # This filter covers the following use cases
        #   - When powershell is called directly from commandline via keyword powershell or powershell.exe
        #   - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
        ContextInfo|contains:
            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
            - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            # In some cases \??\C:.. is used
            - '= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
    filter_sdiagnhost:
        ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example
    filter_citrix:
        ContextInfo|contains: 'ConfigSyncRun.exe'
    filter_adace:  # Active Directory Administrative Center Enhancements
        ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
    filter_winrm:
        ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
    filter_help_update:
        Payload|contains:
            - 'Update-Help'
            - 'Failed to update Help for the module'
    condition: selection and not 1 of filter_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
medium
Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
status test author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton id 58cb02d5-78ce-4692-b3e1-dce850aae41a
view Sigma YAML 
title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
related:
    - id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
      type: derived
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
    - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-09-12
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|startswith: '\PSHost'
    filter_main_generic:
        - Image|contains:
              - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
              - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
              - ':\Windows\system32\dsac.exe'
              - ':\Windows\system32\inetsrv\w3wp.exe'   # this is sad :,( but it triggers FPs on Exchange servers
              - ':\Windows\System32\sdiagnhost.exe'
              - ':\Windows\system32\ServerManager.exe'
              - ':\Windows\system32\wbem\wmiprvse.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              - ':\Windows\System32\wsmprovhost.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
              - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        - Image|contains|all:
              - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
        - Image|contains|all:
              - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
              - '\pwsh.exe'
    filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        Image|contains: '\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_azure_connected_machine_agent:
        # Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
        Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
        Image|endswith: '\GC\gc_worker.exe'
    filter_optional_citrix:
        Image|startswith: 'C:\Program Files\Citrix\'
    filter_optional_exchange:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium
medium
Always Install Elevated MSI Spawned Cmd And Powershell
Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
status test author Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community id 1e53dd56-8d83-4eb4-a43e-b790a05510aa
view Sigma YAML 
title: Always Install Elevated MSI Spawned Cmd And Powershell
id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
status: test
description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2022-10-20
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_parent:
        ParentImage|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        ParentImage|endswith: 'tmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Always Install Elevated Windows Installer
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
status test author Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community id cd951fdc-4b2f-47f5-ba99-a33bf61e3770
view Sigma YAML 
title: Always Install Elevated Windows Installer
id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
status: test
description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020-10-13
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_image_1:
        Image|contains|all:
            - '\Windows\Installer\'
            - 'msi'
        Image|endswith: 'tmp'
    selection_image_2:
        Image|endswith: '\msiexec.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_installer:
        ParentImage: 'C:\Windows\System32\services.exe'
    filter_repair:
        - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
        - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
    filter_sophos:
        ParentImage|startswith: 'C:\ProgramData\Sophos\'
    filter_avira:
        ParentImage|startswith: 'C:\ProgramData\Avira\'
    filter_avast:
        ParentImage|startswith:
            - 'C:\Program Files\Avast Software\'
            - 'C:\Program Files (x86)\Avast Software\'
    filter_google_update:
        ParentImage|startswith:
            - 'C:\Program Files\Google\Update\'
            - 'C:\Program Files (x86)\Google\Update\'
    condition: 1 of selection_image_* and selection_user and not 1 of filter_*
falsepositives:
    - System administrator usage
    - Anti virus products
    - WindowsApps located in "C:\Program Files\WindowsApps\"
level: medium
medium
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
status test author Nasreddine Bencherchali (Nextron Systems) id 6ec86d9e-912e-4726-91a2-209359b999b9
view Sigma YAML 
title: Amsi.DLL Loaded Via LOLBIN Process
id: 6ec86d9e-912e-4726-91a2-209359b999b9
status: test
description: Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
references:
    - Internal Research
    - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2025-10-07
tags:
    - attack.defense-impairment
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\amsi.dll'
        Image|endswith:
            # TODO: Add more interesting processes
            - '\ExtExport.exe'
            - '\odbcconf.exe'
            # - '\regsvr32.exe' # legitimately calls amsi.dll
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
status test author Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) id 530a6faa-ff3d-4022-b315-50828e77eef5
view Sigma YAML 
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-11
modified: 2025-02-24
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection_provider:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName|contains|all:
              - 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
              - 'Service'
        - ImagePath|contains: 'AnyDesk'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the anydesk tool
level: medium
medium
Anydesk Temporary Artefact
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status test author frack113 id 0b9ad457-2554-44c1-82c2-d56a99c42377
view Sigma YAML 
title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\AnyDesk\user.conf'
            - '\AppData\Roaming\AnyDesk\system.conf'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
medium
Apache Threading Error
Detects an issue in apache logs that reports threading related errors
status test author Florian Roth (Nextron Systems) id e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
view Sigma YAML 
title: Apache Threading Error
id: e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c
status: test
description: Detects an issue in apache logs that reports threading related errors
references:
    - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
author: Florian Roth (Nextron Systems)
date: 2019-01-22
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.t1190
    - attack.t1210
logsource:
    service: apache
    definition: 'Requirements: Must be able to collect the error.log file'
detection:
    keywords:
        - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
    condition: keywords
falsepositives:
    - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
medium
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
status test author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' id b04934b2-0a68-4845-8a19-bdfed3a68a7a
view Sigma YAML 
title: App Assigned To Azure RBAC/Microsoft Entra Role
id: b04934b2-0a68-4845-8a19-bdfed3a68a7a
status: test
description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-19
modified: 2024-11-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1098.003
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        targetResources.type: 'Service Principal'
        properties.message:
            - Add member to role
            - Add eligible member to role
            - Add scoped member to role
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: medium
medium
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
status test author Pushkarev Dmitry id 401e5d00-b944-11ea-8f9a-00163ecd60ae
view Sigma YAML 
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
    Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.006
    - attack.t1059.007
logsource:
    product: windows
    service: applocker
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
medium
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
status test author Nasreddine Bencherchali (Nextron Systems) id c977cb50-3dff-4a9f-b873-9290f56132f1
view Sigma YAML 
title: AppX Located in Uncommon Directory Added to Deployment Pipeline
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: |
    Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - ':/Windows/System32/'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\ImmersiveControlPanel\'
            - ':\Windows\PrintDialog\'
            - ':\Windows\SystemApps\'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'x-windowsupdate://'
    filter_main_specific:
        Path|contains:
            - 'https://installer.teams.static.microsoft/'
            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    filter_optional_winget:
        Path|contains:
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
    filter_optional_x_windowsupdate:
        Path|contains: 'x-windowsupdate://'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
status test author Nasreddine Bencherchali (Nextron Systems) id 898d5fc9-fbc3-43de-93ad-38e97237c344
view Sigma YAML 
title: AppX Package Deployment Failed Due to Signing Requirements
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: test
description: |
    Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 401
        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
    condition: selection
falsepositives:
    - Legitimate AppX packages not signed by MS used part of an enterprise.
level: medium
medium
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
status test author frack113 id 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
view Sigma YAML 
title: AppX Package Installation Attempts Via AppInstaller.EXE
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
related:
    - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
      type: derived
status: test
description: |
    Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
references:
    - https://twitter.com/notwhickey/status/1333900137232523264
    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021-11-24
modified: 2023-11-09
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
        Image|endswith: '\AppInstaller.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
status test author frack113 id b53317a0-8acf-4fd1-8de8-a5401e776b96
view Sigma YAML 
title: Application Removed Via Wmic.EXE
id: b53317a0-8acf-4fd1-8de8-a5401e776b96
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: Detects the removal or uninstallation of an application via "Wmic.EXE".
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
author: frack113
date: 2022-01-28
modified: 2024-07-02
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'uninstall'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
status test author Nasreddine Bencherchali (Nextron Systems) id 49d9671b-0a0a-4c09-8280-d215bfd30662
view Sigma YAML 
title: Application Terminated Via Wmic.EXE
id: 49d9671b-0a0a-4c09-8280-d215bfd30662
related:
    - id: 847d5ff3-8a31-4737-a970-aeae8fe21765 # Uninstall Security Products
      type: derived
status: test
description: Detects calls to the "terminate" function via wmic in order to kill an application
references:
    - https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
    - https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'call'
            - 'terminate'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 248649b7-d64f-46f0-9fb2-a52774166fb5
view Sigma YAML 
title: Application Using Device Code Authentication Flow
id: 248649b7-d64f-46f0-9fb2-a52774166fb5
status: test
description: |
    Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.
    If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.
    This can be a misconfigured application or potentially something malicious.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        properties.message: Device Code
    condition: selection
falsepositives:
    - Applications that are input constrained will need to use device code flow and are valid authentications.
level: medium
medium
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 55695bc0-c8cf-461f-a379-2535f563c854
view Sigma YAML 
title: Applications That Are Using ROPC Authentication Flow
id: 55695bc0-c8cf-461f-a379-2535f563c854
status: test
description: |
    Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
    The application then uses those credentials to authenticate the user against the identity provider.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-01
tags:
    - attack.stealth
    - attack.t1078
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        properties.message: ROPC
    condition: selection
falsepositives:
    - Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow
level: medium
medium
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
status test author Nasreddine Bencherchali (Nextron Systems) id d65aee4d-2292-4cea-b832-83accd6cfa43
view Sigma YAML 
title: Arbitrary Binary Execution Using GUP Utility
id: d65aee4d-2292-4cea-b832-83accd6cfa43
status: test
description: Detects execution of the Notepad++ updater (gup) to launch other commands or executables
references:
    - https://twitter.com/nas_bench/status/1535322445439180803
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\gup.exe'
        Image|endswith: '\explorer.exe'
    filter:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '\Notepad++\notepad++.exe'
    filter_parent:
        ParentImage|contains: '\Notepad++\updater\'
    filter_null:
        CommandLine: null
    condition: selection and not 1 of filter*
falsepositives:
    - Other parent binaries using GUP not currently identified
level: medium
medium
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
status test author Beyu Denis, oscd.community id d80d5c81-04ba-45b4-84e4-92eba40e0ad3
view Sigma YAML 
title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
status: test
description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
    - https://twitter.com/_felamos/status/1204705548668555264
    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dotnet.exe'
        - OriginalFileName: '.NET Host'
    selection_cli:
        CommandLine|endswith:
            - '.csproj'
            - '.csproj"'
            - '.dll'
            - '.dll"'
            - ".csproj'"
            - ".dll'"
    filter_optional_notepadplus_plus:
        ParentImage:
            - 'C:\Program Files (x86)\Notepad++\notepad++.exe'
            - 'C:\Program Files\Notepad++\notepad++.exe'
        CommandLine|contains|all:
            - 'C:\ProgramData\CSScriptNpp\'
            - '-cscs_path:'
            - '\cs-script\cscs.dll'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrator usage
level: medium
medium
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
status test author frack113 id 1f0f6176-6482-4027-b151-00071af39d7e
view Sigma YAML 
title: Arbitrary File Download Via ConfigSecurityPolicy.EXE
id: 1f0f6176-6482-4027-b151-00071af39d7e
status: test
description: |
    Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender.
    Users can configure different pilot collections for each of the co-management workloads.
    It can be abused by attackers in order to upload or download files.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
author: frack113
date: 2021-11-26
modified: 2022-05-16
tags:
    - attack.exfiltration
    - attack.t1567
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - CommandLine|contains: ConfigSecurityPolicy.exe
        - Image|endswith: '\ConfigSecurityPolicy.exe'
        - OriginalFileName: 'ConfigSecurityPolicy.exe'
    selection_url:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
status test author Victor Sergeev, oscd.community id eee00933-a761-4cd0-be70-c42fe91731e7
view Sigma YAML 
title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
references:
    - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-10-18
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\GfxDownloadWrapper.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
    filter_main_known_urls:
        CommandLine|contains: 'https://gameplayapi.intel.com/'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via MSEDGE_PROXY.EXE
Detects usage of "msedge_proxy.exe" to download arbitrary files
status test author Swachchhanda Shrawan Poudel id e84d89c4-f544-41ca-a6af-4b92fd38b023
view Sigma YAML 
title: Arbitrary File Download Via MSEDGE_PROXY.EXE
id: e84d89c4-f544-41ca-a6af-4b92fd38b023
status: test
description: Detects usage of "msedge_proxy.exe" to download arbitrary files
references:
    - https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msedge_proxy.exe'
        - OriginalFileName: 'msedge_proxy.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via MSOHTMED.EXE
Detects usage of "MSOHTMED" to download arbitrary files
status test author Nasreddine Bencherchali (Nextron Systems) id 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
view Sigma YAML 
title: Arbitrary File Download Via MSOHTMED.EXE
id: 459f2f98-397b-4a4a-9f47-6a5ec2f1c69d
status: test
description: Detects usage of "MSOHTMED" to download arbitrary files
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MSOHTMED.exe'
        - OriginalFileName: 'MsoHtmEd.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
status test author Nasreddine Bencherchali (Nextron Systems) id 3b3c7f55-f771-4dd6-8a6e-08d057a17caf
view Sigma YAML 
title: Arbitrary File Download Via MSPUB.EXE
id: 3b3c7f55-f771-4dd6-8a6e-08d057a17caf
status: test
description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-02-08
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\MSPUB.exe'
        - OriginalFileName: 'MSPUB.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
status test author Nasreddine Bencherchali (Nextron Systems) id b124ddf4-778d-418e-907f-6dd3fc0d31cd
view Sigma YAML 
title: Arbitrary File Download Via PresentationHost.EXE
id: b124ddf4-778d-418e-907f-6dd3fc0d31cd
status: test
description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\presentationhost.exe'
        - OriginalFileName: 'PresentationHost.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'ftp://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
status test author Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community id 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
view Sigma YAML 
title: Arbitrary File Download Via Squirrel.EXE
id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
related:
    - id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_download_cli:
        CommandLine|contains:
            - ' --download '
            - ' --update '
            - ' --updateRollback='
    selection_download_http_keyword:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
medium
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
status test author Florian Roth (Nextron Systems) id 90d50722-0483-4065-8e35-57efaadd354d
view Sigma YAML 
title: Arbitrary MSI Download Via Devinit.EXE
id: 90d50722-0483-4065-8e35-57efaadd354d
status: test
description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
references:
    - https://twitter.com/mrd0x/status/1460815932402679809
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' -t msi-install '
            - ' -i http'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
status test author Sreeman id 24de4f3b-804c-4165-b442-5a06a2302c7e
view Sigma YAML 
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
status: test
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
author: Sreeman
date: 2020-03-13
modified: 2022-04-14
tags:
    - attack.t1204
    - attack.t1566.001
    - attack.execution
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.SettingContent-ms'
    filter:
        CommandLine|contains: 'immersivecontrolpanel'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
status test author frack113 id a01b8329-5953-4f73-ae2d-aa01e1f35f00
view Sigma YAML 
title: AspNetCompiler Execution
id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: frack113
date: 2021-11-24
modified: 2025-02-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\aspnet_compiler.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
status test author Nasreddine Bencherchali (Nextron Systems) id 4c7f49ee-2638-43bb-b85b-ce676c30b260
view Sigma YAML 
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: |
    Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\aspnet_compiler.exe'
        TargetFilename|contains|all:
            - '\Temporary ASP.NET Files\'
            - '\assembly\tmp\'
            - '.dll'
    condition: selection
falsepositives:
    - Legitimate assembly compilation using a build provider
level: medium
medium
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id c57872c7-614f-4d7f-a40d-b78c8df2d30d
view Sigma YAML 
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: test
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
references:
    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
        CommandLine|contains:
            - 'LoadAssemblyFromPath '
            - 'LoadAssemblyFromNS '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
status test author Mateusz Wydra, oscd.community id 9577edbb-851f-4243-8c91-1d5b50c1a39b
view Sigma YAML 
title: Atbroker Registry Change
id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
status: test
description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
references:
    - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
    - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
author: Mateusz Wydra, oscd.community
date: 2020-10-13
modified: 2023-01-19
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.persistence
    - attack.t1547
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
            - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
    filter_atbroker:
        Image: 'C:\Windows\system32\atbroker.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
        Details: '(Empty)'
    filter_uninstallers:
        Image|startswith: 'C:\Windows\Installer\MSI'
        TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
    condition: selection and not 1 of filter_*
falsepositives:
    - Creation of non-default, legitimate at usage
level: medium
medium
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
status test author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) id 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
view Sigma YAML 
title: Audio Capture via PowerShell
id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6
status: test
description: Detects audio capture via PowerShell Cmdlet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
    - https://github.com/frgnca/AudioDeviceCmdlets
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-04-06
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'WindowsAudioDevice-Powershell-Cmdlet'
            - 'Toggle-AudioDevice'
            - 'Get-AudioDevice '
            - 'Set-AudioDevice '
            - 'Write-AudioDevice '
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
medium
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
status test author E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community id 83865853-59aa-449e-9600-74b9d89a6d6e
view Sigma YAML 
title: Audio Capture via SoundRecorder
id: 83865853-59aa-449e-9600-74b9d89a6d6e
status: test
description: Detect attacker collecting audio via SoundRecorder application.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md
    - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.collection
    - attack.t1123
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\SoundRecorder.exe'
        CommandLine|contains: '/FILE'
    condition: selection
falsepositives:
    - Legitimate audio capture by legitimate user.
level: medium
medium
Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication
status test author MikeDuddington, '@dudders1' id f272fb46-25f2-422c-b667-45837994980f
view Sigma YAML 
title: Authentications To Important Apps Using Single Factor Authentication
id: f272fb46-25f2-422c-b667-45837994980f
status: test
description: Detect when authentications to important application(s) only required single-factor authentication
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        AppId: 'Insert Application ID use OR for multiple'
        AuthenticationRequirement: 'singleFactorAuthentication'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: medium
medium
Automated Collection Command PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
status test author frack113 id c1dda054-d638-4c16-afc8-53e007f3fbc5
view Sigma YAML 
title: Automated Collection Command PowerShell
id: c1dda054-d638-4c16-afc8-53e007f3fbc5
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
author: frack113
date: 2021-07-28
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1119
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ext:
        ScriptBlockText|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Get-ChildItem'
            - ' -Recurse '
            - ' -Include '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
status test author frack113 id f576a613-2392-4067-9d1a-9345fb58d8d1
view Sigma YAML 
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-07-28
modified: 2022-11-11
tags:
    - attack.collection
    - attack.t1119
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        CommandLine|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_other_dir:
        CommandLine|contains|all:
            - 'dir '
            - ' /b '
            - ' /s '
    selection_other_findstr:
        OriginalFileName: 'FINDSTR.EXE'
        CommandLine|contains:
            - ' /e '
            - ' /si '
    condition: selection_ext and 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
medium
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id ff151c33-45fa-475d-af4f-c2f93571f4fe
view Sigma YAML 
title: Azure AD Health Monitoring Agent Registry Keys Access
id: ff151c33-45fa-475d-af4f-c2f93571f4fe
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 1d2ab8ac-1a01-423b-9c39-001510eae8e8
view Sigma YAML 
title: Azure AD Health Service Agents Registry Keys Access
id: 1d2ab8ac-1a01-423b-9c39-001510eae8e8
status: test
description: |
    This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
    Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
    This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
    Make sure you set the SACL to propagate to its sub-keys.
references:
    - https://o365blog.com/post/hybridhealthagent/
    - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1012
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
        ObjectType: 'Key'
        ObjectName: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\ADHealthAgent'
    filter:
        ProcessName|contains:
            - 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe'
            - 'Microsoft.Identity.Health.Adfs.InsightsService.exe'
            - 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe'
            - 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe'
            - 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Azure Active Directory Hybrid Health AD FS New Server
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 288a39fc-4914-4831-9ada-270e9dc12cb4
view Sigma YAML 
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
    This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
    A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
    This can be done programmatically via HTTP requests to Azure.
references:
    - https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.defense-impairment
    - attack.t1578
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        CategoryValue: 'Administrative'
        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
        ResourceId|contains: 'AdFederationService'
        OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
    condition: selection
falsepositives:
    - Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
medium
Azure Active Directory Hybrid Health AD FS Service Delete
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC id 48739819-8230-4ee3-a8ea-e0289d1fb0ff
view Sigma YAML 
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
    A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
    The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
    - https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
    - attack.defense-impairment
    - attack.t1578.003
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        CategoryValue: 'Administrative'
        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
        ResourceId|contains: 'AdFederationService'
        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
    condition: selection
falsepositives:
    - Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
Showing 51-100 of 1,345
Prev 2 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin