Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id 435e10e4-992a-4281-96f3-38b11106adde
view Sigma YAML
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
- id: db885529-903f-4c5d-9864-28fe199e6370
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status testauthor Nasreddine Bencherchali (Nextron Systems)id db885529-903f-4c5d-9864-28fe199e6370
view Sigma YAML
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
- id: 435e10e4-992a-4281-96f3-38b11106adde
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
ScriptBlockText|contains:
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
status testauthor Nasreddine Bencherchali (Nextron Systems)id de16d92c-c446-4d53-8938-10aeef41c8b6
view Sigma YAML
title: Computer Password Change Via Ksetup.EXE
id: de16d92c-c446-4d53-8938-10aeef41c8b6
status: test
description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
references:
- https://twitter.com/Oddvarmoe/status/1641712700605513729
- https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ksetup.exe'
- OriginalFileName: 'ksetup.exe'
selection_cli:
CommandLine|contains: ' /setcomputerpassword '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
view Sigma YAML
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
- attack.discovery
- attack.execution
- attack.t1047
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'computersystem'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Conhost Spawned By Uncommon Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
status testauthor Tim Rauch, Elastic (idea)id cbb9e3d1-2386-4e59-912e-62f1484f7a89
view Sigma YAML
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
- https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\conhost.exe'
ParentImage|endswith:
- '\explorer.exe'
# - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
# - '\ctfmon.exe' # Seen several times in a testing environment
# - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
- '\lsass.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\services.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\userinit.exe'
# - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
- '\wininit.exe'
- '\winlogon.exe'
filter_main_svchost:
ParentCommandLine|contains:
- '-k apphost -s AppHostSvc'
- '-k imgsvc'
- '-k localService -p -s RemoteRegistry'
- '-k LocalSystemNetworkRestricted -p -s NgcSvc'
- '-k NetSvcs -p -s NcaSvc'
- '-k netsvcs -p -s NetSetupSvc'
- '-k netsvcs -p -s wlidsvc'
- '-k NetworkService -p -s DoSvc'
- '-k wsappx -p -s AppXSvc'
- '-k wsappx -p -s ClipSVC'
- '-k wusvcs -p -s WaaSMedicSvc'
filter_optional_dropbox:
ParentCommandLine|contains:
- 'C:\Program Files (x86)\Dropbox\Client\'
- 'C:\Program Files\Dropbox\Client\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
medium
Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
status testauthor _pete_0, TheDFIRReportid 7090adee-82e2-4269-bd59-80691e7c6338
view Sigma YAML
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains|windash:
- ' -c '
- ' -r '
- ' -k '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
falsepositives:
- During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command.
- Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
medium
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
status testauthor Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Sheltonid 74403157-20f5-415d-89a7-c505779585cf
view Sigma YAML
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'ConvertTo-SecureString'
condition: all of selection_*
falsepositives:
- Legitimate use to pass password to different powershell commands
level: medium
medium
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
status testauthor Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchaliid 855bc8b5-2ae8-402e-a9ed-b889e6df1900
view Sigma YAML
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
- https://twitter.com/SBousseaden/status/1211636381086339073
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
- https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
- attack.lateral-movement
- attack.collection
- attack.exfiltration
- attack.t1039
- attack.t1048
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_target:
CommandLine|contains:
- '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
- '\Sysvol\'
selection_other_tools:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'copy'
selection_pwsh_img:
- Image|contains:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains:
- 'copy-item'
- 'copy '
- 'cpi '
- ' cp '
- 'move '
- ' move-item'
- ' mi '
- ' mv '
condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
- Administrative scripts
level: medium
medium
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
status experimentalauthor Jason Mullid 882fbe50-d8d7-4e29-ae80-0648a8556866
view Sigma YAML
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
- id: 2ff692c2-4594-41ec-8fcb-46587de769e0
type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
- https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
- https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
- attack.credential-access
- attack.collection
- attack.t1003.002
- attack.t1005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
EventID: 1001
condition: selection
level: medium
medium
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
status testauthor Tobias Michalski (Nextron Systems)id 2ff692c2-4594-41ec-8fcb-46587de769e0
view Sigma YAML
title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1564
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate disabling of crashdumps
level: medium
medium
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
status testauthor elhoimid 409f8a98-4496-4aaa-818a-c931c0a8b832
view Sigma YAML
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1218
- attack.execution
logsource:
product: windows
category: file_event
detection:
selection_mobsync:
Image|endswith: '\mobsync.exe'
filter_created_file:
TargetFilename|endswith:
- '.dll'
- '.exe'
condition: selection_mobsync and filter_created_file
falsepositives:
- Unknown
level: medium
medium
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
status testauthor Marie Euler, Pawel Mazurid 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
view Sigma YAML
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
- https://access.redhat.com/articles/4409591#audit-record-types-2
- https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
- attack.t1136.001
- attack.persistence
logsource:
product: linux
service: auditd
detection:
selection_syscall_record_type:
type: 'SYSCALL'
exe|endswith: '/useradd'
selection_add_user_record_type:
type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
condition: 1 of selection_*
falsepositives:
- Admin activity
level: medium
medium
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
status testauthor Nasreddine Bencherchali (Nextron Systems), fornotesid df6ecb8b-7822-4f4b-b412-08f524b4576c
view Sigma YAML
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: test
description: |
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
- http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
- https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
- https://decoded.avast.io/martinchlumecky/png-steganography/
- https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
- https://github.com/Wh04m1001/SysmonEoP
- https://itm4n.github.io/cdpsvc-dll-hijacking/
- https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
- https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
- https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
- https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
- https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
- https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
- https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\Windows\System32\axeonoffhelper.dll'
- ':\Windows\System32\cdpsgshims.dll'
- ':\Windows\System32\oci.dll'
- ':\Windows\System32\offdmpsvc.dll'
- ':\Windows\System32\shellchromeapi.dll'
- ':\Windows\System32\TSMSISrv.dll'
- ':\Windows\System32\TSVIPSrv.dll'
- ':\Windows\System32\wbem\wbemcomn.dll'
- ':\Windows\System32\WLBSCTRL.dll'
- ':\Windows\System32\wow64log.dll'
- ':\Windows\System32\WptsExtensions.dll'
- '\SprintCSP.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
medium
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
status testauthor Leo Tsaousis (@laripping)id a80d927d-ac6e-443f-a867-e8d6e3897318
view Sigma YAML
title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.stealth
- attack.t1036.005
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'pods'
objectRef.namespace: kube-system
condition: selection
falsepositives:
- System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium
medium
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
status testauthor frack113id 573df571-a223-43bc-846e-3f98da481eca
view Sigma YAML
title: Creation Of a Suspicious ADS File Outside a Browser Download
id: 573df571-a223-43bc-846e-3f98da481eca
status: test
description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
references:
- https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
author: frack113
date: 2022-10-22
modified: 2023-06-12
tags:
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|startswith: '[ZoneTransfer] ZoneId=3'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains:
- '.exe'
- '.scr'
- '.bat'
- '.cmd'
- '.docx'
- '.hta'
- '.jse'
- '.lnk'
- '.pptx'
- '.ps'
- '.reg'
- '.sct'
- '.vb'
- '.wsc'
- '.wsf'
- '.xlsx'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
filter_optional_snipping_tool:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
Image|endswith: '\SnippingTool\SnippingTool.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Packages\Microsoft.ScreenSketch_'
- '\TempState\Screenshot '
TargetFilename|endswith: '.png:Zone.Identifier'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Other legitimate browsers not currently included in the filter (please add them)
- Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
level: medium
medium
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
status testauthor frack113id 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
view Sigma YAML
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
- https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2025-12-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\WerFault.exe'
- '\wer.dll'
filter_main_known_locations:
TargetFilename|startswith:
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\UUS\arm64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Creation of a Diagcab
Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
status testauthor frack113id 3d0ed417-3d94-4963-a562-4a92c940656a
view Sigma YAML
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)
references:
- https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
- attack.resource-development
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.diagcab'
condition: selection
falsepositives:
- Legitimate microsoft diagcab
level: medium
medium
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
status testauthor Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)id 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
view Sigma YAML
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
- https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
- https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
- https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
- attack.credential-access
- attack.collection
- attack.t1056.002
logsource:
category: image_load
product: windows
detection:
selection:
- ImageLoaded|endswith:
- '\credui.dll'
- '\wincredui.dll'
- OriginalFileName:
- 'credui.dll'
- 'wincredui.dll'
filter_main_generic:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\SystemApps\'
filter_main_full:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
filter_optional_opera:
Image|endswith: '\opera_autoupdate.exe'
filter_optional_process_explorer:
Image|endswith:
- '\procexp64.exe'
- '\procexp.exe'
filter_optional_teams:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\Teams\'
Image|endswith: '\Teams.exe'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legitimate processes loading those DLLs in your environment.
level: medium
medium
Credential Manager Access By Uncommon Applications
Detects suspicious processes based on name and location that access the windows credential manager and vault.
Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
status testauthor Nasreddine Bencherchali (Nextron Systems)id 407aecb1-e762-4acf-8c7b-d087bcff3bb6
view Sigma YAML
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
Detects suspicious processes based on name and location that access the windows credential manager and vault.
Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
references:
- https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
- attack.t1003
- attack.credential-access
logsource:
category: file_access
product: windows
definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
selection:
FileName|contains:
- '\AppData\Local\Microsoft\Credentials\'
- '\AppData\Roaming\Microsoft\Credentials\'
- '\AppData\Local\Microsoft\Vault\'
- '\ProgramData\Microsoft\Vault\'
filter_system_folders:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
medium
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
status testauthor Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)id b120b587-a4c2-4b94-875d-99c9807d6955
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
status testauthor Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')id b6676963-0353-4f88-90f5-36c20d443c6a
view Sigma YAML
title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
references:
- Internal Research
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
- https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli_script_main:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
# Note: Add other combinations that are suspicious
selection_cli_script_option_mshta:
CommandLine|contains|all:
- 'mshta'
- 'http'
selection_cli_script_option_other:
CommandLine|contains:
- 'rundll32'
- 'regsvr32'
- 'msiexec'
selection_cli_standalone:
Image|endswith: '\rundll32.exe'
filter_main_rundll32_known_exports:
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- 'UpdatePerUserSystemParameters'
- 'PrintUIEntry'
- 'ClearMyTracksByProcess'
condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
- Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium
medium
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
status testauthor Nasreddine Bencherchali (Nextron Systems)id 85de1f22-d189-44e4-8239-dc276b45379b
view Sigma YAML
title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
# Example: This command line would trigger the rule
# curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_header_flag_1:
CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
selection_header_flag_2:
CommandLine|contains: '--header'
selection_user_agent:
CommandLine|contains: 'User-Agent:'
condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
medium
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status testauthor Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)id f674e36a-4b91-431e-8aef-f8a96c2aca35
view Sigma YAML
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
system_control_base:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
system_control_keys:
TargetObject|contains:
- '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
- '\Terminal Server\Wds\rdpwd\StartupPrograms'
- '\SecurityProviders\SecurityProviders'
- '\SafeBoot\AlternateShell'
- '\Print\Providers'
- '\Print\Monitors'
- '\NetworkProvider\Order'
- '\Lsa\Notification Packages'
- '\Lsa\Authentication Packages'
- '\BootVerificationProgram\ImagePath'
filter_empty:
Details: '(Empty)'
filter_cutepdf:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
Details:
- 'cpwmon64_v40.dll'
- 'CutePDF Writer'
filter_onenote:
Image: C:\Windows\System32\spoolsv.exe
TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
filter_realvnc:
Image: 'C:\Windows\System32\spoolsv.exe'
TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
Details: 'VNCpm.dll'
condition: all of system_control_* and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status testauthor Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)id 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
Detects modification of autostart extensibility point (ASEP) in registry.
status testauthor Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)id cbf93e5d-ca6c-4722-8bea-e9119007c248
view Sigma YAML
title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection_nt_current_version_base:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
selection_nt_current_version:
TargetObject|contains:
- '\Winlogon\VmApplet'
- '\Winlogon\Userinit'
- '\Winlogon\Taskman'
- '\Winlogon\Shell'
- '\Winlogon\GpExtensions'
- '\Winlogon\AppSetup'
- '\Winlogon\AlternateShells\AvailableShells'
- '\Windows\IconServiceLib'
- '\Windows\Appinit_Dlls'
- '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
- '\Font Drivers'
- '\Drivers32'
- '\Windows\Run'
- '\Windows\Load'
filter_main_empty:
Details: '(Empty)'
filter_main_null:
Details: null
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_main_legitimate_subkey: # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
TargetObject|contains: '\Image File Execution Options\'
TargetObject|endswith:
- '\DisableExceptionChainValidation'
- '\MitigationOptions'
filter_main_security_extension_dc:
Image: 'C:\Windows\system32\svchost.exe'
TargetObject|contains:
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
- '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
Details:
- 'DWORD (0x00000001)'
- 'DWORD (0x00000009)'
- 'DWORD (0x000003c0)'
filter_main_runtimebroker:
Image: 'C:\Windows\System32\RuntimeBroker.exe'
TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
filter_optional_edge:
Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
Image|endswith: '\MicrosoftEdgeUpdate.exe'
filter_optional_avguard:
Image|startswith:
- 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
- 'C:\Program Files\Avira\Antivirus\avguard.exe'
TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
TargetObject|endswith:
- '\userinit\UseAsDefault'
- '\shell\UseAsDefault'
Details:
- 'explorer.exe'
- 'C:\Windows\system32\userinit.exe,'
filter_optional_msoffice:
- TargetObject|contains:
- '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
- '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
- Image:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
filter_optional_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_ngen:
Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
Image|endswith: '\ngen.exe'
filter_optional_onedrive:
Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium
DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
status testauthor OTR (Open Threat Research)id 214e8f95-100a-4e04-bb31-ef6cba8ce07e
view Sigma YAML
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: spoolss
condition: selection
falsepositives:
- 'Domain Controllers acting as printer servers too? :)'
level: medium
medium
DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
status testauthor Ivan Dyachkov, Yulia Fomina, oscd.communityid a2910908-e86f-4687-aeba-76a5f996e652
view Sigma YAML
title: DLL Execution Via Register-cimprovider.exe
id: a2910908-e86f-4687-aeba-76a5f996e652
status: test
description: Detects using register-cimprovider.exe to execute arbitrary dll file.
references:
- https://twitter.com/PhilipTsukerman/status/992021361106268161
- https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
author: Ivan Dyachkov, Yulia Fomina, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\register-cimprovider.exe'
CommandLine|contains|all:
- '-path'
- 'dll'
condition: selection
falsepositives:
- Unknown
level: medium
medium
DLL Execution via Rasautou.exe
Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
status testauthor Julia Fomina, oscd.communityid cd3d1298-eb3b-476c-ac67-12847de55813
view Sigma YAML
title: DLL Execution via Rasautou.exe
id: cd3d1298-eb3b-476c-ac67-12847de55813
status: test
description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
- https://github.com/fireeye/DueDLLigence
- https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
author: Julia Fomina, oscd.community
date: 2020-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
detection:
selection_img:
- Image|endswith: '\rasautou.exe'
- OriginalFileName: 'rasdlui.exe'
selection_cli:
CommandLine|contains|all:
- ' -d '
- ' -p '
condition: all of selection*
falsepositives:
- Unlikely
level: medium
medium
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
view Sigma YAML
title: DLL Load By System Process From Suspicious Locations
id: 9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c
status: test
description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2023-09-18
tags:
- attack.stealth
- attack.t1070
logsource:
product: windows
category: image_load
detection:
selection:
Image|startswith: 'C:\Windows\'
ImageLoaded|startswith:
# TODO: Add more suspicious paths as you see fit in your env
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
condition: selection
falsepositives:
- Unknown
level: medium
medium
DLL Loaded via CertOC.EXE
Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
status testauthor Austin Songer @austinsongerid 242301bc-f92f-4476-8718-78004a6efd9f
view Sigma YAML
title: DLL Loaded via CertOC.EXE
id: 242301bc-f92f-4476-8718-78004a6efd9f
related:
- id: 84232095-ecca-4015-b0d7-7726507ee793
type: similar
status: test
description: Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
references:
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Austin Songer @austinsonger
date: 2021-10-23
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|windash: ' -LoadDLL '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 02122374-b74e-495c-b285-9e4da973f3d6
view Sigma YAML
title: DMSA Service Account Created in Specific OUs - PowerShell
id: 02122374-b74e-495c-b285-9e4da973f3d6
related:
- id: e15bc294-ae2a-45ad-b7d6-637b33868bde # Windows Security Creation of New MsDS-DelegatedManagedServiceAccount (DMSA) Object
type: similar
- id: 0ea8db81-2ff6-4525-9448-33bbe7effc13 # Process Creation Detection
type: similar
status: experimental
description: |
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs.
The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious.
It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions,
it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
references:
- https://www.akamai.com/blog/security-research/abusing-bad-successor-for-privilege-escalation-in-active-directory
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-24
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.persistence
- attack.stealth
- attack.t1078.002
- attack.t1098
logsource:
category: ps_script
product: windows
detection:
selection:
ScriptBlockText|contains|all:
- 'New-ADServiceAccount'
- '-CreateDelegatedServiceAccount'
- '-path'
condition: selection
falsepositives:
- Unknown
level: medium
medium
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
status testauthor Dmitriy Lifanov, oscd.communityid 36e037c4-c228-4866-b6a3-48eb292b9955
view Sigma YAML
title: DNS Query Request By Regsvr32.EXE
id: 36e037c4-c228-4866-b6a3-48eb292b9955
related:
- id: c7e91a02-d771-4a6d-a700-42587e0b1095
type: derived
status: test
description: Detects DNS queries initiated by "Regsvr32.exe"
references:
- https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/
- https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
author: Dmitriy Lifanov, oscd.community
date: 2019-10-25
modified: 2023-09-18
tags:
- attack.execution
- attack.stealth
- attack.t1559.001
- attack.t1218.010
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
medium
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
status testauthor Nasreddine Bencherchali (Nextron Systems)id e043f529-8514-4205-8ab0-7f7d2927b400
view Sigma YAML
title: DNS Query To AzureWebsites.NET By Non-Browser Process
id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
- id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
type: derived
status: test
description: |
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
- https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
- https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: 'azurewebsites.net'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_defender:
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
filter_optional_tor:
Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_optional_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_optional_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_optional_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
medium
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
status experimentalauthor Ahmed Nosir (@egycondor)id f8c1e80b-c73a-476a-ae24-6c72528b1521
view Sigma YAML
title: DNS Query To Common Malware Hosting and Shortener Services
id: f8c1e80b-c73a-476a-ae24-6c72528b1521
status: experimental
description: |
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners.
These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc.
Such DNS activity can indicate potential delivery or command-and-control communication attempts.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
author: Ahmed Nosir (@egycondor)
date: 2025-06-02
tags:
- attack.command-and-control
- attack.t1071.004
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains:
- 'msapp.workers.dev'
- 'trycloudflare.com'
- 'infinityfreeapp.com'
- 'my5353.com'
- 'reurl.cc'
- 'lihi.cc'
- 'tinyurl.com'
condition: selection
falsepositives:
- Legitimate use of these services is possible but rare in enterprise environments
level: medium
medium
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor citron_ninjaid 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
view Sigma YAML
title: DNS Query To Devtunnels Domain
id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
type: similar
status: test
description: |
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2
- https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security
- https://cydefops.com/devtunnels-unleashed
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1572
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|endswith: '.devtunnels.ms'
condition: selection
falsepositives:
- Legitimate use of Devtunnels will also trigger this.
level: medium
medium
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
status testauthor Aaron Greetham (@beardofbinary) - NCC Groupid 613c03ba-0779-4a53-8a1f-47f914a4ded3
view Sigma YAML
title: DNS Query To MEGA Hosting Website
id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
related:
- id: 66474410-b883-415f-9f8d-75345a0a66a6
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
medium
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
status testauthor Nasreddine Bencherchali (Nextron Systems)id 66474410-b883-415f-9f8d-75345a0a66a6
view Sigma YAML
title: DNS Query To MEGA Hosting Website - DNS Client
id: 66474410-b883-415f-9f8d-75345a0a66a6
related:
- id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
type: similar
status: test
description: Detects DNS queries for subdomains related to MEGA sharing website
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains: 'userstorage.mega.co.nz'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Mega
level: medium
medium
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
status testauthor Omar Khaled (@beacon_exe)id 8b69fd42-9dad-4674-abef-7fdef43ef92a
view Sigma YAML
title: DNS Query To Put.io - DNS Client
id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
status: test
description: Detects DNS queries for subdomains related to "Put.io" sharing website.
references:
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
author: Omar Khaled (@beacon_exe)
date: 2024-08-23
tags:
- attack.command-and-control
logsource:
product: windows
service: dns-client
definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
selection:
EventID: 3008
QueryName|contains:
- 'api.put.io'
- 'upload.put.io'
condition: selection
falsepositives:
- Legitimate DNS queries and usage of Put.io
level: medium
medium
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
status testauthor frack113, Connor Martinid 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
view Sigma YAML
title: DNS Query To Remote Access Software Domain From Non-Browser App
id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
related:
- id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
type: obsolete
- id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
type: obsolete
- id: ed785237-70fa-46f3-83b6-d264d1dc6eb4
type: obsolete
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
- https://redcanary.com/blog/misbehaving-rats/
- https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://blog.sekoia.io/scattered-spider-laying-new-eggs/
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
author: frack113, Connor Martin
date: 2022-07-11
modified: 2024-12-17
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: dns_query
detection:
selection_generic:
QueryName|endswith:
- 'agent.jumpcloud.com'
- 'agentreporting.atera.com'
- 'ammyy.com'
- 'api.parsec.app'
- 'api.playanext.com'
- 'api.splashtop.com'
- 'app.atera.com'
- 'assist.zoho.com'
- 'authentication.logmeininc.com'
- 'beyondtrustcloud.com'
- 'cdn.kaseya.net'
- 'client.teamviewer.com'
- 'comserver.corporate.beanywhere.com'
- 'control.connectwise.com'
- 'downloads.zohocdn.com'
- 'dwservice.net'
- 'express.gotoassist.com'
- 'getgo.com'
- 'getscreen.me' # https://x.com/malmoeb/status/1868757130624614860?s=12&t=C0_T_re0wRP_NfKa27Xw9w
- 'integratedchat.teamviewer.com'
- 'join.zoho.com'
- 'kickstart.jumpcloud.com'
- 'license.bomgar.com'
- 'logmein-gateway.com'
- 'logmein.com'
- 'logmeincdn.http.internapcdn.net'
- 'n-able.com'
- 'net.anydesk.com'
- 'netsupportsoftware.com' # For NetSupport Manager RAT
- 'parsecusercontent.com'
- 'pubsub.atera.com'
- 'relay.kaseya.net'
- 'relay.screenconnect.com'
- 'relay.splashtop.com'
- 'remoteassistance.support.services.microsoft.com' # Quick Assist Application
- 'remotedesktop-pa.googleapis.com'
- 'remoteutilities.com' # Usage of Remote Utilities RAT
- 'secure.logmeinrescue.com'
- 'services.vnc.com'
- 'static.remotepc.com'
- 'swi-rc.com'
- 'swi-tc.com'
- 'tailscale.com' # Scattered Spider threat group used this RMM tool
- 'telemetry.servers.qetqo.com'
- 'tmate.io'
- 'twingate.com' # Scattered Spider threat group used this RMM tool
- 'zohoassist.com'
selection_rustdesk: # https://twitter.com/malmoeb/status/1668504345132822531?s=20 and https://www.adamsdesk.com/posts/rustdesk-not-connecting/ mention this pattern
QueryName|endswith: '.rustdesk.com'
QueryName|startswith: 'rs-'
# Exclude browsers for legitimate visits of the domains mentioned above
# Add missing browsers you use and exclude the ones you don't
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_defender:
Image|endswith:
- '\MsMpEng.exe' # Microsoft Defender executable
- '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable
filter_optional_brave:
Image|endswith: '\brave.exe'
Image|startswith: 'C:\Program Files\BraveSoftware\'
filter_optional_maxthon:
Image|contains: '\AppData\Local\Maxthon\'
Image|endswith: '\maxthon.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_seamonkey:
Image|startswith:
- 'C:\Program Files\SeaMonkey\'
- 'C:\Program Files (x86)\SeaMonkey\'
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|contains: '\AppData\Local\Vivaldi\'
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|startswith:
- 'C:\Program Files\Naver\Naver Whale\'
- 'C:\Program Files (x86)\Naver\Naver Whale\'
Image|endswith: '\whale.exe'
filter_optional_tor:
Image|contains: '\Tor Browser\'
filter_optional_whaterfox:
Image|startswith:
- 'C:\Program Files\Waterfox\'
- 'C:\Program Files (x86)\Waterfox\'
Image|endswith: '\Waterfox.exe'
filter_optional_midori:
Image|contains: '\AppData\Local\Programs\midori-ng\'
Image|endswith: '\Midori Next Generation.exe'
filter_optional_slimbrowser:
Image|startswith:
- 'C:\Program Files\SlimBrowser\'
- 'C:\Program Files (x86)\SlimBrowser\'
Image|endswith: '\slimbrowser.exe'
filter_optional_flock:
Image|contains: '\AppData\Local\Flock\'
Image|endswith: '\Flock.exe'
filter_optional_phoebe:
Image|contains: '\AppData\Local\Phoebe\'
Image|endswith: '\Phoebe.exe'
filter_optional_falkon:
Image|startswith:
- 'C:\Program Files\Falkon\'
- 'C:\Program Files (x86)\Falkon\'
Image|endswith: '\falkon.exe'
filter_optional_avant:
Image|startswith:
- 'C:\Program Files (x86)\Avant Browser\'
- 'C:\Program Files\Avant Browser\'
Image|endswith: '\avant.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Likely with other browser software. Apply additional filters for any other browsers you might use.
level: medium
medium
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
status testauthor citron_ninjaid b3e6418f-7c7a-4fad-993a-93b65027a9f1
view Sigma YAML
title: DNS Query To Visual Studio Code Tunnels Domain
id: b3e6418f-7c7a-4fad-993a-93b65027a9f1
related:
- id: 9501f8e6-8e3d-48fc-a8a6-1089dd5d7ef4 # Net Connection DevTunnels
type: similar
- id: 4b657234-038e-4ad5-997c-4be42340bce4 # Net Connection VsCode
type: similar
- id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
type: similar
status: test
description: |
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://cydefops.com/vscode-data-exfiltration
author: citron_ninja
date: 2023-10-25
modified: 2023-11-20
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|endswith: '.tunnels.api.visualstudio.com'
condition: selection
falsepositives:
- Legitimate use of Visual Studio Code tunnel will also trigger this.
level: medium
medium
DNS TOR Proxies
Identifies IPs performing DNS lookups associated with common Tor proxies.
status testauthor Saw Winn Naung , Azure-Sentinelid a8322756-015c-42e7-afb1-436e85ed3ff5
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
status testauthor Austin Songerid 04b45a8a-d11d-49e4-9acc-4a1b524407a5
view Sigma YAML
title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or be used to hide the process of exfiltrating data.
With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
- https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
- https://github.com/elastic/detection-rules/issues/1371
- https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
- https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1140
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection_edge:
TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
Details: DWORD (0x00000001)
selection_chrome:
TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
Details: 'secure'
selection_firefox:
TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
Details: DWORD (0x00000001)
condition: 1 of selection_*
falsepositives:
- Unlikely
level: medium
medium
DPAPI Domain Master Key Backup Attempt
Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
status testauthor Roberto Rodriguez @Cyb3rWard0gid 39a94fd1-8c9a-4ff6-bf22-c058762f8014
view Sigma YAML
title: DPAPI Domain Master Key Backup Attempt
id: 39a94fd1-8c9a-4ff6-bf22-c058762f8014
status: test
description: Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
references:
- https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2023-03-15
tags:
- attack.credential-access
- attack.t1003.004
logsource:
product: windows
service: security
detection:
selection:
EventID: 4692
condition: selection
falsepositives:
- If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event.
level: medium
medium
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
status testauthor Austin Songer @austinsongerid 2b669496-d215-47d8-bd9a-f4a45bf07cda
view Sigma YAML
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: test
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1537
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Data exfiltration to unsanctioned apps'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
medium
Data Exfiltration with Wget
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
status testauthor Pawel Mazurid cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
view Sigma YAML
title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
Detects attempts to post the file with the usage of wget utility.
The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
- https://linux.die.net/man/1/wget
- https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: wget
a1|startswith: '--post-file='
condition: selection
falsepositives:
- Legitimate usage of wget utility to post a file
level: medium
medium
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
- https://docs.microsoft.com/en-us/sql/tools/bcp-utility
- https://asec.ahnlab.com/en/61000/
- https://asec.ahnlab.com/en/78944/
- https://www.huntress.com/blog/attacking-mssql-servers
- https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
- https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
- attack.execution
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcp.exe'
- OriginalFileName: 'BCP.exe'
selection_cli:
CommandLine|contains:
- ' out ' # Export data from a table
- ' queryout ' # Export data based on a SQL query
condition: all of selection_*
falsepositives:
- Legitimate data export operations.
level: medium
medium
Delete Defender Scan ShellEx Context Menu Registry Key
Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
status experimentalauthor Matt Anderson (Huntress)id 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
view Sigma YAML
title: Delete Defender Scan ShellEx Context Menu Registry Key
id: 72a0369a-2576-4aaf-bfc9-6bb24a574ac6
related:
- id: b9e8c7d6-a5f4-4e3d-8b1a-9f0c8d7e6a5b
type: similar
status: experimental
description: Detects deletion of registry key that adds 'Scan with Defender' option in context menu. Attackers may use this to make it harder for users to scan files that are suspicious.
references:
- https://research.splunk.com/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/
- https://winaero.com/how-to-delete-scan-with-windows-defender-from-context-menu-in-windows-10/
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|contains: 'shellex\ContextMenuHandlers\EPP'
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely as this weakens defenses and normally would not be done even if using another AV.
level: medium
medium
Deleted Data Overwritten Via Cipher.EXE
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
status testauthor frack113id 4b046706-5789-4673-b111-66f25fe99534
view Sigma YAML
title: Deleted Data Overwritten Via Cipher.EXE
id: 4b046706-5789-4673-b111-66f25fe99534
status: test
description: |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
author: frack113
date: 2021-12-26
modified: 2023-02-21
tags:
- attack.impact
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'CIPHER.EXE'
- Image|endswith: '\cipher.exe'
selection_cli:
CommandLine|contains: ' /w:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data/info.yml
simulation:
- type: atomic-red-team
name: Overwrite deleted data on C drive
technique: T1485
atomic_guid: 321fd25e-0007-417f-adec-33232252be19
medium
Denied Access To Remote Desktop
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
status testauthor Pushkarev Dmitryid 8e5c03fa-b7f0-11ea-b242-07e0576828d9
view Sigma YAML
title: Denied Access To Remote Desktop
id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9
status: test
description: |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available windows servers in the network.
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
author: Pushkarev Dmitry
date: 2020-06-27
modified: 2021-11-27
tags:
- attack.lateral-movement
- attack.t1021.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4825
condition: selection
falsepositives:
- Valid user was not added to RDP group
level: medium
medium
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
status testauthor frack113id 6ae53108-c3a0-4bee-8f45-c7591a2c337f
view Sigma YAML
title: Deployment AppX Package Was Blocked By AppLocker
id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
status: test
description: Detects an appx package deployment that was blocked by AppLocker policy.
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 412
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium