
Sigma detection rules

1,345 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy:
- Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
- Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
- Event ID 453: Package blocked by a platform policy
- Event ID 454: Package blocked by a platform policy
Level: medium · Status: test · Author: frack113 · ID: e021bbb5-407f-41f5-9dc9-1864c45a7a51
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: test
description: |
    Detects an appx package deployment that was blocked by the local computer policy.
    The following events indicate that an AppX package deployment was blocked by a policy:
    - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
    - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
    - Event ID 453: Package blocked by a platform policy.
    - Event ID 454: Package blocked by a platform policy.
references:
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
    - attack.defense-impairment
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID:
            - 441 # The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
            - 442 # Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
            - 453 # Package blocked by a platform policy
            - 454 # Package blocked by a platform policy
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
Desktop.INI Created by Uncommon Process
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Level: medium · Status: test · Author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) · ID: 81315b50-6b60-4d8f-9928-3466e1022515
title: Desktop.INI Created by Uncommon Process
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
references:
    - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
date: 2020-03-19
modified: 2025-12-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\desktop.ini'
    filter_main_generic:
        Image|startswith:
            - 'C:\Windows\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_upgrade:
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\NewOS\'
    filter_optional_jetbrains:
        Image|startswith: 'C:\Users\'
        Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'
        TargetFilename|contains: '\JetBrains\apps\'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Operations performed through Windows SCCM or equivalent
    - Read only access list authority
level: medium
Detected Windows Software Discovery
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Level: medium · Status: test · Author: Nikita Nazarov, oscd.community · ID: e13f668e-7f95-443d-98d2-1816a7648a7b
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
    - id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
      type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1518
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'    # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
        CommandLine|contains|all:
            - 'query'
            - '\software\'
            - '/v'
            - 'svcversion'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Level: medium · Status: test · Author: Nikita Nazarov, oscd.community · ID: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
    - https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
    - attack.discovery
    - attack.t1518
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
            - 'get-itemProperty'
            - '\software\'
            - 'select-object'
            - 'format-table'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Detection of PowerShell Execution via Sqlps.exe
This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Level: medium · Status: test · Author: Agro (@agro_sev) oscd.community · ID: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
  This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server.
  Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
references:
    - https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
    - https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlps.exe'
    selection_image:
        - Image|endswith: '\sqlps.exe'
        - OriginalFileName: 'sqlps.exe'
    filter_image:
        ParentImage|endswith: '\sqlagent.exe'
    condition: selection_parent or (selection_image and not filter_image)
falsepositives:
    - Direct PS command execution through SQLPS.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium
Device Installation Blocked
Detects an installation of a device that is forbidden by the system policy.
Level: medium · Status: test · Author: frack113 · ID: c9eb55c3-b468-40ab-9089-db2862e42137
title: Device Installation Blocked
id: c9eb55c3-b468-40ab-9089-db2862e42137
status: test
description: Detects an installation of a device that is forbidden by the system policy
references:
    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
author: frack113
date: 2022-10-14
tags:
    - attack.initial-access
    - attack.t1200
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID: 6423
    condition: selection
falsepositives:
    - Unknown
level: medium
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
Level: medium · Status: test · Author: Michael Epping, @mepples21 · ID: 5afa454e-030c-4ab4-9253-a90aa7fcc581
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResourceDisplayName: 'Device Registration Service'
        conditionalAccessStatus: 'success'
    filter_mfa:
        AuthenticationRequirement: 'multiFactorAuthentication'
    condition: selection and not filter_mfa
falsepositives:
    - Unknown
level: medium
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
Level: medium · Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: b8b1b304-a60f-4999-9a6e-c547bde03ffd
title: DeviceCredentialDeployment Execution
id: b8b1b304-a60f-4999-9a6e-c547bde03ffd
status: test
description: |
    Detects the execution of DeviceCredentialDeployment to hide a process from view.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/147
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DeviceCredentialDeployment.exe'
    condition: selection
falsepositives:
    - Unlikely
level: medium
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Level: medium · Status: test · Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems) · ID: 24357373-078f-44ed-9ac4-6d334a668a11
title: Direct Autorun Keys Modification
id: 24357373-078f-44ed-9ac4-6d334a668a11
status: test
description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-10-25
modified: 2026-01-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_add:
        CommandLine|contains: 'add'     # to avoid intersection with discovery tactic rules
    selection_cli_keys:
        CommandLine|contains:           # need to improve this list, there are plenty of ASEP reg keys
            - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"
            - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
            - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
            - '\software\Microsoft\Windows NT\CurrentVersion\Windows'
            - '\system\CurrentControlSet\Control\SafeBoot\AlternateShell'
    condition: all of selection_*
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
DirectorySearcher Powershell Exploitation
Enumerates Active Directory to determine computers that are joined to the domain.
Level: medium · Status: test · Author: frack113 · ID: 1f6399cf-2c80-4924-ace1-6fcff3393480
title: DirectorySearcher Powershell Exploitation
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
status: test
description: Enumerates Active Directory to determine computers that are joined to the domain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
date: 2022-02-12
tags:
    - attack.discovery
    - attack.t1018
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object '
            - 'System.DirectoryServices.DirectorySearcher'
            - '.PropertiesToLoad.Add'
            - '.findall()'
            - 'Properties.name'
    condition: selection
falsepositives:
    - Unknown
level: medium
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.
Level: medium · Status: test · Author: frack113 · ID: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\LanmanServer\Parameters\'
        TargetObject|endswith:
            - '\AutoShareWks'
            - '\AutoShareServer'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Administrative Share Creation at Startup
      technique: T1070.005
      atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: bf9e1387-b040-4393-9851-1598f8ecfae9
title: Disable Exploit Guard Network Protection on Windows Defender
id: bf9e1387-b040-4393-9851-1598f8ecfae9
status: test
description: Detects disabling Windows Defender Exploit Guard Network Protection
references:
    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride'
        Details: 'DWORD (0x00000001)' # Sysmon registry_set events render DWORD values as 'DWORD (0x...)'; without the 0x prefix the value never matches
    condition: selection
falsepositives:
    - Unknown
level: medium
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique).
Level: medium · Status: test · Author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec · ID: e2482f8d-3443-4237-b906-cc145d87a076
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
    - https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
            - 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
            - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
            - 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
            - 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
            - 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage.
Level: medium · Status: test · Author: frack113 · ID: 974515da-6cc5-4c95-ae65-f97f9150ec7f
title: Disable Microsoft Defender Firewall via Registry
id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
status: test
description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
author: frack113
date: 2022-01-09
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
        # HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
        TargetObject|contains: '\Services\SharedAccess\Parameters\FirewallPolicy\'
        TargetObject|endswith: '\EnableFirewall'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_defender_firewall/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Microsoft Defender Firewall via Registry
      technique: T1562.004
      atomic_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
Disable Or Stop Services
Detects the usage of utilities such as 'systemctl' and 'service' to stop or disable tools and services on Linux systems. Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
Level: medium · Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: de25eeb8-3655-4643-ac3a-b662d3f26b6b
title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: test
description: |
    Detects the usage of utilities such as 'systemctl' and 'service' to stop or disable tools and services on Linux systems.
    Attackers may stop or disable security tools and services to evade detection, maintain persistence, or disrupt system operations.
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
modified: 2025-03-18
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/service'
            - '/systemctl'
            - '/chkconfig'
        CommandLine|contains:
            - ' stop '
            - ' disable '
    filter_main_legit_snapd:
        Image|endswith: '/systemctl'
        CommandLine|contains:
            - '--no-reload disable snap-snapd-'
            - ' stop snap-snapd-'
    filter_main_ssh_preinstall:
        Image|endswith: '/systemctl'
        ParentCommandLine|contains: 'tmp.ci/preinst upgrade'
        CommandLine|contains|all:
            - ' stop '
            - 'ssh.'
    filter_main_ubuntu_upgrade:
        ParentCommandLine|contains: '/dpkg/info/ubuntu-pro-client.prerm upgrade'
        Image|endswith: '/systemctl'
    filter_optional_aws_agent:
        Image|endswith: '/systemctl'
        CommandLine|endswith: 'snap.amazon-ssm-agent.amazon-ssm-agent.service'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administration activities
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience.
Level: medium · Status: test · Author: frack113 · ID: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
title: Disable Privacy Settings Experience in Registry
id: 0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b
status: test
description: Detects registry modifications that disable Privacy Settings Experience
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
author: frack113
date: 2022-10-02
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Windows\OOBE\DisablePrivacyExperience'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate admin script
level: medium
Disable Security Tools
Detects disabling security tools.
Level: medium · Status: test · Author: Daniil Yugoslavskiy, oscd.community · ID: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: macos
detection:
    launchctl_unload:
        Image: '/bin/launchctl'
        CommandLine|contains: 'unload'
    security_plists:
        CommandLine|contains:
            - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
            - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
            - 'com.google.santad.plist'                          # google santa
            - 'com.carbonblack.defense.daemon.plist'             # carbon black
            - 'com.carbonblack.daemon.plist'                     # carbon black
            - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
            - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus
            - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
            - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
            - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
            - 'osquery'                                          # facebook osquery
            - 'filebeat'                                         # elastic log file shipper
            - 'auditbeat'                                        # elastic auditing agent/log shipper
            - 'packetbeat'                                       # elastic network logger/shipper
            - 'td-agent'                                         # fluentd log shipper
    disable_gatekeeper:
        Image: '/usr/sbin/spctl'
        CommandLine|contains: 'disable'
    condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
    - Legitimate activities
level: medium
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection.
Level: medium · Status: test · Author: Austin Songer @austinsonger · ID: 93d298a1-d28f-47f1-a468-d971e7796679
title: Disable Tamper Protection on Windows Defender
id: 93d298a1-d28f-47f1-a468-d971e7796679
status: test
description: Detects disabling Windows Defender Tamper Protection
references:
    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows Defender\Features\TamperProtection'
        Details: 'DWORD (0x00000000)'
    filter_msmpeng_client: # only disabled temporarily during updates
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
        Image|endswith: '\MsMpEng.exe'
    filter_msmpeng_domain_controller: # only disabled temporarily during updates
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
Disable Windows Firewall by Registry
Detects EnableFirewall being set to 0 to disable the Windows firewall.
Level: medium · Status: test · Author: frack113 · ID: e78c408a-e2ea-43cd-b5ea-51975cf358c0
title: Disable Windows Firewall by Registry
id: e78c408a-e2ea-43cd-b5ea-51975cf358c0
status: test
description: Detects EnableFirewall being set to 0 to disable the Windows firewall
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1686.003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall'
            - '\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
Disable Windows Security Center Notifications
Detects UseActionCenterExperience being set to 0 to disable Windows Security Center notifications.
Level: medium · Status: test · Author: frack113 · ID: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
title: Disable Windows Security Center Notifications
id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6
status: test
description: Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Windows Security Center Notifications
      technique: T1112
      atomic_guid: 45914594-8df6-4ea9-b3cc-7eb9321a807e
medium
Disabled MFA to Bypass Authentication Mechanisms
Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
status test author @ionsor id 7ea78478-a4f9-42a6-9dcd-f861816122bf
title: Disabled MFA to Bypass Authentication Mechanisms
id: 7ea78478-a4f9-42a6-9dcd-f861816122bf
status: test
description: Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
references:
    - https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
author: '@ionsor'
date: 2022-02-08
tags:
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1556
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        eventSource: AzureActiveDirectory
        eventName: 'Disable Strong Authentication.'
        status: success
    condition: selection
falsepositives:
    - Authorized modification by administrators
level: medium
medium
Disabling Security Tools
Detects disabling security tools
status test author Ömer Günal, Alejandro Ortuno, oscd.community id e3a8a052-111f-4606-9aee-f28ebeb76776
title: Disabling Security Tools
id: e3a8a052-111f-4606-9aee-f28ebeb76776
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    category: process_creation
    product: linux
detection:
    selection_iptables_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_2:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_iptables_3:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'iptables'
            - 'stop'
    selection_iptables_4:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'ip6tables'
            - 'stop'
    selection_firewall_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'stop'
    selection_firewall_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'firewalld'
            - 'disable'
    selection_carbonblack_1:
        Image|endswith: '/service'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_2:
        Image|endswith: '/chkconfig'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'off'
    selection_carbonblack_3:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'stop'
    selection_carbonblack_4:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'cbdaemon'
            - 'disable'
    selection_selinux:
        Image|endswith: '/setenforce'
        CommandLine|contains: '0'
    selection_crowdstrike_1:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'stop'
            - 'falcon-sensor'
    selection_crowdstrike_2:
        Image|endswith: '/systemctl'
        CommandLine|contains|all:
            - 'disable'
            - 'falcon-sensor'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
medium
Disabling Security Tools - Builtin
Detects disabling security tools
status test author Ömer Günal, Alejandro Ortuno, oscd.community id 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
title: Disabling Security Tools - Builtin
id: 49f5dfc1-f92e-4d34-96fa-feba3f6acf36
related:
    - id: e3a8a052-111f-4606-9aee-f28ebeb76776
      type: derived
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-06-17
modified: 2022-11-26
tags:
    - attack.defense-impairment
    - attack.t1686
logsource:
    product: linux
    service: syslog
detection:
    keywords:
        - 'stopping iptables'
        - 'stopping ip6tables'
        - 'stopping firewalld'
        - 'stopping cbdaemon'
        - 'stopping falcon-sensor'
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: medium
medium
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
status test author Omar Khaled (@beacon_exe) id 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
title: Disk Image Creation Via Hdiutil - MacOS
id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
status: test
description: Detects the execution of the hdiutil utility in order to create a disk image.
references:
    - https://www.loobins.io/binaries/hdiutil/
    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
    - https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
    - attack.exfiltration
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: /hdiutil
        CommandLine|contains: 'create'
    condition: selection
falsepositives:
    - Legitimate usage of hdiutil by administrators and users.
level: medium
medium
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
status test author Omar Khaled (@beacon_exe) id bf241472-f014-4f01-a869-96f99330ca8c
title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
    - https://www.loobins.io/binaries/hdiutil/
    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
    - https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
    - attack.initial-access
    - attack.collection
    - attack.t1566.001
    - attack.t1560.001
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: /hdiutil
        CommandLine|contains:
            - 'attach '
            - 'mount '
    condition: selection
falsepositives:
    - Legitimate usage of hdiutil by administrators and users.
level: medium
medium
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
status test author Nasreddine Bencherchali (Nextron Systems) id fa1a7e52-3d02-435b-81b8-00da14dd66c1
title: Diskshadow Script Mode - Execution From Potential Suspicious Location
id: fa1a7e52-3d02-435b-81b8-00da14dd66c1
related:
    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
      type: similar
    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'diskshadow.exe'
        - Image|endswith: '\diskshadow.exe'
    selection_cli:
        CommandLine|contains|windash: '-s '
    selection_paths:
        CommandLine|contains:
            # Note: Add additional susp paths based on your org needs
            - ':\Temp\'
            - ':\Windows\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\ProgramData\'
            - '\Users\Public\'
    condition: all of selection_*
falsepositives:
    - False positives may occur if you execute the script from one of the paths mentioned in the rule. Apply additional filters that fit your org needs.
level: medium
medium
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
status test author Nasreddine Bencherchali (Nextron Systems) id 1dde5376-a648-492e-9e54-4241dd9b0c7f
title: Diskshadow Script Mode - Uncommon Script Extension Execution
id: 1dde5376-a648-492e-9e54-4241dd9b0c7f
related:
    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
      type: similar
    - id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8 # Potentially Suspicious Child Process Of DiskShadow.EXE
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: |
    Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension.
    Initial baselining of the allowed extension list is required.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'diskshadow.exe'
        - Image|endswith: '\diskshadow.exe'
    selection_flag:
        CommandLine|contains|windash: '-s '
    filter_main_ext:
        # Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths
        # Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule
        CommandLine|contains: '.txt'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - False positives might occur with legitimate or uncommon extensions used internally. Initial baseline is required.
level: medium
medium
Dism Remove Online Package
Detects the use of the Deployment Image Servicing and Management (DISM) tool to disable a feature in the running (online) Windows image. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
status test author frack113 id 43e32da2-fdd0-4156-90de-50dfd62636f9
title: Dism Remove Online Package
id: 43e32da2-fdd0-4156-90de-50dfd62636f9
status: test
description: Detects the use of the Deployment Image Servicing and Management (DISM) tool to disable a feature in the running (online) Windows image. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism
    - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
author: frack113
date: 2022-01-16
modified: 2022-08-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_dismhost:
        Image|endswith: '\DismHost.exe'
        ParentCommandLine|contains|all:
            - '/Online'
            - '/Disable-Feature'
            # - '/FeatureName:'
            # - '/Remove'
            # /NoRestart
            # /quiet
    selection_dism:
        Image|endswith: '\Dism.exe'
        CommandLine|contains|all:
            - '/Online'
            - '/Disable-Feature'
            # - '/FeatureName:'
            # - '/Remove'
            # /NoRestart
            # /quiet
    condition: 1 of selection_*
falsepositives:
    - Legitimate script
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dism_remove/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Windows Defender with DISM
      technique: T1562.001
      atomic_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58
medium
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
status test author frack113 id 5a5152f1-463f-436b-b2f5-8eceb3964b42
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
    Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
    This technique is abused by several malware families to hide their files from normal users.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
            - '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Django Framework Exceptions
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
status stable author Thomas Patzke id fd435618-981e-4a7c-81f8-f78ce480d616
title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
author: Thomas Patzke
date: 2017-08-05
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: django
detection:
    keywords:
        - SuspiciousOperation
        # Subclasses of SuspiciousOperation
        - DisallowedHost
        - DisallowedModelAdminLookup
        - DisallowedModelAdminToField
        - DisallowedRedirect
        - InvalidSessionKey
        - RequestDataTooBig
        - SuspiciousFileOperation
        - SuspiciousMultipartForm
        - SuspiciousSession
        - TooManyFieldsSent
        # Further security-related exceptions
        - PermissionDenied
    condition: keywords
falsepositives:
    - Application bugs
level: medium
medium
DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function
status test author frack113 id 84f52741-8834-4a8c-a413-2eb2269aa6c8
title: DllUnregisterServer Function Call Via Msiexec.EXE
id: 84f52741-8834-4a8c-a413-2eb2269aa6c8
status: test
description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-04-24
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe' # PE OriginalFileName carries no path, so no leading backslash
    selection_flag:
        CommandLine|contains|windash: ' -z '
    selection_dll:
        CommandLine|contains: '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Domain Trust Discovery Via Dsquery
Detects execution of "dsquery.exe" for domain trust discovery
status test author E.M. Anhaus, Tony Lambert, oscd.community, omkar72 id 3bad990e-4848-4a78-9530-b427d854aac0
title: Domain Trust Discovery Via Dsquery
id: 3bad990e-4848-4a78-9530-b427d854aac0
related:
    - id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b
      type: similar
    - id: 77815820-246c-47b8-9741-e0def3f57308
      type: obsolete
status: test
description: Detects execution of "dsquery.exe" for domain trust discovery
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
    - https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
date: 2019-10-24
modified: 2023-02-02
tags:
    - attack.discovery
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsquery.exe'
        - OriginalFileName: 'dsquery.exe'
    selection_cli:
        CommandLine|contains: 'trustedDomain'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the utility by an authorized user for administrative purposes
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Discover domain trusts with dsquery
      technique: T1482
      atomic_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f
medium
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
status test author Antonlovesdnb id ff0f2b05-09db-4095-b96d-1b75ca24894a
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\assembly\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/wget'
    selection_output:
        - CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
        - CommandLine|contains: '--output-document'
    selection_path:
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
status test author Florian Roth (Nextron Systems) id 195c1119-ef07-4909-bb12-e66f5e07bf3c
title: Download from Suspicious Dyndns Hosts
id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
status: test
description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
references:
    - https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
author: Florian Roth (Nextron Systems)
date: 2017-11-08
modified: 2023-05-18
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.t1568
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            - '.hopto.org'
            - '.no-ip.org'
            - '.no-ip.info'
            - '.no-ip.biz'
            - '.no-ip.com'
            - '.noip.com'
            - '.ddns.name'
            - '.myftp.org'
            - '.myftp.biz'
            - '.serveblog.net'
            - '.servebeer.com'
            - '.servemp3.com'
            - '.serveftp.com'
            - '.servequake.com'
            - '.servehalflife.com'
            - '.servehttp.com'
            - '.servegame.com'
            - '.servepics.com'
            - '.myvnc.com'
            - '.ignorelist.com'
            - '.jkub.com'
            - '.dlinkddns.com'
            - '.jumpingcrab.com'
            - '.ddns.info'
            - '.mooo.com'
            - '.dns-dns.com'
            - '.strangled.net'
            - '.adultdns.net'
            - '.craftx.biz'
            - '.ddns01.com'
            - '.dns53.biz'
            - '.dnsapi.info'
            - '.dnsd.info'
            - '.dnsdynamic.com'
            - '.dnsdynamic.net'
            - '.dnsget.org'
            - '.fe100.net'
            - '.flashserv.net'
            - '.ftp21.net'
            - '.http01.com'
            - '.http80.info'
            - '.https443.com'
            - '.imap01.com'
            - '.kadm5.com'
            - '.mysq1.net'
            - '.ns360.info'
            - '.ntdll.net'
            - '.ole32.com'
            - '.proxy8080.com'
            - '.sql01.com'
            - '.ssh01.com'
            - '.ssh22.net'
            - '.tempors.com'
            - '.tftpd.net'
            - '.ttl60.com'
            - '.ttl60.org'
            - '.user32.com'
            - '.voip01.com'
            - '.wow64.net'
            - '.x64.me'
            - '.xns01.com'
            - '.dyndns.org'
            - '.dyndns.info'
            - '.dyndns.tv'
            - '.dyndns-at-home.com'
            - '.dnsomatic.com'
            - '.zapto.org'
            - '.webhop.net'
            - '.25u.com'
            - '.slyip.net'
    condition: selection
falsepositives:
    - Software downloads
level: medium
medium
Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
status test author Nasreddine Bencherchali (Nextron Systems) id 3f5491e2-8db8-496b-9e95-1029fce852d4
title: Driver/DLL Installation Via Odbcconf.EXE
id: 3f5491e2-8db8-496b-9e95-1029fce852d4
related:
    - id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
      type: similar
status: test
description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
    - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains|all:
            - 'INSTALLDRIVER '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate driver DLLs being registered via "odbcconf" will generate false positives. Investigate the path of the DLL and its contents to determine if the action is authorized.
level: medium
medium
DriverQuery.EXE Execution
Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers
status test author Nasreddine Bencherchali (Nextron Systems) id a20def93-0709-4eae-9bd2-31206e21e6b2
title: DriverQuery.EXE Execution
id: a20def93-0709-4eae-9bd2-31206e21e6b2
related:
    - id: 9fc3072c-dc8f-4bf7-b231-18950000fadd
      type: similar
status: test
description: Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers
references:
    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
    - https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
    - https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-19
modified: 2023-09-29
tags:
    - attack.discovery
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\driverquery.exe' # anchor on the path separator so only the exact binary name matches
        - OriginalFileName: 'drvqry.exe'
    filter_main_other: # These are covered in 9fc3072c-dc8f-4bf7-b231-18950000fadd to avoid duplicate alerting
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - ParentImage|contains:
              - '\AppData\Local\'
              - '\Users\Public\'
              - '\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use by third party tools in order to investigate installed drivers
level: medium # Level could be reduced to low if this utility is often used in your environment
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_driverquery_usage/info.yml
medium
Drop Binaries Into Spool Drivers Color Folder
Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder as seen in the blog referenced below
status test author Nasreddine Bencherchali (Nextron Systems) id ce7066a6-508a-42d3-995b-2952c65dc2ce
title: Drop Binaries Into Spool Drivers Color Folder
id: ce7066a6-508a-42d3-995b-2952c65dc2ce
status: test
description: Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder as seen in the blog referenced below
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\spool\drivers\color\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
            - '.sys'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Dropping Of Password Filter DLL
Detects dropping of DLL files in system32 that may be used to retrieve user credentials from LSASS
status test author Sreeman id b7966f4a-b333-455b-8370-8ca53c229762
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of DLL files in system32 that may be used to retrieve user credentials from LSASS
references:
    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline:
        CommandLine|contains|all:
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            - 'scecli\0*'
            - 'reg add'
    condition: selection_cmdline
falsepositives:
    - Unknown
level: medium
medium
Dump Credentials from Windows Credential Manager With PowerShell
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
status test author frack113 id 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
title: Dump Credentials from Windows Credential Manager With PowerShell
id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
status: test
description: |
    Adversaries may search for common password storage locations to obtain user credentials.
    Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_kiddie:
        ScriptBlockText|contains:
            - 'Get-PasswordVaultCredentials'
            - 'Get-CredManCreds'
    selection_rename_Password:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'Windows.Security.Credentials.PasswordVault'
    selection_rename_credman:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'Microsoft.CSharp.CSharpCodeProvider'
            - '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
            - 'Collections.ArrayList'
            - 'System.CodeDom.Compiler.CompilerParameters'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
Dump Ntds.dit To Suspicious Location
Detects potential abuse of ntdsutil to dump the ntds.dit database to a suspicious location
status test author Nasreddine Bencherchali (Nextron Systems) id 94dc4390-6b7c-4784-8ffc-335334404650
title: Dump Ntds.dit To Suspicious Location
id: 94dc4390-6b7c-4784-8ffc-335334404650
status: test
description: Detects potential abuse of ntdsutil to dump the ntds.dit database to a suspicious location
references:
    - https://twitter.com/mgreen27/status/1558223256704122882
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2023-10-23
tags:
    - attack.execution
logsource:
    product: windows
    service: application
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection_root:
        Provider_Name: 'ESENT'
        EventID: 325 # New Database Created
        Data|contains: 'ntds.dit'
    selection_paths:
        Data|contains:
            # Add more locations that you don't use in your env or that are just suspicious
            - ':\ntds.dit'
            - '\Appdata\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
    condition: all of selection_*
falsepositives:
    - Legitimate backup operation/creating shadow copies
level: medium
medium
DumpMinitool Execution
Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via the "MiniDumpWriteDump" API
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) id dee0a7a3-f200-4112-a99b-952196d81e42
title: DumpMinitool Execution
id: dee0a7a3-f200-4112-a99b-952196d81e42
status: test
description: Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via the "MiniDumpWriteDump" API
references:
    - https://twitter.com/mrd0x/status/1511415432888131586
    - https://twitter.com/mrd0x/status/1511489821247684615
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
    - https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\DumpMinitool.exe'
              - '\DumpMinitool.x86.exe'
              - '\DumpMinitool.arm64.exe'
        - OriginalFileName:
              - 'DumpMinitool.exe'
              - 'DumpMinitool.x86.exe'
              - 'DumpMinitool.arm64.exe'
    selection_cli:
        CommandLine|contains:
            - ' Full'
            - ' Mini'
            - ' WithHeap'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
status test author Kirill Kiryanov, oscd.community id 23ceaf5c-b6f1-4a32-8559-f2ff734be516
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
    - https://twitter.com/countuponsec/status/910977826853068800
    - https://twitter.com/countuponsec/status/910969424215232518
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sqldumper.exe'
        CommandLine|contains:
            - '0x0110'
            - '0x01100:40'
    condition: selection
falsepositives:
    - Legitimate MSSQL Server actions
level: medium
medium
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
status test author Florian Roth (Nextron Systems), X__Junior (Nextron Systems) id dcaa3f04-70c3-427a-80b4-b870d73c94c4
title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
    - https://twitter.com/gN3mes1s/status/1206874118282448897
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-08-24
modified: 2026-03-23
tags:
    - attack.stealth
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\csc.exe'
    selection_susp_location_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\' # User execution
            - '\Temporary Internet'
            - '\Windows\Temp\' # Admin execution
    selection_susp_location_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    selection_susp_location_3:
        CommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: # Chocolatey https://chocolatey.org/
            - 'C:\ProgramData\chocolatey\choco.exe'
            - 'C:\ProgramData\chocolatey\tools\shimgen.exe'
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
    - Ansible
level: medium
medium
ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
status test author Cedric Maurugeon id b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on ESXi system via esxcli
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
    - attack.persistence
    - attack.execution
    - attack.t1136
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system '
            - 'account '
            - 'add '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
medium
ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
status test author Cedric Maurugeon id 33e814e0-1f00-4e43-9c34-31fb7ae2b174
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'network'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
medium
ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
status test author Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon id f41dada5-3f56-4232-8503-3fb7f9cf2d60
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'storage'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
medium
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
status test author Cedric Maurugeon id 38eb1dbb-011f-40b1-a126-cf03a0210563
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
    - attack.t1690
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system'
            - 'syslog'
            - 'config'
        CommandLine|contains: ' set'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
medium
ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
status test author Cedric Maurugeon id e80273e1-9faf-40bc-bd85-dbaff104c4e9
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
medium
ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
status test author Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon id 2992ac4d-31e9-4325-99f2-b18a73221bb2
title: ESXi VM Kill Via ESXCLI
id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
status: test
description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.execution
    - attack.impact
    - attack.t1059.012
    - attack.t1529
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'vm process'
            - 'kill'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin