Home/Sigma rules
Sigma

Sigma detection rules

3,132 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 3,132
high
Control Panel Items
Detects the malicious use of a control panel item
status test author Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) id 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
view Sigma YAML 
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high
high
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
status test author Nasreddine Bencherchali (Nextron Systems) id 044ba588-dff4-4918-9808-3f95e8160606
view Sigma YAML 
title: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
id: 044ba588-dff4-4918-9808-3f95e8160606
status: test
description: Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-27
modified: 2023-09-12
tags:
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    # Example: copy \\<host>\\<folder>\\process.dmp C:\Users\process.dmp
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'copy '
            - ' \\\\'
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
status test author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) id c73124a7-3e89-44a3-bdc1-25fe4df754b1
view Sigma YAML 
title: Copy From VolumeShadowCopy Via Cmd.EXE
id: c73124a7-3e89-44a3-bdc1-25fe4df754b1
status: test
description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2023-03-07
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\
        # There is an additional "\" to escape the special "?"
        CommandLine|contains|all:
            - 'copy '
            - '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    condition: selection
falsepositives:
    - Backup scenarios using the commandline
level: high
high
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id fa4aaed5-4fe0-498d-bbc0-08e3346387ba
view Sigma YAML 
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/cp'
    selection_path:
        CommandLine|contains: '/tmp/'
    selection_file:
        CommandLine|contains:
            - 'passwd'
            - 'shadow'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
status test author Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
view Sigma YAML 
title: Copying Sensitive Files with Credential Data
id: e7be6119-fc37-43f0-ad4f-1f3f99be2f9f
status: test
description: Files with well-known filenames (sensitive files with credential data) copying
references:
    - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
    - car.2013-07-001
    - attack.s0404
logsource:
    category: process_creation
    product: windows
detection:
    selection_esent_img:
        - Image|endswith: '\esentutl.exe'
        - OriginalFileName: '\esentutl.exe'
    selection_esent_cli:
        CommandLine|contains|windash:
            - 'vss'
            - ' /m '
            - ' /y '
    selection_susp_paths:
        CommandLine|contains:
            - '\config\RegBack\sam'
            - '\config\RegBack\security'
            - '\config\RegBack\system'
            - '\config\sam'
            - '\config\security'
            - '\config\system '        # space needed to avoid false positives with \config\systemprofile\
            - '\repair\sam'
            - '\repair\security'
            - '\repair\system'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_esent_* or selection_susp_paths
falsepositives:
    - Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic investigator.
level: high
high
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
status test author frack113 id afd12fed-b0ec-45c9-a13d-aa86625dac81
view Sigma YAML 
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-12
tags:
    - attack.credential-access
    - attack.t1003.003
    - attack.ds0005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Win32_ShadowCopy
            - ').Create('
            - ClientAccessible
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: high
high
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
view Sigma YAML 
title: CreateDump Process Dump
id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
related:
    - id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
      type: similar
status: test
description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
    - https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-04
modified: 2022-08-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\createdump.exe'
        - OriginalFileName: 'FX_VER_INTERNALNAME_STR'
    selection_cli:
        CommandLine|contains:
            - ' -u ' # Short version of '--full'
            - ' --full '
            - ' -f ' # Short version of '--name'
            - ' --name '
            - '.dmp '
    condition: all of selection_*
falsepositives:
    - Command lines that use the same flags
level: high
high
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
status test author frack113 id 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
view Sigma YAML 
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
    Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.009
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Feel free to add more
        TargetFilename: 'C:\program.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
status test author Christian Burkard (Nextron Systems) id 460479f3-80b7-42da-9c43-2cc1d54dbccd
view Sigma YAML 
title: Creation of a Local Hidden User Account by Registry
id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
status: test
description: Sysmon registry detection of a local hidden user account.
references:
    - https://twitter.com/SBousseaden/status/1387530414185664538
author: Christian Burkard (Nextron Systems)
date: 2021-05-03
modified: 2025-10-31
tags:
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\SAM\SAM\Domains\Account\Users\Names\'
        TargetObject|endswith: '$\(Default)'
        Image|endswith: '\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_event/registry_event_add_local_hidden_user/info.yml
simulation:
    - type: atomic-red-team
      name: Create Hidden User in Registry
      technique: T1564.002
      atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
high
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
status test author Teymur Kheirkhabarov, oscd.community id 8fbf3271-1ef6-4e94-8210-03c2317947f6
view Sigma YAML 
title: Cred Dump Tools Dropped Files
id: 8fbf3271-1ef6-4e94-8210-03c2317947f6
status: test
description: Files with well-known filenames (parts of credential dump software or files produced by them) creation
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2025-10-25
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.003
    - attack.t1003.004
    - attack.t1003.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains:
              - '\fgdump-log'
              - '\kirbi'
              - '\pwdump'
              - '\pwhashes'
              - '\wce_ccache'
              - '\wce_krbtkts'
        - TargetFilename|endswith:
              - '\cachedump.exe'
              - '\cachedump64.exe'
              - '\DumpExt.dll'
              - '\DumpSvc.exe'
              - '\Dumpy.exe'
              - '\fgexec.exe'
              - '\lsremora.dll'
              - '\lsremora64.dll'
              - '\NTDS.out'
              - '\procdump.exe'
              - '\procdump64.exe'
              - '\procdump64a.exe'
              - '\pstgdump.exe'
              - '\pwdump.exe'
              - '\SAM.out'
              - '\SECURITY.out'
              - '\servpw.exe'
              - '\servpw64.exe'
              - '\SYSTEM.out'
              - '\test.pwd'
              - '\wceaux.dll'
    condition: selection
falsepositives:
    - Legitimate Administrator using tool for password recovery
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files/info.yml
high
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
status stable author Bhabesh Raj, Jonhnathan Ribeiro id f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
view Sigma YAML 
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
    - id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
      type: obsolete
    - id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
      type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
    - https://twitter.com/bh4b3sh/status/1303674603819081728
    - https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0349
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        CallTrace|contains|all:
            - '_ctypes.pyd+'
            - ':\Windows\System32\KERNELBASE.dll+'
            - ':\Windows\SYSTEM32\ntdll.dll+'
        CallTrace|contains:
            - 'python27.dll+'
            - 'python3*.dll+'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
status test author Florent Labouyrie id 174afcfa-6e40-4ae9-af64-496546389294
view Sigma YAML 
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
    - Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\svchost.exe'
        GrantedAccess: '0x143a'
    filter_main_known_processes:
        SourceImage|endswith:
            - '\services.exe'
            - '\msiexec.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
status test author Florian Roth (Nextron Systems) id e5b33f7d-eb93-48b6-9851-09e1e610b6d7
view Sigma YAML 
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
    - https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\WerFault.exe'
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1FFFFF'
    condition: selection
falsepositives:
    - Actual failures in lsass.exe that trigger a crash dump (unlikely)
    - Unknown cases in which WerFault accesses lsass.exe
level: high
high
Credential Dumping Tools Service Execution - Security
Detects well-known credential dumping tools execution via service execution events
status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id f0d1feba-4344-4ca9-8121-a6c97bd6df52
view Sigma YAML 
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
high
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
status test author Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
view Sigma YAML 
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high
high
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
status test author Igor Fits, Mikhail Larin, oscd.community id 53b1b378-9b06-4992-b972-dde6e423d2b4
view Sigma YAML 
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image|endswith: '/grep'
        CommandLine|contains: 'password'
    selection2:
        CommandLine|contains: 'laZagne'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
Credentials In Files - Linux
Detecting attempts to extract passwords with grep
status test author Igor Fits, oscd.community id df3fcaea-2715-4214-99c5-0056ea59eb35
view Sigma YAML 
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
    keywords:
        '|all':
            - 'grep'
            - 'password'
    condition: selection and keywords
falsepositives:
    - Unknown
level: high
high
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
status test author Florian Roth (Nextron Systems) id 39f919f3-980b-4e6f-a975-8af7e507ef2b
view Sigma YAML 
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
    - id: 839dd1e8-eda8-4834-8145-01beeee33acd
      type: obsolete
status: test
description: |
    Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
    This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
    Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
    - https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
    - attack.credential-access
    - attack.t1003.002
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 16
        Provider_Name: Microsoft-Windows-Kernel-General
        HiveName|contains:
            - '\Temp\SAM'
            - '\Temp\SECURITY'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
status test author Saw Win Naung, Nasreddine Bencherchali id 65354b83-a2ea-4ea6-8414-3ab38be0d409
view Sigma YAML 
title: Cross Site Scripting Strings
id: 65354b83-a2ea-4ea6-8414-3ab38be0d409
status: test
description: Detects XSS attempts injected via GET requests in access logs
references:
    - https://github.com/payloadbox/xss-payload-list
    - https://portswigger.net/web-security/cross-site-scripting/contexts
author: Saw Win Naung, Nasreddine Bencherchali
date: 2021-08-15
modified: 2022-06-14
tags:
    - attack.initial-access
    - attack.t1189
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '=<script>'
        - '=%3Cscript%3E'
        - '=%253Cscript%253E'
        - '<iframe '
        - '%3Ciframe '
        - '<svg '
        - '%3Csvg '
        - 'document.cookie'
        - 'document.domain'
        - ' onerror='
        - ' onresize='
        - ' onload="'
        - 'onmouseover='
        - '${alert'
        - 'javascript:alert'
        - 'javascript%3Aalert'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - JavaScripts,CSS Files and PNG files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
high
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
status test author Florian Roth (Nextron Systems) id fa935401-513b-467b-81f4-f9e77aa0dd78
view Sigma YAML 
title: Crypto Miner User Agent
id: fa935401-513b-467b-81f4-f9e77aa0dd78
status: test
description: Detects suspicious user agent strings used by crypto miners in proxy logs
references:
    - https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65
    - https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
author: Florian Roth (Nextron Systems)
date: 2019-10-21
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection:
        c-useragent|startswith:
        # XMRig
            - 'XMRig '
        # CCMiner
            - 'ccminer'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id b730a276-6b63-41b8-bcf8-55930c8fc6ee
view Sigma YAML 
title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
    - https://reaqta.com/2017/11/short-journey-darkvnc/
    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csc.exe'
        - OriginalFileName: 'csc.exe'
    selection_parent_generic:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\excel.exe'
            - '\mshta.exe'
            - '\onenote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wscript.exe'
    selection_parent_powershell:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains:
            - '-Encoded '
            - 'FromBase64String'
    selection_parent_susp_location:
        - ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
        - ParentCommandLine|contains:
              - ':\PerfLogs\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
status test author Nasreddine Bencherchali (Nextron Systems) id 99b7460d-c9f1-40d7-a316-1f36f61d52ee
view Sigma YAML 
title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_extension:
        CommandLine|contains:
            # Note: add additional potential suspicious extension
            # We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
            - '.csv'
            - '.dat'
            - '.doc'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.ppt'
            - '.txt'
            - '.xls'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
status test author Sreeman, Nasreddine Bencherchali (Nextron Systems) id 21dd6d38-2b18-4453-9404-a0fe4a0cc288
view Sigma YAML 
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
status test author CD_R0M_ id 7530b96f-ad8e-431d-a04d-ac85cc461fdc
view Sigma YAML 
title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
status: test
description: Detects the abuse of custom file open handler, executing powershell
references:
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'shell\open\command\'
        Details|contains|all:
            - 'powershell'
            - '-command'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) id c39f0c81-7348-4965-ab27-2fde35a1b641
view Sigma YAML 
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
status test author Dimitrios Slamaris id 9d3436ef-9476-4c43-acca-90ce06bdf33a
view Sigma YAML 
title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Services\DHCPServer\Parameters\CalloutDlls'
            - '\Services\DHCPServer\Parameters\CalloutEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
status test author Dimitrios Slamaris, @atc_project (fix) id 75edd3fd-7146-48e5-9848-3013d7f0282c
view Sigma YAML 
title: DHCP Server Error Failed Loading the CallOut DLL
id: 75edd3fd-7146-48e5-9848-3013d7f0282c
status: test
description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: 'Dimitrios Slamaris, @atc_project (fix)'
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 1031
            - 1032
            - 1034
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
status test author Dimitrios Slamaris id 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
view Sigma YAML 
title: DHCP Server Loaded the CallOut DLL
id: 13fc89a9-971e-4ca6-b9dc-aa53a445bf40
status: test
description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 1033
        Provider_Name: Microsoft-Windows-DHCP-Server
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
status test author Florian Roth (Nextron Systems) id b3503044-60ce-4bf4-bbcb-e3db98788823
view Sigma YAML 
title: DLL Load via LSASS
id: b3503044-60ce-4bf4-bbcb-e3db98788823
status: test
description: Detects a method to load DLL via LSASS process using an undocumented Registry key
references:
    - https://blog.xpnsec.com/exploring-mimikatz-part-1/
    - https://twitter.com/SBousseaden/status/1183745981189427200
author: Florian Roth (Nextron Systems)
date: 2019-10-16
modified: 2022-04-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1547.008
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
            - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
    filter_domain_controller:
        Image: 'C:\Windows\system32\lsass.exe'
        Details:
            - '%%systemroot%%\system32\ntdsa.dll'
            - '%%systemroot%%\system32\lsadb.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
status test author Nasreddine Bencherchali (Nextron Systems) id 75e508f7-932d-4ebc-af77-269237a84ce1
view Sigma YAML 
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        ImageLoaded|contains:
            # Add more suspicious paths as you see fit in your env
            - '\PerfLogs\'
            - '\ProgramData\'
            - '\Users\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        ImageLoaded|endswith:
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unikely
level: high
high
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b6f91281-20aa-446a-b986-38a92813a18f
view Sigma YAML 
title: DLL Search Order Hijackig Via Additional Space in Path
id: b6f91281-20aa-446a-b986-38a92813a18f
status: test
description: |
    Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)
    but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
references:
    - https://twitter.com/cyb3rops/status/1552932770464292864
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Windows \'
            - 'C:\Program Files \'
            - 'C:\Program Files (x86) \'
        TargetFilename|endswith: '.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
status test author Nasreddine Bencherchali (Nextron Systems) id ee4c5d06-3abc-48cc-8885-77f1c20f4451
view Sigma YAML 
title: DLL Sideloading Of ShellChromeAPI.DLL
id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
related:
    - id: e173ad47-4388-4012-ae62-bd13f71c18a8
      type: similar
status: test
description: |
    Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL.
    Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
    - https://mobile.twitter.com/0gtweet/status/1564131230941122561
    - https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        # The DLL shouldn't exist on Windows anymore. If for some reason you still have it. You could filter out legitimate calls
        ImageLoaded|endswith: '\ShellChromeAPI.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
status test author Nasreddine Bencherchali (Nextron Systems) id ebea773c-a8f1-42ad-a856-00cb221966e8
view Sigma YAML 
title: DLL Sideloading by VMware Xfer Utility
id: ebea773c-a8f1-42ad-a856-00cb221966e8
status: test
description: Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
    - https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\VMwareXferlogs.exe'
    filter: # VMware might be installed in another path so update the rule accordingly
        Image|startswith: 'C:\Program Files\VMware\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
status test author Daniil Yugoslavskiy, oscd.community id 98a96a5a-64a0-4c42-92c5-489da3866cb0
view Sigma YAML 
title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 7bd3902d-8b8b-4dd4-838a-c6862d40150d
view Sigma YAML 
title: DNS HybridConnectionManager Service Bus
id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d
status: test
description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
references:
    - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2021-04-12
modified: 2023-01-16
tags:
    - attack.persistence
    - attack.t1554
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: 'servicebus.windows.net'
        Image|contains: 'HybridConnectionManager'
    condition: selection
falsepositives:
    - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service
level: high
high
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
status test author frack113 id b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
view Sigma YAML 
title: DNS Query Tor .Onion Address - Sysmon
id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
related:
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
    - id: a8322756-015c-42e7-afb1-436e85ed3ff5
      type: similar
status: test
description: Detects DNS queries to an ".onion" address related to Tor routing networks
references:
    - https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: frack113
date: 2022-02-20
modified: 2025-09-12
tags:
    - attack.command-and-control
    - attack.t1090.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.to'
            - '.onion.top'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id c082c2b0-525b-4dbc-9a26-a57dc4692074
view Sigma YAML 
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
    - id: af491bca-e752-4b44-9c86-df5680533dbc
      type: similar
status: experimental
description: |
    Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
    In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
    Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
    Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
    - https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.command-and-control
    - attack.t1071.004
    - attack.execution
    - attack.t1059.003
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
status test author Nasreddine Bencherchali (Nextron Systems) id 29f171d7-aa47-42c7-9c7b-3c87938164d9
view Sigma YAML 
title: DNS Query for Anonfiles.com Domain - DNS Client
id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
    - id: 065cceea-77ec-4030-9052-fc0affea7110
      type: similar
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    service: dns-client
    definition: 'Requirements: Microsoft-Windows-DNS Client Events/Operational Event Log must be enabled/collected in order to receive the events.'
detection:
    selection:
        EventID: 3008
        QueryName|contains: '.anonfiles.com'
    condition: selection
falsepositives:
    - Rare legitimate access to anonfiles.com
level: high
high
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
status test author pH-T (Nextron Systems) id 065cceea-77ec-4030-9052-fc0affea7110
view Sigma YAML 
title: DNS Query for Anonfiles.com Domain - Sysmon
id: 065cceea-77ec-4030-9052-fc0affea7110
related:
    - id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
      type: similar
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
    - https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-01-16
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        QueryName|contains: '.anonfiles.com'
    condition: selection
falsepositives:
    - Rare legitimate access to anonfiles.com
level: high
high
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
status test author Florian Roth (Nextron Systems), Matt Kelly (list of domains) id aff715fa-4dd5-497a-8db3-910bea555566
view Sigma YAML 
title: DNS Query to External Service Interaction Domains
id: aff715fa-4dd5-497a-8db3-910bea555566
status: test
description: |
    Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
references:
    - https://twitter.com/breakersall/status/1533493587828260866
    - https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-advisory-critical-unauthenticated-rce-windows-server-update-services-cve-2025-59287
    - https://github.com/SigmaHQ/sigma/pull/5724#issuecomment-3466382234
author: Florian Roth (Nextron Systems), Matt Kelly (list of domains)
date: 2022-06-07
modified: 2026-01-24
tags:
    - attack.initial-access
    - attack.t1190
    - attack.reconnaissance
    - attack.t1595.002
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - '.burpcollaborator.net' # Portswigger Burpsuite Collaborator
            - '.canarytokens.com' # Thinkst Canary Canarytokens
            - '.ceye.io'
            - '.ddns.1443.eu.org' # dig.pm
            - '.ddns.bypass.eu.org' # dig.pm
            - '.ddns.xn--gg8h.eu.org' # dig.pm
            - '.digimg.store' # dnslog.ink
            - '.dns.su18.org' # javaweb.org
            - '.dnshook.site' # webhook.site
            - '.dnslog.cn'
            - '.dnslog.ink' # dnslog.ink
            - '.instances.httpworkbench.com' # httpworkbench.com
            - '.interact.sh' # Project Discovery Interactsh
            - '.log.dnslog.pp.ua' # dnslog.org
            - '.log.dnslog.qzz.io' # dnslog.org
            - '.log.dnslogs.dpdns.org' # dnslog.org
            - '.log.javaweb.org' # javaweb.org
            - '.log.nat.cloudns.ph' # dnslog.org
            - '.oast.fun' # Project Discovery Interactsh
            - '.oast.live' # Project Discovery Interactsh
            - '.oast.me' # Project Discovery Interactsh
            - '.oast.online' # Project Discovery Interactsh
            - '.oast.pro' # Project Discovery Interactsh
            - '.oast.site' # Project Discovery Interactsh
            - '.oastify.com' # Portswigger Burpsuite Collaborator
            - '.p8.lol' # javaweb.org
            - '.requestbin.net'
    filter_main_polling:
        query|contains: 'polling.oastify.com'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate security scanning.
level: high
high
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
status test author Florian Roth (Nextron Systems) id cbe51394-cd93-4473-b555-edf0144952d9
view Sigma YAML 
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
    - https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID:
            - 150
            - 770
            - 771
    condition: selection
falsepositives:
    - Unknown
level: high
high
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
status test author Markus Neis id 8ae51330-899c-4641-8125-e39f2e07da72
view Sigma YAML 
title: DNS TXT Answer with Possible Execution Strings
id: 8ae51330-899c-4641-8125-e39f2e07da72
status: test
description: Detects strings used in command execution in DNS TXT Answer
references:
    - https://twitter.com/stvemillertime/status/1024707932447854592
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
author: Markus Neis
date: 2018-08-08
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        record_type: 'TXT'
        answer|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'cmd.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
status test author Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) id 7892ec59-c5bb-496d-8968-e5d210ca3ac4
view Sigma YAML 
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
status test author Roberto Rodriguez @Cyb3rWard0g id 4ac1f50b-3bd0-4968-902d-868b4647937e
view Sigma YAML 
title: DPAPI Domain Backup Key Extraction
id: 4ac1f50b-3bd0-4968-902d-868b4647937e
status: test
description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-06-20
modified: 2022-02-24
tags:
    - attack.credential-access
    - attack.t1003.004
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        ObjectType: 'SecretObject'
        AccessMask: '0x2'
        ObjectName|contains: 'BCKUPKEY'
    condition: selection
falsepositives:
    - Unknown
level: high
high
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri id 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
    - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
high
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author Nasreddine Bencherchali (Nextron Systems) id 846c7a87-8e14-4569-9d49-ecfd4276a01c
view Sigma YAML 
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
      type: similar
status: test
description: |
    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Add-ADDBSidHistory'
            - 'Add-ADNgcKey'
            - 'Add-ADReplNgcKey'
            - 'ConvertFrom-ADManagedPasswordBlob'
            - 'ConvertFrom-GPPrefPassword'
            - 'ConvertFrom-ManagedPasswordBlob'
            - 'ConvertFrom-UnattendXmlPassword'
            - 'ConvertFrom-UnicodePassword'
            - 'ConvertTo-AADHash'
            - 'ConvertTo-GPPrefPassword'
            - 'ConvertTo-KerberosKey'
            - 'ConvertTo-LMHash'
            - 'ConvertTo-MsoPasswordHash'
            - 'ConvertTo-NTHash'
            - 'ConvertTo-OrgIdHash'
            - 'ConvertTo-UnicodePassword'
            - 'Disable-ADDBAccount'
            - 'Enable-ADDBAccount'
            - 'Get-ADDBAccount'
            - 'Get-ADDBBackupKey'
            - 'Get-ADDBDomainController'
            - 'Get-ADDBGroupManagedServiceAccount'
            - 'Get-ADDBKdsRootKey'
            - 'Get-ADDBSchemaAttribute'
            - 'Get-ADDBServiceAccount'
            - 'Get-ADDefaultPasswordPolicy'
            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
            - 'Get-ADPasswordPolicy'
            - 'Get-ADReplAccount'
            - 'Get-ADReplBackupKey'
            - 'Get-ADReplicationAccount'
            - 'Get-ADSIAccount'
            - 'Get-AzureADUserEx'
            - 'Get-BootKey'
            - 'Get-KeyCredential'
            - 'Get-LsaBackupKey'
            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
            - 'Get-SamPasswordPolicy'
            - 'Get-SysKey'
            - 'Get-SystemKey'
            - 'New-ADDBRestoreFromMediaScript'
            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
            - 'New-ADNgcKey'
            - 'New-NTHashSet'
            - 'Remove-ADDBObject'
            - 'Save-DPAPIBlob'
            - 'Set-ADAccountPasswordHash'
            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
            - 'Set-ADDBBootKey'
            - 'Set-ADDBDomainController'
            - 'Set-ADDBPrimaryGroup'
            - 'Set-ADDBSysKey'
            - 'Set-AzureADUserEx'
            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
            - 'Set-SamAccountPasswordHash'
            - 'Set-WinUserPasswordHash'
            - 'Test-ADDBPasswordQuality'
            - 'Test-ADPasswordQuality'
            - 'Test-ADReplPasswordQuality'
            - 'Test-PasswordQuality'
            - 'Unlock-ADDBAccount'
            - 'Write-ADNgcKey'
            - 'Write-ADReplNgcKey'
    condition: selection
falsepositives:
    - Legitimate usage of DSInternals for administration or audit purpose.
level: high
high
Default Cobalt Strike Certificate
Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
status test author Bhabesh Raj id 7100f7e3-92ce-4584-b7b7-01b40d3d4118
view Sigma YAML 
title: Default Cobalt Strike Certificate
id: 7100f7e3-92ce-4584-b7b7-01b40d3d4118
status: test
description: Detects the presence of default Cobalt Strike certificate in the HTTPS traffic
references:
    - https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
author: Bhabesh Raj
date: 2021-06-23
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.s0154
logsource:
    product: zeek
    service: x509
detection:
    selection:
        certificate.serial: 8BB00EE
    condition: selection
falsepositives:
    - Unknown
level: high
high
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
status test author frack113 id 509e84b9-a71a-40e0-834f-05470369bd1e
view Sigma YAML 
title: Default RDP Port Changed to Non Standard Port
id: 509e84b9-a71a-40e0-834f-05470369bd1e
status: test
description: |
    Detects changes to the default RDP port.
    Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
    Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md
author: frack113
date: 2022-01-01
modified: 2024-03-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.010
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber'
    filter_main_port:
        Details: DWORD (0x00000d3d) # 3389
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_rdp_port/info.yml
simulation:
    - type: atomic-red-team
      name: Changing RDP Port to Non Standard Port via Powershell
      technique: T1021.001
      atomic_guid: 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
    - type: atomic-red-team
      name: Changing RDP Port to Non Standard Port via Command_Prompt
      technique: T1021.001
      atomic_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
high
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
status test author Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' id a6355fbe-f36f-45d8-8efc-ab42465cbc52
view Sigma YAML 
title: Delegated Permissions Granted For All Users
id: a6355fbe-f36f-45d8-8efc-ab42465cbc52
status: test
description: Detects when highly privileged delegated permissions are granted on behalf of all users
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
author: Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'
date: 2022-07-28
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add delegated permission grant
    condition: selection
falsepositives:
    - When the permission is legitimately needed for the app
level: high
high
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
status test author Nasreddine Bencherchali (Nextron Systems) id 220457c1-1c9f-4c2e-afe6-9598926222c1
view Sigma YAML 
title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /delete '
            - '/tn \*'
            - ' /f'
    condition: selection
falsepositives:
    - Unlikely
level: high
Showing 201-250 of 3,132
Prev 5 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin