Home/Sigma rules
Sigma

Sigma detection rules

87 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 87
critical
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status test author Florian Roth (Nextron Systems), Wojciech Lesicki id 5a105d34-05fc-401e-8553-272b45c1522d
view Sigma YAML 
title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga id 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
view Sigma YAML 
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: f354eba5-623b-450f-b073-0b5b2773b6aa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga id f354eba5-623b-450f-b073-0b5b2773b6aa
view Sigma YAML 
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\Internet Explorer\iexplore.exe'
        ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 614a7e17-5643-4d89-b6fe-f9df1a79641c
view Sigma YAML 
title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
high
BaaUpdate.exe Suspicious DLL Load
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
view Sigma YAML 
title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
      type: similar
status: experimental
description: |
    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection
falsepositives:
    - Unknown
level: high
high
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
status test author Florian Roth (Nextron Systems), Wojciech Lesicki id d7a95147-145f-4678-b85d-d1ff4a3bb3f6
view Sigma YAML 
title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high
high
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
status test author Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) id c39f0c81-7348-4965-ab27-2fde35a1b641
view Sigma YAML 
title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
id: c39f0c81-7348-4965-ab27-2fde35a1b641
status: test
description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-11-26
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
First Time Seen Remote Named Pipe
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
status test author Samir Bousseaden id 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
view Sigma YAML 
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
    false_positives:
        RelativeTargetName:
            - 'atsvc'
            - 'samr'
            - 'lsarpc'
            - 'lsass'
            - 'winreg'
            - 'netlogon'
            - 'srvsvc'
            - 'protected_storage'
            - 'wkssvc'
            - 'browser'
            - 'netdfs'
            - 'svcctl'
            - 'spoolss'
            - 'ntsvcs'
            - 'LSM_API_service'
            - 'HydraLsPipe'
            - 'TermSrv_API_service'
            - 'MsFteWds'
            - 'sql\query'
            - 'eventlog'
    condition: selection1 and not false_positives
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
high
First Time Seen Remote Named Pipe - Zeek
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
status test author Samir Bousseaden, @neu5ron, Tim Shelton id 021310d9-30a6-480a-84b7-eaa69aeb92bb
view Sigma YAML 
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
    - id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
      type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
    - https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
    filter_keywords:
        - 'samr'
        - 'lsarpc'
        - 'winreg'
        - 'netlogon'
        - 'srvsvc'
        - 'protected_storage'
        - 'wkssvc'
        - 'browser'
        - 'netdfs'
        - 'svcctl'
        - 'spoolss'
        - 'ntsvcs'
        - 'LSM_API_service'
        - 'HydraLsPipe'
        - 'TermSrv_API_service'
        - 'MsFteWds'
    condition: selection and not 1 of filter_*
falsepositives:
    - Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
high
HackTool - NetExec Execution
Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
status experimental author Chirag Damani id 7638e5fe-600c-4289-a968-f49dd537ec7d
view Sigma YAML 
title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
references:
    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Chirag Damani
date: 2026-03-29
tags:
    - attack.discovery
    - attack.t1018
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nxc.exe'
        CommandLine|contains:
            - ' ftp '
            - ' ldap '
            - ' mssql '
            - ' nfs '
            - ' rdp '
            - ' smb '
            - ' ssh '
            - ' vnc '
            - ' winrm '
            - ' wmi '
    condition: selection
falsepositives:
    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml
high
HackTool - NetExec File Indicators
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id efc21479-9e83-41da-8cf1-122e06ba8db3
view Sigma YAML 
title: HackTool - NetExec File Indicators
id: efc21479-9e83-41da-8cf1-122e06ba8db3
status: experimental
description: |
    Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
    NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
    under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
    extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
    Active Directory enumeration, credential harvesting, and remote code execution.
references:
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-08
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.discovery
    - attack.t1021.002
    - attack.t1059.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - Image|contains: '\nxc-windows-latest\'
        - TargetFilename|contains|all:
              - '\Temp\_MEI'
              - '\nxc\data\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
high
HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
status stable author Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch id 10c14723-61c7-4c75-92ca-9af245723ad2
view Sigma YAML 
title: HackTool - Potential Impacket Lateral Movement Activity
id: 10c14723-61c7-4c75-92ca-9af245723ad2
related:
    - id: e31f89f7-36fb-4697-8ab6-48823708353b
      type: obsolete
status: stable
description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
references:
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
    - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
date: 2019-09-03
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_other:
        # *** wmiexec.py
        #    parent is wmiprvse.exe
        #    examples:
        #       cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        #       cmd.exe /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567439113.54 2>&1
        # *** dcomexec.py -object MMC20
        #   parent is mmc.exe
        #   example:
        #       "C:\Windows\System32\cmd.exe" /Q /c cd  1> \\127.0.0.1\ADMIN$\__1567442499.05 2>&1
        # *** dcomexec.py -object ShellBrowserWindow
        #  runs %SystemRoot%\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} but parent command is explorer.exe
        #  example:
        #   "C:\Windows\System32\cmd.exe" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1567520103.71 2>&1
        # *** smbexec.py
        #   parent is services.exe
        #   example:
        #       C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat
        ParentImage|endswith:
            - '\wmiprvse.exe'        # wmiexec
            - '\mmc.exe'        # dcomexec MMC
            - '\explorer.exe'        # dcomexec ShellBrowserWindow
            - '\services.exe'        # smbexec
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/Q'
            - '/c'
            - '\\\\127.0.0.1\\'
            - '&1'
    selection_atexec:
        ParentCommandLine|contains:
            - 'svchost.exe -k netsvcs'       # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs")
            - 'taskeng.exe'       # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:")
            # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1
        CommandLine|contains|all:
            - 'cmd.exe'
            - '/C'
            - 'Windows\Temp\'
            - '&1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
HackTool - SharpMove Tool Execution
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
status test author Luca Di Bartolomeo (CrimpSec) id 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
view Sigma YAML 
title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: test
description: |
    Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
    - https://github.com/0xthirteen/SharpMove/
    - https://pentestlab.blog/tag/sharpmove/
author: Luca Di Bartolomeo (CrimpSec)
date: 2024-01-29
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\SharpMove.exe'
        - OriginalFileName: SharpMove.exe
    selection_cli_computer:
        # In its current implementation the "computername" flag is required in all actions
        CommandLine|contains: 'computername='
    selection_cli_actions:
        CommandLine|contains:
            - 'action=create'
            - 'action=dcom'
            - 'action=executevbs'
            - 'action=hijackdcom'
            - 'action=modschtask'
            - 'action=modsvc'
            - 'action=query'
            - 'action=scm'
            - 'action=startservice'
            - 'action=taskscheduler'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Unknown
level: high
high
Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
status test author Bhabesh Raj id 32d56ea1-417f-44ff-822b-882873f5f43b
view Sigma YAML 
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|contains:
            - 'RemCom_stdin'
            - 'RemCom_stdout'
            - 'RemCom_stderr'
    condition: selection1
falsepositives:
    - Unknown
level: high
high
MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
status test author Karneades, Swisscom CSIRT id 05a2ab7e-ce11-4b63-86db-ab32e763e11d
view Sigma YAML 
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high
high
MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
status test author @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) id f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
view Sigma YAML 
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mmc.exe'
        CommandLine|contains: '-Embedding'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
status test author Bartlomiej Czyz, Relativity id 6fb63b40-e02a-403e-9ffd-3bcc1d749442
view Sigma YAML 
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
    - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
      type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
        ServiceStartType: 3  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
        ServiceType: '0x10'
    filter:
        ServiceName: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
high
Metasploit SMB Authentication
Alerts on Metasploit host's authentications on the domain.
status test author Chakib Gzenayi (@Chak092), Hosni Mribah id 72124974-a68b-4366-b990-d30e0b2a190d
view Sigma YAML 
title: Metasploit SMB Authentication
id: 72124974-a68b-4366-b990-d30e0b2a190d
status: test
description: Alerts on Metasploit host's authentications on the domain.
references:
    - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
author: Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2020-05-06
modified: 2024-01-25
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID:
            - 4625
            - 4624
        LogonType: 3
        AuthenticationPackageName: 'NTLM'
        WorkstationName|re: '^[A-Za-z0-9]{16}$'
    selection2:
        EventID: 4776
        Workstation|re: '^[A-Za-z0-9]{16}$'
    condition: 1 of selection*
falsepositives:
    - Linux hostnames composed of 16 characters.
level: high
high
OpenCanary - FTP Login Attempt
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions id 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
view Sigma YAML 
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.initial-access
    - attack.exfiltration
    - attack.lateral-movement
    - attack.t1190
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 2000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - RDP New Connection Attempt
Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
status experimental author Marco Pedrinazzi (@pedrinazziM) id 598290cf-5932-45cd-9123-be1e05ab4f2e
view Sigma YAML 
title: OpenCanary - RDP New Connection Attempt
id: 598290cf-5932-45cd-9123-be1e05ab4f2e
status: experimental
description: Detects instances where an RDP service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Marco Pedrinazzi (@pedrinazziM)
date: 2026-01-06
tags:
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.t1133
    - attack.t1021.001
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 14001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - SMB File Open Request
Detects instances where an SMB service on an OpenCanary node has had a file open request.
status test author Security Onion Solutions id 22777c9e-873a-4b49-855f-6072ab861a52
view Sigma YAML 
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.t1021
    - attack.t1005
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 5000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - SNMP OID Request
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
status test author Security Onion Solutions id e9856028-fd4e-46e6-b3d1-10f7ceb95078
view Sigma YAML 
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.discovery
    - attack.lateral-movement
    - attack.t1016
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 13001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - SSH Login Attempt
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
status test author Security Onion Solutions id ff7139bc-fdb1-4437-92f2-6afefe8884cb
view Sigma YAML 
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4002
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - SSH New Connection Attempt
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions id cd55f721-5623-4663-bd9b-5229cab5237d
view Sigma YAML 
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.lateral-movement
    - attack.persistence
    - attack.stealth
    - attack.t1133
    - attack.t1021
    - attack.t1078
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 4000
    condition: selection
falsepositives:
    - Unlikely
level: high
high
OpenCanary - VNC Connection Attempt
Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
status test author Security Onion Solutions id 9db5446c-b44a-4291-8b89-fcab5609c3b3
view Sigma YAML 
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
    - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
    - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
author: Security Onion Solutions
date: 2024-03-08
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: application
    product: opencanary
detection:
    selection:
        logtype: 12001
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Outbound RDP Connections Over Non-Standard Tools
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
status test author Markus Neis id ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
view Sigma YAML 
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high
high
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
status test author Wojciech Lesicki id 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
view Sigma YAML 
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
status test author Aaron Stratton id 551d9c1f-816c-445b-a7a6-7a3864720d60
view Sigma YAML 
title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: test
description: |
    Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
    - https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
    - https://github.com/grayhatkiller/SharpExShell
    - https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023-11-13
tags:
    - attack.t1021.003
    - attack.lateral-movement
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\excel.exe'
    selection_child:
        - OriginalFileName:
          - 'foxprow.exe'
          - 'schdplus.exe'
          - 'winproj.exe'
        - Image|endswith:
          - '\foxprow.exe'
          - '\schdplus.exe'
          - '\winproj.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection.
status test author Roberto Rodriguez @Cyb3rWard0g id c539afac-c12a-46ed-b1bd-5a5567c9f045
view Sigma YAML 
title: Potential Remote PowerShell Session Initiated
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: |
    Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
    This could potentially indicates a remote PowerShell connection.
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2024-02-02
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 5985
            - 5986
        Initiated: 'true' # only matches of the initiating system can be evaluated
        SourceIsIpv6: 'false'
    filter_main_service_users:
        - User|contains: # covers many language settings for Network Service. Please expand
              - 'NETWORK SERVICE'
              - 'NETZWERKDIENST'
              - 'SERVICIO DE RED'
              - 'SERVIZIO DI RETE'
        - User|contains|all:
              - 'SERVICE R'
              - 'SEAU'
    filter_main_localhost:
        SourceIp:
            - '::1'
            - '127.0.0.1'
        DestinationIp:
            - '::1'
            - '127.0.0.1'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
    - Network Service user name of a not-covered localization
level: high
high
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
status test author pH-T (Nextron Systems), @Kostastsale, TheDFIRReport id 0d5675be-bc88-4172-86d3-1e96a4476536
view Sigma YAML 
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1021.001
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'AllowTSConnections'
            - 'fDenyTSConnections'
            - 'fEnableWinStation'
            - 'fSingleSessionPerUser'
            - 'IdleWinStationPoolCount'
            - 'MaxInstanceCount'
            - 'SecurityLayer'
            - 'TSAdvertise'
            - 'TSAppCompat'
            - 'TSEnabled'
            - 'TSUserEnabled'
            - 'WinStations\RDP-Tcp'
    filter_main_values_tls:
        CommandLine|contains|all:
            - 'SecurityLayer'
            - '02'  # TLS Enabled
    condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
status test author Tim Rauch, Elastic (idea) id 9bd04a79-dabe-4f1f-a5ff-92430265c96b
view Sigma YAML 
title: Privilege Escalation via Named Pipe Impersonation
id: 9bd04a79-dabe-4f1f-a5ff-92430265c96b
related:
    - id: f35c5d71-b489-4e22-a115-f003df287317
      type: derived
status: test
description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
references:
    - https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2022-12-30
tags:
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
    selection_args:
        CommandLine|contains|all:
            - 'echo'
            - '>'
            - '\\\\.\\pipe\\'
    condition: all of selection*
falsepositives:
    - Other programs that cause these patterns (please report)
level: high
high
Protected Storage Service Access
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
status test author Roberto Rodriguez @Cyb3rWard0g id 45545954-4016-43c6-855e-eae8f1c369dc
view Sigma YAML 
title: Protected Storage Service Access
id: 45545954-4016-43c6-855e-eae8f1c369dc
status: test
description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
references:
    - https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-10
modified: 2021-11-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'IPC'
        RelativeTargetName: 'protected_storage'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Publicly Accessible RDP Service
Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
status test author Josh Brower @DefensiveDepth id 1fc0809e-06bf-4de3-ad52-25e5263b7623
view Sigma YAML 
title: Publicly Accessible RDP Service
id: 1fc0809e-06bf-4de3-ad52-25e5263b7623
status: test
description: |
    Detects connections from routable IPs to an RDP listener. Which is indicative of a publicly-accessible RDP service.
author: Josh Brower @DefensiveDepth
date: 2020-08-22
modified: 2024-03-13
tags:
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.orig_h|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '2620:83:8000::/48'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    # approved_rdp:
      # dst_ip:
        # - x.x.x.x
    condition: not selection # and not approved_rdp
falsepositives:
    - Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet.
level: high
high
RDP Login from Localhost
RDP login with localhost source address may be a tunnelled login
status test author Thomas Patzke id 51e33403-2a37-4d66-a574-1fda1782cc31
view Sigma YAML 
title: RDP Login from Localhost
id: 51e33403-2a37-4d66-a574-1fda1782cc31
status: test
description: RDP login with localhost source address may be a tunnelled login
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
author: Thomas Patzke
date: 2019-01-28
modified: 2022-10-09
tags:
    - attack.lateral-movement
    - car.2013-07-002
    - attack.t1021.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10
        IpAddress:
            - '::1'
            - '127.0.0.1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
RDP Over Reverse SSH Tunnel
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
status test author Samir Bousseaden id 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
view Sigma YAML 
title: RDP Over Reverse SSH Tunnel
id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
references:
    - https://twitter.com/cyb3rops/status/1096842275437625346
author: Samir Bousseaden
date: 2019-02-16
modified: 2024-03-12
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection_img:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
    selection_destination:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '::1/128'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
status test author Samir Bousseaden id 5bed80b6-b3e8-428e-a3ae-d3c757589e41
view Sigma YAML 
title: RDP over Reverse SSH Tunnel WFP
id: 5bed80b6-b3e8-428e-a3ae-d3c757589e41
status: test
description: Detects svchost hosting RDP termsvcs communicating with the loopback address
references:
    - https://twitter.com/SBousseaden/status/1096148422984384514
    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
author: Samir Bousseaden
date: 2019-02-16
modified: 2022-09-02
tags:
    - attack.command-and-control
    - attack.lateral-movement
    - attack.t1090.001
    - attack.t1090.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
    sourceRDP:
        SourcePort: 3389
        DestAddress:
            - '127.*'
            - '::1'
    destinationRDP:
        DestPort: 3389
        SourceAddress:
            - '127.*'
            - '::1'
    filter_app_container:
        FilterOrigin: 'AppContainer Loopback'
    filter_thor:  # checking BlueKeep vulnerability
        Application|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
falsepositives:
    - Programs that connect locally to the RDP port
level: high
high
RDP to HTTP or HTTPS Target Ports
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
status test author Florian Roth (Nextron Systems) id b1e5da3b-ca8e-4adf-915c-9921f3d85481
view Sigma YAML 
title: RDP to HTTP or HTTPS Target Ports
id: b1e5da3b-ca8e-4adf-915c-9921f3d85481
status: test
description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
references:
    - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
    - https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
author: Florian Roth (Nextron Systems)
date: 2022-04-29
modified: 2022-07-14
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        Initiated: 'true'
        SourcePort: 3389
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - Unknown
level: high
high
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
status test author Sagie Dulce, Dekel Paz id 68050b10-e477-4377-a99b-3721b422d6ef
view Sigma YAML 
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.003
    - attack.t1047
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid:
            - 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
            - 99fcfec4-5260-101b-bbcb-00aa0021347a
            - 000001a0-0000-0000-c000-000000000046
            - 00000131-0000-0000-c000-000000000046
            - 00000143-0000-0000-c000-000000000046
            - 00000000-0000-0000-c000-000000000046
    condition: selection
falsepositives:
    - Some administrative tasks on remote host
level: high
high
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
status stable author Patryk Prauze - ING Tech id aa35a627-33fb-4d04-a165-d33b4afca3e8
view Sigma YAML 
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
    - https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
    filter_main_access:
        GrantedAccess: '0x80000000'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
high
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
status test author Roberto Rodriguez @Cyb3rWard0g, Tim Shelton id 96b9f619-aa91-478f-bacb-c3e50f8df575
view Sigma YAML 
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains|all:
            - ' = ServerRemoteHost ' #  HostName: 'ServerRemoteHost'  french : Nom d’hôte =
            - 'wsmprovhost.exe'      #  HostApplication|contains: 'wsmprovhost.exe' french  Application hôte =
    filter_pwsh_archive:
        ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use remote PowerShell sessions
level: high
high
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
status test author Bartlomiej Czyz, Relativity id 5bb68627-3198-40ca-b458-49f973db8752
view Sigma YAML 
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high
high
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
status test author Nasreddine Bencherchali (Nextron Systems) id 5cdb711b-5740-4fb2-ba88-f7945027afac
view Sigma YAML 
title: Rundll32 UNC Path Execution
id: 5cdb711b-5740-4fb2-ba88-f7945027afac
status: test
description: Detects rundll32 execution where the DLL is located on a remote location (share)
references:
    - https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.002
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains: ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
status test author Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) id b210394c-ba12-4f89-9117-44a2464b9511
view Sigma YAML 
title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
status: test
description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
references:
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020-08-06
modified: 2025-10-17
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|endswith: 'C$'
        AccessMask: '0x2'
    filter_main_subjectusername:
        SubjectUserName|endswith: '$'
    filter_optional_local_ip:
        IpAddress: '::1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
status experimental author andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems) id 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
view Sigma YAML 
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
    - id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
      type: similar
status: experimental
description: |
    Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
    Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\baaupdate.exe'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
status test author Florian Roth (Nextron Systems) id 48a61b29-389f-4032-b317-b30de6b95314
view Sigma YAML 
title: Suspicious Plink Port Forwarding
id: 48a61b29-389f-4032-b317-b30de6b95314
status: test
description: Detects suspicious Plink tunnel port forwarding to a local port
references:
    - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
    - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
author: Florian Roth (Nextron Systems)
date: 2021-01-19
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1572
    - attack.lateral-movement
    - attack.t1021.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Description: 'Command-line SSH, Telnet, and Rlogin client'
        CommandLine|contains: ' -R '
    condition: selection
falsepositives:
    - Administrative activity using a remote port forwarding to a local port
level: high
high
Suspicious PsExec Execution
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
status test author Samir Bousseaden id c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
view Sigma YAML 
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        RelativeTargetName|startswith: 'PSEXESVC'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
high
Suspicious PsExec Execution - Zeek
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
status test author Samir Bousseaden, @neu5ron, Tim Shelton id f1b3a22a-45e6-4004-afb5-4291f9c21166
view Sigma YAML 
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
related:
    - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
      type: derived
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path|contains|all:
            - '\\'
            - '\IPC$'
        name|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        name|startswith: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
status test author Florian Roth (Nextron Systems) id f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
view Sigma YAML 
title: Suspicious RDP Redirect Using TSCON
id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
status: test
description: Detects a suspicious RDP session redirect using tscon.exe
references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
    - https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2023-05-16
tags:
    - attack.lateral-movement
    - attack.t1563.002
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' /dest:rdp-tcp#'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
status experimental author andrewdanis id 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
view Sigma YAML 
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high
high
Suspicious UltraVNC Execution
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
status test author Bhabesh Raj id 871b9555-69ca-4993-99d3-35a59f9f3599
view Sigma YAML 
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
    - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
    - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
    - attack.lateral-movement
    - attack.g0047
    - attack.t1021.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-autoreconnect '
            - '-connect '
            - '-id:'
    condition: selection
falsepositives:
    - Unknown
level: high
Showing 1-50 of 87
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin