Sigma detection rules

Home/Sigma rules

Sigma

18 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

18 shown of 18

high

DNS Exfiltration and Tunneling Tools Execution

Well-known DNS Exfiltration tools execution

status test author Daniil Yugoslavskiy, oscd.community id 98a96a5a-64a0-4c42-92c5-489da3866cb0

view Sigma YAML

title: DNS Exfiltration and Tunneling Tools Execution
id: 98a96a5a-64a0-4c42-92c5-489da3866cb0
status: test
description: Well-known DNS Exfiltration tools execution
references:
    - https://github.com/iagox86/dnscat2
    - https://github.com/yarrick/iodine
author: Daniil Yugoslavskiy, oscd.community
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.exfiltration
    - attack.t1048.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1132.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\iodine.exe'
        - Image|contains: '\dnscat2'
    condition: selection
falsepositives:
    - Unlikely
level: high

high

PUA - Restic Backup Tool Execution

Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.

status experimental author Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems) id 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7

view Sigma YAML

title: PUA - Restic Backup Tool Execution
id: 6ddff2e8-ea1a-45d0-8938-93dfc1d67ae7
status: experimental
description: |
    Detects the execution of the Restic backup tool, which can be used for data exfiltration.
    Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services.
    If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
references:
    - https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/#exfiltration
    - https://restic.net/
    - https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
author: Nounou Mbeiri, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048
    - attack.t1567.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_specific:
        - CommandLine|contains|all:
              - '--password-file'
              - 'init'
              - ' -r '
        - CommandLine|contains|all:
              - '--use-fs-snapshot'
              - 'backup'
              - ' -r '
    selection_restic:
        CommandLine|contains:
            - 'sftp:'
            - 'rest:http'
            - 's3:s3.'
            - 's3.http'
            - 'azure:'
            - ' gs:'
            - 'rclone:'
            - 'swift:'
            - ' b2:'
        CommandLine|contains|all:
            - ' init '
            - ' -r '
    condition: 1 of selection_*
falsepositives:
    - Legitimate use of Restic for backup purposes within the organization.
level: high

high

Powershell DNSExfiltration

DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel

status test author frack113 id d59d7842-9a21-4bc6-ba98-64bfe0091355

view Sigma YAML

title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
    - https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022-01-07
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        - ScriptBlockText|contains: 'Invoke-DNSExfiltrator'
        - ScriptBlockText|contains|all:
              - ' -i '
              - ' -d '
              - ' -p '
              - ' -doh '
              - ' -t '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: high

high

Suspicious Redirection to Local Admin Share

Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers

status test author Florian Roth (Nextron Systems) id ab9e3b40-0c85-4ba1-aede-455d226fd124

view Sigma YAML

title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
    - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_redirect:
        CommandLine|contains: '>'
    selection_share:
        CommandLine|contains:
            - '\\\\127.0.0.1\\admin$\\'
            - '\\\\localhost\\admin$\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

high

Suspicious WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397

status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) id 982e9f2d-1a85-4d5b-aea4-31f5e97c6555

view Sigma YAML

title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
    - https://twitter.com/aceresponder/status/1636116096506818562
    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
    - cve.2023-23397
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-s WebClient'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    filter_local_ips:
        CommandLine|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

medium

Copy From Or To Admin Share Or Sysvol Folder

Detects a copy command or a copy utility execution to or from an Admin share or remote

status test author Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali id 855bc8b5-2ae8-402e-a9ed-b889e6df1900

view Sigma YAML

title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium

medium

DNS TOR Proxies

Identifies IPs performing DNS lookups associated with common Tor proxies.

status test author Saw Winn Naung , Azure-Sentinel id a8322756-015c-42e7-afb1-436e85ed3ff5

view Sigma YAML

title: DNS TOR Proxies
id: a8322756-015c-42e7-afb1-436e85ed3ff5
related:
    - id: b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544
      type: similar
    - id: 8384bd26-bde6-4da9-8e5d-4174a7a47ca2
      type: similar
status: test
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
author: Saw Winn Naung , Azure-Sentinel
date: 2021-08-15
modified: 2025-09-12
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - '.hiddenservice.net'
            - '.onion.ca'
            - '.onion.cab'
            - '.onion.casa'
            - '.onion.city'
            - '.onion.direct'
            - '.onion.dog'
            - '.onion.glass'
            - '.onion.gq'
            - '.onion.guide'
            - '.onion.in.net'
            - '.onion.ink'
            - '.onion.it'
            - '.onion.link'
            - '.onion.lt'
            - '.onion.lu'
            - '.onion.ly'
            - '.onion.mn'
            - '.onion.network'
            - '.onion.nu'
            - '.onion.pet'
            - '.onion.plus'
            - '.onion.pt'
            - '.onion.pw'
            - '.onion.rip'
            - '.onion.sh'
            - '.onion.si'
            - '.onion.to'
            - '.onion.top'
            - '.onion.ws'
            - '.onion'
            - '.s1.tor-gateways.de'
            - '.s2.tor-gateways.de'
            - '.s3.tor-gateways.de'
            - '.s4.tor-gateways.de'
            - '.s5.tor-gateways.de'
            - '.t2w.pw'
            - '.tor2web.ae.org'
            - '.tor2web.blutmagie.de'
            - '.tor2web.com'
            - '.tor2web.fi'
            - '.tor2web.io'
            - '.tor2web.org'
            - '.tor2web.xyz'
            - '.torlink.co'
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Data Exfiltration with Wget

Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.

status test author Pawel Mazur id cb39d16b-b3b6-4a7a-8222-1cf24b686ffc

view Sigma YAML

title: Data Exfiltration with Wget
id: cb39d16b-b3b6-4a7a-8222-1cf24b686ffc
status: test
description: |
    Detects attempts to post the file with the usage of wget utility.
    The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
references:
    - https://linux.die.net/man/1/wget
    - https://gtfobins.github.io/gtfobins/wget/
author: 'Pawel Mazur'
date: 2021-11-18
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: wget
        a1|startswith: '--post-file='
    condition: selection
falsepositives:
    - Legitimate usage of wget utility to post a file
level: medium

medium

Data Export From MSSQL Table Via BCP.EXE

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

status test author Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems) id c615d676-f655-46b9-b913-78729021e5d7

view Sigma YAML

title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: test
description: |
    Detects the execution of the BCP utility in order to export data from the database.
    Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
references:
    - https://docs.microsoft.com/en-us/sql/tools/bcp-utility
    - https://asec.ahnlab.com/en/61000/
    - https://asec.ahnlab.com/en/78944/
    - https://www.huntress.com/blog/attacking-mssql-servers
    - https://www.huntress.com/blog/attacking-mssql-servers-pt-ii
    - https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/
    - https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
author: Omar Khaled (@beacon_exe), MahirAli Khan (in/mahiralikhan), Nasreddine Bencherchali (Nextron Systems)
date: 2024-08-20
tags:
    - attack.execution
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\bcp.exe'
        - OriginalFileName: 'BCP.exe'
    selection_cli:
        CommandLine|contains:
            - ' out ' # Export data from a table
            - ' queryout ' # Export data based on a SQL query
    condition: all of selection_*
falsepositives:
    - Legitimate data export operations.
level: medium

medium

PowerShell ICMP Exfiltration

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

status test author Bartlomiej Czyz @bczyz1, oscd.community id 4c4af3cd-2115-479c-8193-6b8bfce9001c

view Sigma YAML

title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: test
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020-10-10
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'New-Object'
            - 'System.Net.NetworkInformation.Ping'
            - '.Send('
    condition: selection
falsepositives:
    - Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium

medium

Python WebServer Execution - Linux

Detects the execution of Python web servers via command line interface (CLI). After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software. This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.

status experimental author Mohamed LAKRI id 3f0f5957-04f8-4792-ad89-192b0303bde6

view Sigma YAML

title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium

medium

Suspicious DNS Query with B64 Encoded String

Detects suspicious DNS queries using base64 encoding

status test author Florian Roth (Nextron Systems) id 4153a907-2451-4e4f-a578-c52bb6881432

view Sigma YAML

title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Suspicious Outbound SMTP Connections

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

status test author frack113 id 9976fa64-2804-423c-8a5b-646ade840773

view Sigma YAML

title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
    Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
    The data may also be sent to an alternate network location from the main command and control server.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
    - https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort:
            - 25
            - 587
            - 465
            - 2525
        Initiated: 'true'
    filter_clients:
        Image|endswith:
            - \thunderbird.exe
            - \outlook.exe
    filter_mailserver:
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
    filter_outlook:
        Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\HxTsr.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Other SMTP tools
level: medium

medium

Tap Driver Installation

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

status test author Daniil Yugoslavskiy, Ian Davis, oscd.community id 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9

view Sigma YAML

title: Tap Driver Installation
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-12-25
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium

medium

Tap Installer Execution

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

status test author Daniil Yugoslavskiy, Ian Davis, oscd.community id 99793437-3e16-439b-be0f-078782cf953d

view Sigma YAML

title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium

medium

WebDav Client Execution Via Rundll32.EXE

Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5

view Sigma YAML

title: WebDav Client Execution Via Rundll32.EXE
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
    This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\svchost.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

low

Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

status test author Daniil Yugoslavskiy, Ian Davis, oscd.community id 9c8afa4d-0022-48f0-9456-3712466f9701

view Sigma YAML

title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low

low

WebDav Put Request

A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 705072a5-bb6f-4ced-95b6-ecfa6602090b

view Sigma YAML

title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: test
description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-03-13
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: zeek
    service: http
detection:
    selection:
        user_agent|contains: 'WebDAV'
        method: 'PUT'
    filter:
        id.resp_h|cidr:
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low

Showing 1-18 of 18

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin