Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects default file names outputted by the BloodHound collection tool SharpHound
status testauthor C.J. Mayid 02773bed-83bf-469f-b7ff-e676e7d78bab
view Sigma YAML
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
high
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
status testauthor Florian Roth (Nextron Systems)id f376c8a7-a2d0-4ddc-aa0c-16c17236d962
view Sigma YAML
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Product|contains: 'SharpHound'
- Description|contains: 'SharpHound'
- Company|contains:
- 'SpecterOps'
- 'evil corp'
- Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection_cli_1:
CommandLine|contains:
- ' -CollectionMethod All '
- ' --CollectionMethods Session '
- ' --Loop --Loopduration '
- ' --PortScanTimeout '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection_cli_2:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection_cli_3:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of selection_*
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high
high
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
status testauthor frack113id b2317cfa-4a47-4ead-b3ff-297438c0bc2d
Detects Commandlet names from well-known PowerShell exploitation frameworks
status testauthor Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songerid 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
status testauthor Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.communityid 968eef52-9cff-4454-8992-1e74b9cbad6c
view Sigma YAML
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.s0039
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
EventID: 4661
AccessMask: '0x2d'
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
ObjectName|endswith:
- '-500'
- '-512'
condition: selection
falsepositives:
- Administrator activity
level: high
high
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
status testauthor Florian Roth (Nextron Systems)id df55196f-f105-44d3-a675-e9dfb6cc2f2b
view Sigma YAML
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- ' dclist '
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
Image|endswith: '\AdFind.exe'
condition: 1 of selection* and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
high
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status testauthor Nasreddine Bencherchali (Nextron Systems)id ef61af62-bc74-4f58-b49b-626448227652
view Sigma YAML
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
medium
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status experimentalauthor Arnim Rupp (Nextron Systems), Thomas Patzkeid 0a1255c5-d732-4b62-ac02-b5152d34fb83
view Sigma YAML
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
TargetFilename|endswith: '.dat'
condition: selection
falsepositives:
- Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
medium
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9212f354-7775-4e28-9c9f-8f0a4544e664
view Sigma YAML
title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
- id: ef61af62-bc74-4f58-b49b-626448227652
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_cli:
CommandLine|contains: 'snapshot'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Permission Check Via Accesschk.EXE
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
status testauthor Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)id c625d754-6a3d-4f65-9c9a-536aea960d37
view Sigma YAML
title: Permission Check Via Accesschk.EXE
id: c625d754-6a3d-4f65-9c9a-536aea960d37
status: test
description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
- https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
- https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-20
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Product|endswith: 'AccessChk'
- Description|contains: 'Reports effective permissions'
- Image|endswith:
- '\accesschk.exe'
- '\accesschk64.exe'
- OriginalFileName: 'accesschk.exe'
selection_cli:
CommandLine|contains: # These are the most common flags used with this tool. You could add other combinations if needed
- 'uwcqv '
- 'kwsu '
- 'qwsu '
- 'uwdqs '
condition: all of selection*
falsepositives:
- System administrator Usage
level: medium
medium
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
status testauthor Adeem Mawaniid 31d68132-4038-47c7-8f8e-635a39a7c174
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
status testauthor frack113id 815bfc17-7fc6-4908-a55e-2f37b98cedb4
view Sigma YAML
title: AD Groups Or Users Enumeration Using PowerShell - PoshModule
id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
status: test
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2023-01-20
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_ad_principal:
- Payload|contains: 'get-ADPrincipalGroupMembership'
- ContextInfo|contains: 'get-ADPrincipalGroupMembership'
selection_get_aduser:
- Payload|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
- ContextInfo|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
condition: 1 of selection_*
falsepositives:
- Administrator script
level: low
low
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
status testauthor frack113id 88f0884b-331d-403d-a3a1-b668cf035603
view Sigma YAML
title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
id: 88f0884b-331d-403d-a3a1-b668cf035603
status: test
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
test_2:
ScriptBlockText|contains: get-ADPrincipalGroupMembership
test_7:
ScriptBlockText|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
condition: 1 of test_*
falsepositives:
- Unknown
level: low
low
Active Directory Group Enumeration With Get-AdGroup
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
status testauthor frack113id 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
view Sigma YAML
title: Active Directory Group Enumeration With Get-AdGroup
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: test
description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022-03-17
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1069.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-AdGroup '
- '-Filter'
condition: selection
falsepositives:
- Unknown
level: low
low
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
status testauthor Ömer Günal, Alejandro Ortuno, oscd.communityid 676381a6-15ca-4d73-a9c8-6a22e970b90d
view Sigma YAML
title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/groups'
selection_2:
Image|endswith:
- '/cat'
- '/ed'
- '/head'
- '/less'
- '/more'
- '/nano'
- '/tail'
- '/vi'
- '/vim'
CommandLine|contains: '/etc/group'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
low
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag.
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
status testauthor frack113id 164eda96-11b2-430b-85ff-6a265c15bf32
view Sigma YAML
title: Local Groups Reconnaissance Via Wmic.EXE
id: 164eda96-11b2-430b-85ff-6a265c15bf32
status: test
description: |
Detects the execution of "wmic" with the "group" flag.
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2023-02-14
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: ' group'
condition: all of selection*
falsepositives:
- Unknown
level: low
low
RBAC Permission Enumeration Attempt
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
status testauthor Leo Tsaousis (@laripping)id 84b777bd-c946-4d17-aa2e-c39f5a454325
view Sigma YAML
title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: test
description: |
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
references:
- https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1069.003
- attack.t1087.004
- attack.discovery
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
apiGroup: 'authorization.k8s.io'
objectRef.resource: 'selfsubjectrulesreviews'
condition: selection
falsepositives:
- Unknown
level: low
low
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status testauthor frack113id 95f0643a-ed40-467c-806b-aac9542ec5ab
view Sigma YAML
title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
status: test
description: |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: get-smbshare
condition: selection
falsepositives:
- Unknown
level: low
low
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
status testauthor frack113id 6942bd25-5970-40ab-af49-944247103358
view Sigma YAML
title: Suspicious Get Information for SMB Share - PowerShell Module
id: 6942bd25-5970-40ab-af49-944247103358
status: test
description: |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021-12-15
modified: 2022-12-02
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
- Payload|contains: get-smbshare
- ContextInfo|contains: get-smbshare
condition: selection
falsepositives:
- Administrator script
level: low
low
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information.
Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status testauthor frack113id cef24b90-dddc-4ae1-a09a-8764872f69fc
view Sigma YAML
title: Suspicious Get Local Groups Information
id: cef24b90-dddc-4ae1-a09a-8764872f69fc
related:
- id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
type: similar
status: test
description: |
Detects the use of PowerShell modules and cmdlets to gather local group information.
Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_localgroup:
- Payload|contains:
- 'get-localgroup '
- 'get-localgroupmember '
- ContextInfo|contains:
- 'get-localgroup '
- 'get-localgroupmember '
selection_wmi_module:
- Payload|contains:
- 'get-wmiobject '
- 'gwmi '
- 'get-ciminstance '
- 'gcim '
- ContextInfo|contains|all:
- 'get-wmiobject '
- 'gwmi '
- 'get-ciminstance '
- 'gcim '
selection_wmi_class:
- Payload|contains: 'win32_group'
- ContextInfo|contains: 'win32_group'
condition: selection_localgroup or all of selection_wmi_*
falsepositives:
- Administrator script
level: low
low
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information.
Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
status testauthor frack113id fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
view Sigma YAML
title: Suspicious Get Local Groups Information - PowerShell
id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb
related:
- id: cef24b90-dddc-4ae1-a09a-8764872f69fc
type: similar
status: test
description: |
Detects the use of PowerShell modules and cmdlets to gather local group information.
Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021-12-12
modified: 2025-08-22
tags:
- attack.discovery
- attack.t1069.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_localgroup:
ScriptBlockText|contains:
- 'get-localgroup '
- 'get-localgroupmember '
selection_wmi_module:
ScriptBlockText|contains:
- 'get-wmiobject '
- 'gwmi '
- 'get-ciminstance '
- 'gcim '
selection_wmi_class:
ScriptBlockText|contains: 'win32_group' # Covers both win32_group and win32_groupuser
condition: selection_localgroup or all of selection_wmi_*
falsepositives:
- Inventory scripts or admin tasks
level: low
informational
Local Groups Discovery - MacOs
Detects enumeration of local system groups
status testauthor Ömer Günal, Alejandro Ortuno, oscd.communityid 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
view Sigma YAML
title: Local Groups Discovery - MacOs
id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
status: test
description: Detects enumeration of local system groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'group'
selection_2:
Image|endswith: '/cat'
CommandLine|contains: '/etc/group'
selection_3:
Image|endswith: '/dscl'
CommandLine|contains|all:
- '-list'
- '/groups'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: informational