Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Disable Administrative Share Creation at Startup (level: medium)
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system.
Status: test · Author: frack113 · ID: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
Sigma YAML:
title: Disable Administrative Share Creation at Startup
id: c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e
status: test
description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
author: frack113
date: 2022-01-16
modified: 2024-03-25
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\LanmanServer\Parameters\'
        TargetObject|endswith:
            - '\AutoShareWks'
            - '\AutoShareServer'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_administrative_share/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Administrative Share Creation at Startup
      technique: T1070.005
      atomic_guid: 99c657aa-ebeb-4179-a665-69288fdd12b8
PowerShell Deleted Mounted Share (level: medium)
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Status: test · Author: oscd.community, @redcanary, Zach Stanford @svch0st · ID: 66a4d409-451b-4151-94f4-a55d559c49b0
Sigma YAML:
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
    filter_main_module_load:
        ScriptBlockText|contains|all:
            - 'FileShare.cdxml'
            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
            - 'ObjectModelWrapper'
            - 'Cmdletization.MethodParameter'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: medium
MaxMpxCt Registry Value Changed (level: low)
Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note: if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
Sigma YAML:
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
    Detects changes to the "MaxMpxCt" registry value.
    MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note: if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
    Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
    - https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
    - https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
    - https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
    - https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
    condition: selection
falsepositives:
    - Unknown
level: low
Unmount Share Via Net.EXE (level: low)
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Status: test · Author: oscd.community, @redcanary, Zach Stanford @svch0st · ID: cb7c4a03-2871-43c0-9bbb-18bbdb079896
Sigma YAML:
title: Unmount Share Via Net.EXE
id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2020-10-08
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'share'
            - '/delete'
    condition: all of selection*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin