Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
status testauthor Samir Bousseadenid 35ba1d85-724d-42a3-889f-2e2362bcaf23
view Sigma YAML
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
selection_object:
- ObjectName|endswith:
- '-512'
- '-502'
- '-500'
- '-505'
- '-519'
- '-520'
- '-544'
- '-551'
- '-555'
- ObjectName|contains: 'admin'
filter:
SubjectUserName|endswith: '$'
condition: selection and selection_object and not filter
falsepositives:
- If source account name is not an admin then its super suspicious
level: high
high
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
status testauthor C.J. Mayid 02773bed-83bf-469f-b7ff-e676e7d78bab
view Sigma YAML
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
high
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
status testauthor Florian Roth (Nextron Systems)id f376c8a7-a2d0-4ddc-aa0c-16c17236d962
view Sigma YAML
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Product|contains: 'SharpHound'
- Description|contains: 'SharpHound'
- Company|contains:
- 'SpecterOps'
- 'evil corp'
- Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection_cli_1:
CommandLine|contains:
- ' -CollectionMethod All '
- ' --CollectionMethods Session '
- ' --Loop --Loopduration '
- ' --PortScanTimeout '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection_cli_2:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection_cli_3:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of selection_*
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high
high
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
status testauthor Nasreddine Bencherchali (Nextron Systems)id 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
Detects Commandlet names from well-known PowerShell exploitation frameworks
status testauthor Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songerid 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects active directory enumeration activity using known AdFind CLI flags
status testauthor frack113id 455b9d50-15a1-4b99-853f-8d37655a4c1b
view Sigma YAML
title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
related:
- id: 9a132afa-654e-11eb-ae93-0242ac130002
type: similar
- id: 514e7e3e-b3b4-4a67-af60-be20f139198b
type: similar
status: test
description: Detects active directory enumeration activity using known AdFind CLI flags
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: frack113
date: 2021-12-13
modified: 2023-03-05
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
category: process_creation
detection:
selection_password: # Listing password policy
CommandLine|contains:
- lockoutduration
- lockoutthreshold
- lockoutobservationwindow
- maxpwdage
- minpwdage
- minpwdlength
- pwdhistorylength
- pwdproperties
selection_enum_ad: # Enumerate Active Directory Admins
CommandLine|contains: '-sc admincountdmp'
selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
CommandLine|contains: '-sc exchaddresses'
condition: 1 of selection_*
falsepositives:
- Authorized administrative activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml
high
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
status testauthor Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.communityid 968eef52-9cff-4454-8992-1e74b9cbad6c
view Sigma YAML
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.s0039
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
EventID: 4661
AccessMask: '0x2d'
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
ObjectName|startswith: 'S-1-5-21-'
ObjectName|endswith:
- '-500'
- '-512'
condition: selection
falsepositives:
- Administrator activity
level: high
high
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
status testauthor Florian Roth (Nextron Systems)id df55196f-f105-44d3-a675-e9dfb6cc2f2b
view Sigma YAML
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- ' dclist '
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
Image|endswith: '\AdFind.exe'
condition: 1 of selection* and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
high
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status testauthor Nasreddine Bencherchali (Nextron Systems)id ef61af62-bc74-4f58-b49b-626448227652
view Sigma YAML
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
medium
ADExplorer Writing Complete AD Snapshot Into .dat File
Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status experimentalauthor Arnim Rupp (Nextron Systems), Thomas Patzkeid 0a1255c5-d732-4b62-ac02-b5152d34fb83
view Sigma YAML
title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
TargetFilename|endswith: '.dat'
condition: selection
falsepositives:
- Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium
medium
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9212f354-7775-4e28-9c9f-8f0a4544e664
view Sigma YAML
title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
- id: ef61af62-bc74-4f58-b49b-626448227652
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_cli:
CommandLine|contains: 'snapshot'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
status testauthor Nasreddine Bencherchali (Nextron Systems)id e5d36acd-acb4-4c6f-a13f-9eb203d50099
view Sigma YAML
title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: test
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
- https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://redcanary.com/blog/msix-installers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.exfiltration
- attack.discovery
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\csvde.exe'
- OriginalFileName: 'csvde.exe'
selection_remote:
CommandLine|contains: ' -f'
filter_import:
CommandLine|contains: ' -i'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
medium
PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 514e7e3e-b3b4-4a67-af60-be20f139198b
view Sigma YAML
title: PUA - AdFind.EXE Execution
id: 514e7e3e-b3b4-4a67-af60-be20f139198b
related:
- id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
type: similar
status: experimental
description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-26
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
category: process_creation
detection:
selection:
- Image|endswith: '\AdFind.exe'
- OriginalFileName: 'AdFind.exe'
- Hashes|contains:
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml
medium
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
status testauthor Maxime Thiebaut (@0xThiebaut)id ab6bffca-beff-4baa-af11-6733f296d57a
view Sigma YAML
title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
selection:
EventID: 4662
# Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
# The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
AccessMask|endswith:
# Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
- '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
- '3?' # Read Property + Write Property
- '4?' # Read Property + Delete Tree
- '7?' # Read Property + Write Property + Delete Tree
- '9?' # Read Property + List Object
- 'B?' # Read Property + Write Property + List Object
- 'D?' # Read Property + Delete Tree + List Object
- 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
filter_main_machine_accounts:
SubjectUserName|endswith: '$' # Exclude machine accounts
filter_main_msql:
SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators configuring new users.
level: medium
medium
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
status testauthor Adeem Mawaniid 31d68132-4038-47c7-8f8e-635a39a7c174
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
# Covers group and localgroup flags
selection_group_root:
CommandLine|contains:
- ' group '
- ' localgroup '
selection_group_flags:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
- ' /do' # short for domain
filter_group_add:
# This filter is added to avoid the potential case where the point is not recon but addition
CommandLine|contains: ' /add'
# Covers 'accounts' flag
selection_accounts_root:
CommandLine|contains: ' accounts '
selection_accounts_flags:
CommandLine|contains: ' /do' # short for domain
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
- Inventory tool runs
- Administrative activity
level: medium
medium
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
status testauthor Nasreddine Bencherchali (Nextron Systems)id aae1243f-d8af-40d8-ab20-33fc6d0c55bc
view Sigma YAML
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
- https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1087
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'psloglist.exe'
- Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
selection_cli_eventlog:
CommandLine|contains:
- ' security'
- ' application'
- ' system'
selection_cli_flags:
CommandLine|contains|windash:
- ' -d'
- ' -x'
- ' -s'
- ' -c' # Clear event log after displaying
- ' -g' # Export an event log as an evt file.
condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
level: medium
low
Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
status testauthor frack113id 36bed6b2-e9a0-4fff-beeb-413a92b86138
view Sigma YAML
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Get-AdComputer '
selection_option:
ScriptBlockText|contains:
- '-Filter '
- '-LDAPFilter '
- '-Properties '
condition: all of selection_*
falsepositives:
- Unknown
level: low