Sigma detection rules

critical

Registry Entries For Azorult Malware

Detects the presence of a registry key created during Azorult execution

status test author Trent Liffick id f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7

view Sigma YAML

title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
falsepositives:
    - Unknown
level: critical

high

Change User Account Associated with the FAX Service

Detect change of the user account associated with the FAX service to avoid the escalation problem.

status test author frack113 id e3fdf743-f05b-4051-990a-b66919be1743

view Sigma YAML

title: Change User Account Associated with the FAX Service
id: e3fdf743-f05b-4051-990a-b66919be1743
status: test
description: Detect change of the user account associated with the FAX service to avoid the escalation problem.
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject: HKLM\System\CurrentControlSet\Services\Fax\ObjectName
    filter:
        Details|contains: NetworkService
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

high

Change the Fax Dll

Detect possible persistence using Fax DLL load when service restart

status test author frack113 id 9e3357ba-09d4-4fbd-a7c5-ad6386314513

view Sigma YAML

title: Change the Fax Dll
id: 9e3357ba-09d4-4fbd-a7c5-ad6386314513
status: test
description: Detect possible persistence using Fax DLL load when service restart
references:
    - https://twitter.com/dottor_morte/status/1544652325570191361
    - https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
author: frack113
date: 2022-07-17
modified: 2022-12-30
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Fax\Device Providers\'
            - '\ImageName'
    filter:
        Details: '%systemroot%\system32\fxst30.dll' # Windows 10
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

high

DHCP Callout DLL Installation

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

status test author Dimitrios Slamaris id 9d3436ef-9476-4c43-acca-90ce06bdf33a

view Sigma YAML

title: DHCP Callout DLL Installation
id: 9d3436ef-9476-4c43-acca-90ce06bdf33a
status: test
description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
references:
    - https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html
    - https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx
    - https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
author: Dimitrios Slamaris
date: 2017-05-15
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Services\DHCPServer\Parameters\CalloutDlls'
            - '\Services\DHCPServer\Parameters\CalloutEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Disable Security Events Logging Adding Reg Key MiniNt

Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.

status test author Ilyas Ochkov, oscd.community id 919f2ef0-be2d-4a7a-b635-eb2b41fde044

view Sigma YAML

title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
    # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey'    # we don't want deletekey
    # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
falsepositives:
    - Unknown
level: high

high

ETW Logging Disabled In .NET Processes - Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id a4c90ea1-2634-4ca0-adbb-35eae169b6fc

view Sigma YAML

title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
    - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    service: security
detection:
    selection_etw_enabled:
        EventID: 4657
        ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
        ObjectValueName: 'ETWEnabled'
        NewValue: 0
    selection_complus:
        EventID: 4657
        ObjectName|contains: '\Environment'
        ObjectValueName:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
        NewValue: 0
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

high

ETW Logging Disabled In .NET Processes - Sysmon Registry

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id bf4fc428-dcc3-4bbd-99fe-2422aeee2544

view Sigma YAML

title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
    - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
      type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_etw_enabled:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
        Details: 'DWORD (0x00000000)'
    selection_complus:
        TargetObject|endswith:
            - '\COMPlus_ETWEnabled'
            - '\COMPlus_ETWFlags'
        Details:
            - 0 # For REG_SZ type
            - 'DWORD (0x00000000)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

high

Enable LM Hash Storage

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

status test author Nasreddine Bencherchali (Nextron Systems) id c420410f-c2d8-4010-856b-dffe21866437

view Sigma YAML

title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
    - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
      type: similar
status: test
description: |
    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Enable LM Hash Storage - ProcCreation

Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.

status test author Nasreddine Bencherchali (Nextron Systems) id 98dedfdd-8333-49d4-9f23-d7018cccae53

view Sigma YAML

title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
    - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
      type: similar
status: test
description: |
    Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
    By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
    - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-15
modified: 2023-12-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'NoLMHash'
            - ' 0'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Imports Registry Key From an ADS

Detects the import of a alternate datastream to the registry with regedit.exe.

status test author Oddvar Moe, Sander Wiebing, oscd.community id 0b80ade5-6997-4b1d-99a1-71701778ea61

view Sigma YAML

title: Imports Registry Key From an ADS
id: 0b80ade5-6997-4b1d-99a1-71701778ea61
related:
    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
      type: similar
status: test
description: Detects the import of a alternate datastream to the registry with regedit.exe.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regedit/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regedit.exe'
        - OriginalFileName: 'REGEDIT.EXE'
    selection_cli:
        CommandLine|contains:
            - ' /i '
            - '.reg'
        CommandLine|re: ':[^ \\]'
    filter:
        CommandLine|contains|windash:
            - ' -e '
            - ' -a '
            - ' -c '
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high

high

Macro Enabled In A Potentially Suspicious Document

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

status test author Nasreddine Bencherchali (Nextron Systems) id a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd

view Sigma YAML

title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
      type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you don't expect a user to executed macro enabled docs
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

high

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

status test author frack113 id 28036918-04d3-423d-91c0-55ecf99fb892

view Sigma YAML

title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
  Detects changes to the NGenAssemblyUsageLog registry key.
  .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
  By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
    condition: selection
falsepositives:
    - Unknown
level: high

high

NetNTLM Downgrade Attack

Detects NetNTLM downgrade attack

status test author Florian Roth (Nextron Systems), wagga id d3abac66-f11c-4ed0-8acb-50cc29c97eed

view Sigma YAML

title: NetNTLM Downgrade Attack
id: d3abac66-f11c-4ed0-8acb-50cc29c97eed
related:
    - id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
      type: derived
status: test
description: Detects NetNTLM downgrade attack
references:
    - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth (Nextron Systems), wagga
date: 2018-03-20
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685
    - attack.t1112
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
    selection:
        EventID: 4657
        ObjectName|contains|all:
            - '\REGISTRY\MACHINE\SYSTEM'
            - 'ControlSet'
            - '\Control\Lsa'
        ObjectValueName:
            - 'LmCompatibilityLevel'
            - 'NtlmMinClientSec'
            - 'RestrictSendingNTLMTraffic'
    condition: selection
falsepositives:
    - Unknown
level: high

high

NetNTLM Downgrade Attack - Registry

Detects NetNTLM downgrade attack

status test author Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT) id d67572a0-e2ec-45d6-b8db-c100d14b8ef2

view Sigma YAML

title: NetNTLM Downgrade Attack - Registry
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
status: test
description: Detects NetNTLM downgrade attack
references:
    - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
    - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
date: 2018-03-20
modified: 2024-12-03
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection_regkey:
        TargetObject|contains|all:
            - 'SYSTEM\'
            - 'ControlSet'
            - '\Control\Lsa'
    selection_value_lmcompatibilitylevel:
        TargetObject|endswith: '\lmcompatibilitylevel'
        Details:
            - 'DWORD (0x00000000)'
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000002)'
    selection_value_ntlmminclientsec:
        TargetObject|endswith: '\NtlmMinClientSec'
        Details:
            - 'DWORD (0x00000000)' # No Security
            - 'DWORD (0x00000010)' # Only Integrity
            - 'DWORD (0x00000020)' # Only confidentiality
            - 'DWORD (0x00000030)' # Both Integrity and confidentiality
    selection_value_restrictsendingntlmtraffic:
        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
        # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
        # Hence all values should be monitored and investigated
        TargetObject|endswith: '\RestrictSendingNTLMTraffic'
    condition: selection_regkey and 1 of selection_value_*
falsepositives:
    - Services or tools that set the values to more restrictive values
level: high

high

New DNS ServerLevelPluginDll Installed

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

status test author Florian Roth (Nextron Systems) id e61e8a88-59a9-451c-874e-70fcc9740d67

view Sigma YAML

title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
    - id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
    condition: selection
falsepositives:
    - Unknown
level: high

high

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

status test author Florian Roth (Nextron Systems) id f63b56ee-3f79-4b8a-97fb-5c48007e8573

view Sigma YAML

title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
    - id: cbe51394-cd93-4473-b555-edf0144952d9
      type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1574.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnscmd.exe'
        CommandLine|contains|all:
            - '/config'
            - '/serverlevelplugindll'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Non-privileged Usage of Reg or Powershell

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

status test author Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community id 8f02c935-effe-45b3-8fc9-ef8696a9e41d

view Sigma YAML

title: Non-privileged Usage of Reg or Powershell
id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
status: test
description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
references:
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
date: 2020-10-05
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains|all:
              - 'reg '
              - 'add'
        - CommandLine|contains:
              - 'powershell'
              - 'set-itemproperty'
              - ' sp '
              - 'new-itemproperty'
    selection_data:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'Services'
        CommandLine|contains:
            - 'ImagePath'
            - 'FailureCommand'
            - 'ServiceDLL'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

high

Office Macros Warning Disabled

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

status test author Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) id 91239011-fe3c-4b54-9f24-15c86bb65913

view Sigma YAML

title: Office Macros Warning Disabled
id: 91239011-fe3c-4b54-9f24-15c86bb65913
related:
    - id: 9b894e57-033f-46cf-b7fa-a52804181973
      type: obsolete
status: test
description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2024-03-19
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Security\VBAWarnings'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unlikely
level: high

high

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

status test author Nasreddine Bencherchali (Nextron Systems) id 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08

view Sigma YAML

title: Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08
related:
    - id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
      type: similar
    - id: 55f0a3a1-846e-40eb-8273-677371b8d912 # ProcCreation variation
      type: similar
status: test
description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
references:
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

status test author Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand id ddd171b5-2cc6-4975-9e78-f0eccd08cc76

view Sigma YAML

title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook home page.
    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Potential Persistence Via Outlook Today Page

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

status test author Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand id 487bb375-12ef-41f6-baae-c6a1572b4dd1

view Sigma YAML

title: Potential Persistence Via Outlook Today Page
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
related:
    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook today page.
    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-10
modified: 2024-08-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: '\Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_url:
        TargetObject|endswith:
            - '\URL'
            - '\UserDefinedUrl'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

high

Potential Qakbot Registry Activity

Detects a registry key used by IceID in a campaign that distributes malicious OneNote files

status test author Hieu Tran id 1c8e96cd-2bed-487d-9de0-b46c90cade56

view Sigma YAML

title: Potential Qakbot Registry Activity
id: 1c8e96cd-2bed-487d-9de0-b46c90cade56
status: test
description: Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
references:
    - https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Hieu Tran
date: 2023-03-13
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\firm\soft\Name'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

status test author pH-T (Nextron Systems), @Kostastsale, TheDFIRReport id 0d5675be-bc88-4172-86d3-1e96a4476536

view Sigma YAML

title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1021.001
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection_main_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_main_cli:
        CommandLine|contains|all:
            - ' add '
            - '\CurrentControlSet\Control\Terminal Server'
            - 'REG_DWORD'
            - ' /f'
    selection_values_1:
        CommandLine|contains|all:
            - 'Licensing Core'
            - 'EnableConcurrentSessions'
    selection_values_2:
        CommandLine|contains:
            - 'AllowTSConnections'
            - 'fDenyTSConnections'
            - 'fEnableWinStation'
            - 'fSingleSessionPerUser'
            - 'IdleWinStationPoolCount'
            - 'MaxInstanceCount'
            - 'SecurityLayer'
            - 'TSAdvertise'
            - 'TSAppCompat'
            - 'TSEnabled'
            - 'TSUserEnabled'
            - 'WinStations\RDP-Tcp'
    filter_main_values_tls:
        CommandLine|contains|all:
            - 'SecurityLayer'
            - '02'  # TLS Enabled
    condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

high

PowerShell Logging Disabled Via Registry Key Tampering

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

status test author frack113 id fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7

view Sigma YAML

title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564.001
    - attack.t1112
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Microsoft\Windows\PowerShell\' # PowerShell 5
            - '\Microsoft\PowerShellCore\' # PowerShell 7
        TargetObject|endswith:
            - '\ModuleLogging\EnableModuleLogging'
            - '\ScriptBlockLogging\EnableScriptBlockLogging'
            - '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
            - '\Transcription\EnableTranscripting'
            - '\Transcription\EnableInvocationHeader'
            - '\EnableScripts'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
    - type: atomic-red-team
      name: Disable PowerShell Logging via Registry
      technique: T1112
      atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8

high

RDP Sensitive Settings Changed

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.

status test author Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali id 3f6b7b62-61aa-45db-96bd-9c31b36b653c

view Sigma YAML

title: RDP Sensitive Settings Changed
id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
related:
    - id: 171b67e1-74b4-460e-8d55-b331f3e32d67
      type: obsolete
    - id: 41904ebe-d56c-4904-b9ad-7a77bdf154b3
      type: obsolete
    - id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

    Below is a list of registry keys/values that are monitored by this rule:

    - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
    - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
    - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
    - fAllowUnsolicited: Allows unsolicited remote assistance offers.
    - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
    - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
    - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
    - SecurityLayer: Specifies the security layer used for RDP connections.
references:
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - https://blog.sekoia.io/darkgate-internals/
    - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
    - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
    - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-08-06
modified: 2025-11-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_shadow:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith: '\Shadow'
        Details:
            - 'DWORD (0x00000001)' # Full Control with user’s permission
            - 'DWORD (0x00000002)' # Full Control without user’s permission
            - 'DWORD (0x00000003)' # View Session with user’s permission
            - 'DWORD (0x00000004)' # View Session without user’s permission
    selection_terminal_services_key:
        TargetObject|contains:
            - '\Control\Terminal Server\'
            - '\Windows NT\Terminal Services\'
        TargetObject|endswith:
            - '\DisableRemoteDesktopAntiAlias' # Disable anti-aliasing for remote desktop (DarkGate malware)
            - '\DisableSecuritySettings' # Disable security settings, allowing access to programs/entire desktop (DarkGate malware)
            - '\fAllowUnsolicited' # Allow unsolicited remote assistance offers
            - '\fAllowUnsolicitedFullControl'
        Details: 'DWORD (0x00000001)'
    selection_tamper_only:
        # Any changes to these keys should be suspicious and looked at
        TargetObject|contains:
            - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
            - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
            - '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
            - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
    filter_main_securitylayer_tls:
        TargetObject|endswith: '\SecurityLayer'
        Details: 'DWORD (0x00000002)' # TLS Enabled
    condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: high

high

RedMimicry Winnti Playbook Registry Manipulation

Detects actions caused by the RedMimicry Winnti playbook

status test author Alexander Rausch id 5b175490-b652-4b02-b1de-5b5b4083c5f8

view Sigma YAML

title: RedMimicry Winnti Playbook Registry Manipulation
id: 5b175490-b652-4b02-b1de-5b5b4083c5f8
status: test
description: Detects actions caused by the RedMimicry Winnti playbook
references:
    - https://redmimicry.com
author: Alexander Rausch
date: 2020-06-24
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: HKLM\SOFTWARE\Microsoft\HTMLHelp\data
    condition: selection
falsepositives:
    - Unknown
level: high

high

Reg Add Suspicious Paths

Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys

status test author frack113, Nasreddine Bencherchali (Nextron Systems) id b7e2a8d4-74bb-4b78-adc9-3f92af2d4829

view Sigma YAML

title: Reg Add Suspicious Paths
id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
status: test
description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2022-10-10
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_path:
        CommandLine|contains:
            # Add more suspicious registry locations below
            - '\AppDataLow\Software\Microsoft\'
            - '\Policies\Microsoft\Windows\OOBE'
            - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
            - '\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon'
            - '\CurrentControlSet\Control\SecurityProviders\WDigest'
            - '\Microsoft\Windows Defender\'
    condition: all of selection_*
falsepositives:
    - Rare legitimate add to registry via cli (to these locations)
level: high

high

Registry Modification for OCI DLL Redirection

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id c0e0bdec-3e3d-47aa-9974-05539c999c89

view Sigma YAML

title: Registry Modification for OCI DLL Redirection
id: c0e0bdec-3e3d-47aa-9974-05539c999c89
status: experimental
description: |
    Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings.
    Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
references:
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1112
    - attack.t1574.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_ocilib:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLib'
    filter_main_ocilib_file:
        # it is looking when oci.dll name is changed to something else like evil.dll
        Details|contains: 'oci.dll'
    selection_ocilibpath:
        TargetObject|endswith: '\SOFTWARE\Microsoft\MSDTC\MTxOCI\OracleOciLibPath'
    filter_main_ocilibpath:
        # it is looking when oci.dll path is changed to something else like 'C:\Windows\Temp\'
        Details|contains: '%SystemRoot%\System32\'
    condition: (selection_ocilib and not filter_main_ocilib_file) or (selection_ocilibpath and not filter_main_ocilibpath)
falsepositives:
    - Unlikely
level: high

high

Remote Registry Lateral Movement

Detects remote RPC calls to modify the registry and possible execute code

status test author Sagie Dulce, Dekel Paz id 35c55673-84ca-4e99-8d09-e334f3c29539

view Sigma YAML

title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possible execute code
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1112
    - attack.persistence
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
        OpNum:
            - 6
            - 7
            - 8
            - 13
            - 18
            - 19
            - 21
            - 22
            - 23
            - 35
    condition: selection
falsepositives:
    - Remote administration of registry values
level: high

high

RestrictedAdminMode Registry Value Tampering

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

status test author frack113 id d6ce7ebd-260b-4323-9768-a9631c8d4db2

view Sigma YAML

title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
    - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023-01-13
modified: 2024-08-23
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

high

RestrictedAdminMode Registry Value Tampering - ProcCreation

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

status test author frack113 id 28ac00d6-22d9-4a3c-927f-bbd770104573

view Sigma YAML

title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
    - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
      type: similar
status: test
description: |
    Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
    RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
    This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md
    - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
author: frack113
date: 2023-01-13
modified: 2025-08-28
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control\Lsa'
            - 'DisableRestrictedAdmin'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Security Event Logging Disabled via MiniNt Registry Key - Process

Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 1a4bd6af-99ac-4466-b5b2-7b72b4a05462

view Sigma YAML

title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
    - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
      type: similar
status: experimental
description: |
    Detects attempts to disable security event logging by adding the `MiniNt` registry key.
    This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
    - Highly Unlikely
level: high

high

Security Event Logging Disabled via MiniNt Registry Key - Registry Set

Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events. Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing. Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 8839e550-52d7-4958-9f2f-e13c1e736838

view Sigma YAML

title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
    Adversary may want to disable this service to disable logging of security events which could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high

high

Service Binary in Suspicious Folder

Detect the creation of a service with a service binary located in a suspicious directory

status test author Florian Roth (Nextron Systems), frack113 id a07f0359-4c90-4dc4-a681-8ffea40b4f47

view Sigma YAML

title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)'  # boot
            - 'DWORD (0x00000001)'  # System
            - 'DWORD (0x00000002)'  # Automatic
            # 3 - Manual , 4 - Disabled
    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    filter_optional_mbamservice:
        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
        Image: 'C:\Windows\system32\services.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

high

ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

status stable author Florian Roth (Nextron Systems) id b0524451-19af-4efa-a46f-562a977f792e

view Sigma YAML

title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
    - Unknown
level: high

high

Suspicious Registry Modification From ADS Via Regini.EXE

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

status test author Eli Salem, Sander Wiebing, oscd.community id 77946e79-97f1-45a2-84b4-f37b5c0d8682

view Sigma YAML

title: Suspicious Registry Modification From ADS Via Regini.EXE
id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
related:
    - id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
      type: derived
status: test
description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Regini/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
author: Eli Salem, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regini.exe'
        - OriginalFileName: 'REGINI.EXE'
    selection_re:
        CommandLine|re: ':[^ \\]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

high

Sysmon Channel Reference Deletion

Potential threat actor tampering with Sysmon manifest and eventually disabling it

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc

view Sigma YAML

title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
    - https://twitter.com/Flangvik/status/1283054508084473861
    - https://twitter.com/SecurityJosh/status/1283027365770276866
    - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
    - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2025-10-22
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4657
        ObjectName|contains:
            - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
            - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
        ObjectValueName: 'Enabled'
        NewValue: 0
    selection2:
        EventID: 4663
        ObjectName|contains:
            - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
            - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
        AccessMask: '0x10000'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

high

Terminal Server Client Connection History Cleared - Registry

Detects the deletion of registry keys containing the MSTSC connection history

status test author Christian Burkard (Nextron Systems) id 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d

view Sigma YAML

title: Terminal Server Client Connection History Cleared - Registry
id: 07bdd2f5-9c58-4f38-aec8-e101bb79ef8d
status: test
description: Detects the deletion of registry keys containing the MSTSC connection history
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer
    - http://woshub.com/how-to-clear-rdp-connections-history/
    - https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Christian Burkard (Nextron Systems)
date: 2021-10-19
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1112
logsource:
    category: registry_delete
    product: windows
detection:
    selection1:
        EventType: DeleteValue
        TargetObject|contains: '\Microsoft\Terminal Server Client\Default\MRU'
    selection2:
        EventType: DeleteKey
        TargetObject|contains: '\Microsoft\Terminal Server Client\Servers\'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

high

Trust Access Disable For VBApplications

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

status test author Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems) id 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf

view Sigma YAML

title: Trust Access Disable For VBApplications
id: 1a5c46e9-f32f-42f7-b2bc-6e9084db7fbf
related:
    - id: 9b894e57-033f-46cf-b7fa-a52804181973
      type: obsolete
status: test
description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
    - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
author: Trent Liffick (@tliffick), Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Security\AccessVBOM'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unlikely
level: high

high

Uncommon Microsoft Office Trusted Location Added

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

status test author Nasreddine Bencherchali (Nextron Systems) id f742bde7-9528-42e5-bd82-84f51a8387d2

view Sigma YAML

title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
    - id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
      type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
    - Internal Research
    - https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Security\Trusted Locations\Location'
        TargetObject|endswith: '\Path'
    filter_exclude_known_paths:
        Details|contains:
            - '%APPDATA%\Microsoft\Templates'
            - '%%APPDATA%%\Microsoft\Templates'
            - '%APPDATA%\Microsoft\Word\Startup'
            - '%%APPDATA%%\Microsoft\Word\Startup'
            - ':\Program Files (x86)\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office (x86)\Templates'
            - ':\Program Files\Microsoft Office\root\Templates\'
            - ':\Program Files\Microsoft Office\Templates\'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
    - Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high

high

User Shell Folders Registry Modification via CommandLine

Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 8f3ab69a-aa22-4943-aa58-e0a52fdf6818

view Sigma YAML

title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
      type: similar
status: experimental
description: |
    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
falsepositives:
    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b

high

Wdigest CredGuard Registry Modification

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 1a2d6c47-75b0-45bd-b133-2c0be75349fd

view Sigma YAML

title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
description: |
  Detects potential malicious modification of the property value of IsCredGuardEnabled from
  HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
  This is usually used with UseLogonCredential to manipulate the caching credentials.
references:
    - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-08-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\IsCredGuardEnabled'
    condition: selection
falsepositives:
    - Unknown
level: high

high

Wdigest Enable UseLogonCredential

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id d6a9b252-c666-4de6-8806-5561bbbd3bdc

view Sigma YAML

title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
    - https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
    - https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
    - https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'WDigest\UseLogonCredential'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: high

high

Windows Event Log Access Tampering Via Registry

Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".

status experimental author X__Junior id ba226dcf-d390-4642-b9af-b534872f1156

view Sigma YAML

title: Windows Event Log Access Tampering Via Registry
id: ba226dcf-d390-4642-b9af-b534872f1156
status: experimental
description: |
    Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.002#atomic-test-8---modify-event-log-channel-access-permissions-via-registry---powershell
    - https://www.youtube.com/watch?v=uSYvHUVU8xY
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
author: X__Junior
date: 2025-01-16
modified: 2025-08-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    # O:SYG:SYD:(D;;0x1;;;WD)
    # O:BAG:SYD:(A;;0x2;;;S-1-15-2-1)(D;;0x1;;;WD)
    selection_key_1:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
        TargetObject|endswith: '\CustomSD'
    selection_key_2:
        TargetObject|contains:
            - '\Policies\Microsoft\Windows\EventLog\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
        TargetObject|endswith: '\ChannelAccess'
    selection_details:
        - Details|contains: 'D:(D;'
        - Details|contains|all:
              - 'D:('
              - ')(D;'
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_optional_empty:
        Image: ''
    filter_optional_null:
        Image: null
    condition: 1 of selection_key_* and selection_details and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative activity, still unlikely
level: high

medium

Activate Suppression of Windows Security Center Notifications

Detect set Notification_Suppress to 1 to disable the Windows security center notification

status test author frack113 id 0c93308a-3f1b-40a9-b649-57ea1a1c1d63

view Sigma YAML

title: Activate Suppression of Windows Security Center Notifications
id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63
status: test
description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration\Notification_Suppress'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Add DisallowRun Execution to Registry

Detect set DisallowRun to 1 to prevent user running specific computer program

status test author frack113 id 275641a5-a492-45e2-a817-7c81e9d9d3e9

view Sigma YAML

title: Add DisallowRun Execution to Registry
id: 275641a5-a492-45e2-a817-7c81e9d9d3e9
status: test
description: Detect set DisallowRun to 1 to prevent user running specific computer program
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Allow RDP Remote Assistance Feature

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

status test author frack113 id 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b

view Sigma YAML

title: Allow RDP Remote Assistance Feature
id: 37b437cf-3fc5-4c8e-9c94-1d7c9aff842b
status: test
description: Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
author: frack113
date: 2022-08-19
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp'
        Details: DWORD (0x00000001)
    condition: selection
falsepositives:
    - Legitimate use of the feature (alerts should be investigated either way)
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature/info.yml
simulation:
    - type: atomic-red-team
      name: Allow RDP Remote Assistance Feature
      technique: T1112
      atomic_guid: 86677d0e-0b5e-4a2b-b302-454175f9aa9e

medium

ClickOnce Trust Prompt Tampering

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

status test author @SerkinValery, Nasreddine Bencherchali (Nextron Systems) id ac9159cc-c364-4304-8f0a-d63fc1a0aabb

view Sigma YAML

title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-06-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium

medium

CrashControl CrashDump Disabled

Detects disabling the CrashDump per registry (as used by HermeticWiper)

status test author Tobias Michalski (Nextron Systems) id 2ff692c2-4594-41ec-8fcb-46587de769e0

view Sigma YAML

title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate disabling of crashdumps
level: medium

medium

DNS-over-HTTPS Enabled by Registry

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

status test author Austin Songer id 04b45a8a-d11d-49e4-9acc-4a1b524407a5

view Sigma YAML

title: DNS-over-HTTPS Enabled by Registry
id: 04b45a8a-d11d-49e4-9acc-4a1b524407a5
status: test
description: |
    Detects when a user enables DNS-over-HTTPS.
    This can be used to hide internet activity or be used to hide the process of exfiltrating data.
    With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
references:
    - https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html
    - https://github.com/elastic/detection-rules/issues/1371
    - https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode
    - https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
author: Austin Songer
date: 2021-07-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1140
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_edge:
        TargetObject|endswith: '\SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled'
        Details: DWORD (0x00000001)
    selection_chrome:
        TargetObject|endswith: '\SOFTWARE\Google\Chrome\DnsOverHttpsMode'
        Details: 'secure'
    selection_firefox:
        TargetObject|endswith: '\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled'
        Details: DWORD (0x00000001)
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: medium

Detection rules