Sigma detection rules

9 rules indexed · SIEM-agnostic detection content
Sigma is an open, generic signature format for describing log-based detections in YAML, independent of any one SIEM. Each rule below can be converted to native query syntax for Splunk, Elastic, Microsoft Sentinel and other backends (for example with sigma-cli and pySigma). The raw YAML of every rule is shown beneath its summary.

Detection rules

[critical] HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
Sigma YAML:
title: HackTool - Koh Default Named Pipe
id: 0adc67e0-a68f-4ffd-9c43-28905aad5d6a
status: test
description: Detects creation of default named pipes used by the Koh tool
references:
    - https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.stealth
    - attack.t1528
    - attack.t1134.001
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\imposecost'
            - '\imposingcost'
    condition: selection
falsepositives:
    - Unlikely
level: critical
[high] HackTool - NoFilter Execution
Detects execution of NoFilter, a tool that abuses the Windows Filtering Platform for privilege escalation, via the hardcoded policy and provider-context name it uses (RonPolicy)
status: test · author: Stamatis Chatzimangou (st0pp3r) · id: 7b14c76a-c602-4ae6-9717-eff868153fc0
Sigma YAML:
title: HackTool - NoFilter Execution
id: 7b14c76a-c602-4ae6-9717-eff868153fc0
status: test
description: |
    Detects execution of NoFilter, a tool that abuses the Windows Filtering Platform for privilege escalation, via the hardcoded policy and provider-context name it uses (RonPolicy)
references:
    - https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp
    - https://github.com/deepinstinct/NoFilter
    - https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation
    - https://x.com/_st0pp3r_/status/1742203752361128162?s=20
author: Stamatis Chatzimangou (st0pp3r)
date: 2024-01-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1134.001
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection_5447:
        EventID: 5447
        FilterName|contains: 'RonPolicy'
    selection_5449:
        EventID: 5449
        ProviderContextName|contains: 'RonPolicy'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
[high] HackTool - SharpDPAPI Execution
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
Sigma YAML:
title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: test
description: |
    Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
    SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
references:
    - https://github.com/GhostPack/SharpDPAPI
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpDPAPI.exe'
        - OriginalFileName: 'SharpDPAPI.exe'
    selection_other_cli:
        CommandLine|contains:
            - ' backupkey '
            - ' blob '
            - ' certificates '
            - ' credentials '
            - ' keepass '
            - ' masterkeys '
            - ' rdg '
            - ' vaults '
    selection_other_options_guid:
        CommandLine|contains|all:
            - ' {'
            - '}:'
    selection_other_options_flags:
        CommandLine|contains:
            - ' /file:'
            - ' /machine'
            - ' /mkfile:'
            - ' /password:'
            - ' /pvk:'
            - ' /server:'
            - ' /target:'
            - ' /unprotect'
    condition: selection_img or (selection_other_cli and 1 of selection_other_options_*)
falsepositives:
    - Unknown
level: high
[high] HackTool - SharpImpersonation Execution
Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
status: test · author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) · id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
Sigma YAML:
title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
    - id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
      type: similar
status: test
description: Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
    - https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\SharpImpersonation.exe'
        - OriginalFileName: 'SharpImpersonation.exe'
    selection_cli:
        - CommandLine|contains|all:
              - ' user:'
              - ' binary:'
        - CommandLine|contains|all:
              - ' user:'
              - ' shellcode:'
        - CommandLine|contains:
              - ' technique:CreateProcessAsUserW'
              - ' technique:ImpersonateLoggedOnuser'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
[high] Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service it installs (Security EID 4697)
status: test · author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) · id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
Sigma YAML:
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service it installs (Security EID 4697)
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'Audit Security System Extension' subcategory (Advanced Audit Policy, System) needs to be enabled for EID 4697 to be logged
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): C:\Windows\System32\cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
[high] Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service it installs (System EID 7045 from the Service Control Manager)
status: test · author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) · id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
Sigma YAML:
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service it installs (System EID 7045 from the Service Control Manager)
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): C:\Windows\System32\cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
[high] Potential Meterpreter/CobaltStrike Activity
Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service process it starts as a child of services.exe
status: test · author: Teymur Kheirkhabarov, Ecco, Florian Roth · id: 15619216-e993-4721-b590-4c520615a67d
Sigma YAML:
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects use of the Meterpreter/Cobalt Strike getsystem command via the characteristic service process it starts as a child of services.exe
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        #   Meterpreter  getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
falsepositives:
    - Commandlines containing components like cmd accidentally
    - Jobs and services started with cmd
level: high
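The following is an added example and is not code from this page, from SigmaHQ or from the rule authors. It implements just enough of Sigma's matching semantics (case-insensitive contains / contains|all / endswith / startswith / exact match, map = AND, list = OR, "1 of prefix_*" and "not ...") to evaluate the getsystem process-creation rule above and the Koh named-pipe rule at the top of this page over a handful of constructed events. The events, the invented pipe names and the MpCmdRun line are constructed for illustration; wildcard and backslash-escape handling (which a real converter such as pySigma applies, and which the \\\\127.0.0.1\\ADMIN$\ selection of the Security/System variants depends on) is deliberately left out.

```python
# Added example (not part of the page or of SigmaHQ): a minimal evaluator for the
# subset of Sigma used by the rules above. pySigma / sigma-cli do the real work;
# this only shows how the matching semantics behave on sample events.
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]


def field_match(value: Any, spec: str, needles: List[Any]) -> bool:
    """Apply one field spec such as 'CommandLine|contains|all' to one value.
    Sigma string comparison is case-insensitive, so both sides are lowered.
    A list of needles is an OR unless the '|all' modifier is present."""
    mods = spec.split("|")[1:]
    v = str(value).lower()
    ns = [str(n).lower() for n in needles]
    if "contains" in mods:
        hits = [n in v for n in ns]
    elif "endswith" in mods:
        hits = [v.endswith(n) for n in ns]
    elif "startswith" in mods:
        hits = [v.startswith(n) for n in ns]
    else:
        hits = [v == n for n in ns]
    return all(hits) if "all" in mods else any(hits)


def selection_match(sel: Any, event: Event) -> bool:
    """A map is an AND of its fields; a list of maps is an OR of its items."""
    if isinstance(sel, list):
        return any(selection_match(item, event) for item in sel)
    for spec, needles in sel.items():
        field = spec.split("|")[0]
        if field not in event:
            return False
        if not isinstance(needles, list):
            needles = [needles]
        if not field_match(event[field], spec, needles):
            return False
    return True


def one_of(sels: Dict[str, bool], prefix: str) -> bool:
    """Sigma's '1 of prefix_*': any selection whose name starts with prefix."""
    return any(hit for name, hit in sels.items() if name.startswith(prefix))


def evaluate(detection: dict, condition: Callable[[Dict[str, bool]], bool], event: Event) -> bool:
    sels = {name: selection_match(body, event) for name, body in detection.items()}
    return condition(sels)


# "Potential Meterpreter/CobaltStrike Activity", transcribed from the YAML above.
GETSYSTEM = {
    "selection_img": {"ParentImage|endswith": "\\services.exe"},
    "selection_technique_1": {
        "CommandLine|contains|all": ["/c", "echo", "\\pipe\\"],
        "CommandLine|contains": ["cmd", "%COMSPEC%"],
    },
    "selection_technique_2": {"CommandLine|contains|all": ["rundll32", ".dll,a", "/p:"]},
    "filter_defender": {"CommandLine|contains": "MpCmdRun"},
}


def getsystem_cond(s: Dict[str, bool]) -> bool:
    # condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
    return s["selection_img"] and one_of(s, "selection_technique_") and not one_of(s, "filter_")


# "HackTool - Koh Default Named Pipe". Sysmon EID 17 logs PipeName without the \\.\pipe\ prefix.
KOH = {"selection": {"PipeName|contains": ["\\imposecost", "\\imposingcost"]}}

# Constructed sample events (not real telemetry), named after what they are meant to show.
SVC = "C:\\Windows\\System32\\services.exe"
EVENTS: Dict[str, Event] = {
    "cs_getsystem": {"ParentImage": SVC, "CommandLine": "%COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a"},
    "msf_rundll": {"ParentImage": SVC, "CommandLine": "rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn"},
    "user_cmd": {"ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c echo hi > \\\\.\\pipe\\mypipe"},
    "filtered": {"ParentImage": SVC, "CommandLine": "cmd.exe /c echo MpCmdRun > \\\\.\\pipe\\x"},  # trips technique 1, suppressed by filter
    "koh_pipe": {"PipeName": "\\ImposeCost"},  # mixed case still matches
    "mojo_pipe": {"PipeName": "\\mojo.9544.1.123"},
}


def run_all() -> Dict[str, bool]:
    results = {n: evaluate(GETSYSTEM, getsystem_cond, ev) for n, ev in EVENTS.items() if "CommandLine" in ev}
    results.update({n: evaluate(KOH, lambda s: s["selection"], ev) for n, ev in EVENTS.items() if "PipeName" in ev})
    return results


if __name__ == "__main__":
    for name, hit in run_all().items():
        print(f"{name:13s} {'ALERT' if hit else '-'}")
```

Running it flags the two getsystem command lines and the mixed-case Koh pipe, and stays quiet for the explorer-spawned cmd (the ParentImage gate fails) and for the MpCmdRun line (the filter wins). The `cmd` substring shows why the rule lists "commandlines containing components like cmd accidentally" as a false positive: almost any command line satisfies that part of technique 1, so the services.exe parent gate and the `\pipe\` redirection carry most of the signal.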
[medium] HackTool - Impersonate Execution
Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
status: test · author: Sai Prashanth Pulisetti @pulisettis · id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
Sigma YAML:
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
references:
    - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
    - https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.003
logsource:
    product: windows
    category: process_creation
detection:
    selection_commandline_exe:
        CommandLine|contains: 'impersonate.exe'
    selection_commandline_opt:
        CommandLine|contains:
            - ' list '
            - ' exec '
            - ' adduser '
    selection_hash:
        Hashes|contains:
            - 'MD5=9520714AB576B0ED01D1513691377D01'
            - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
            - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
    condition: all of selection_commandline_* or selection_hash
falsepositives:
    - Unknown
level: medium
[medium] Potential Access Token Abuse
Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used together with a LogonUser call using LOGON32_LOGON_NEW_CREDENTIALS (logged as LogonType 9, NewCredentials).
status: test · author: Michaela Adams, Zach Mathis · id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
Sigma YAML:
title: Potential Access Token Abuse
id: 02f7c9c1-1ae8-4c6a-8add-04693807f92f
status: test
description: Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used together with a LogonUser call using LOGON32_LOGON_NEW_CREDENTIALS (logged as LogonType 9, NewCredentials).
references:
    - https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation
    - https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
author: Michaela Adams, Zach Mathis
date: 2022-11-06
modified: 2023-04-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - stp.4u
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 9
        LogonProcessName: 'Advapi'
        AuthenticationPackageName: 'Negotiate'
        ImpersonationLevel: '%%1833' # Impersonation
    condition: selection
falsepositives:
    - Anti-Virus
level: medium
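The rule above is a plain exact-match selection, so the practical difficulty is not the logic but getting the Security event into the flat field names the rule expects. The following is an added example, not code from this page or from the rule's authors: it takes a Windows Security event in its EVTX XML form (what wevtutil or Get-WinEvent's ToXml() return), flattens <System> and <EventData> into Sigma field names, and applies the "Potential Access Token Abuse" selection. The XML, host name, user names and process path are constructed; the trailing spaces in LogonProcessName mirror the padding the raw event carries, and the `%%1833` value is the raw message-table token that Event Viewer renders as "Impersonation".

```python
# Added example (not from the page or the rule's authors): flatten a constructed
# Security 4624 event from EVTX XML into Sigma field names and apply the rule.
import xml.etree.ElementTree as ET
from typing import Dict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection, transcribed from the YAML above.
TOKEN_ABUSE = {
    "EventID": 4624,
    "LogonType": 9,                   # NewCredentials (LOGON32_LOGON_NEW_CREDENTIALS)
    "LogonProcessName": "Advapi",
    "AuthenticationPackageName": "Negotiate",
    "ImpersonationLevel": "%%1833",   # raw token; Event Viewer renders it as "Impersonation"
}


def make_4624(logon_type: str, level: str, process_name: str = "Advapi  ") -> str:
    """Build a constructed 4624 event. LogonProcessName is padded with trailing
    spaces on purpose, as it is in the raw Security event data."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>ws01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="LogonProcessName">{process_name}</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="ImpersonationLevel">{level}</Data>
    <Data Name="ProcessName">C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe</Data>
  </EventData>
</Event>"""


def flatten_event(xml_text: str) -> Dict[str, str]:
    """Map <System> children and <EventData><Data Name=...> onto flat Sigma field
    names. Values are stripped because several Security fields are whitespace-padded;
    without that, the exact match on 'Advapi' silently fails."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "Provider_Name": root.find("e:System/e:Provider", NS).get("Name"),
        "Channel": root.findtext("e:System/e:Channel", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def matches(selection: Dict[str, object], fields: Dict[str, str]) -> bool:
    """Sigma exact match: case-insensitive, with numeric rule values (EventID: 4624,
    LogonType: 9) compared against the string form the event actually carries."""
    return all(str(fields.get(k, "")).lower() == str(v).lower() for k, v in selection.items())


def check(xml_text: str) -> bool:
    return matches(TOKEN_ABUSE, flatten_event(xml_text))


if __name__ == "__main__":
    print("NewCredentials logon at Impersonation level:", check(make_4624("9", "%%1833")))
    print("Interactive logon (type 2):", check(make_4624("2", "%%1833")))
    print("NewCredentials logon, other impersonation level:", check(make_4624("9", "%%1832")))
```

Two things to verify against your own backend before deploying this rule: whether the pipeline keeps `ImpersonationLevel` as the raw `%%1833` or renders it to the message text ("Impersonation"), and whether `LogonProcessName` arrives trimmed or padded. Either difference turns a correct rule into one that never fires.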
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin