Sigma detection rules

Home/Sigma rules

Sigma

6 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

6 shown of 6

high

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34

view Sigma YAML

title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high

high

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

status test author Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems) id 843544a7-56e0-4dcc-a44f-5cc266dd97d6

view Sigma YAML

title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
        - 'cmd'
        - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high

high

PUA - AdvancedRun Suspicious Execution

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

status test author Florian Roth (Nextron Systems) id fa00b701-44c6-4679-994d-5a18afa8a707

view Sigma YAML

title: PUA - AdvancedRun Suspicious Execution
id: fa00b701-44c6-4679-994d-5a18afa8a707
related:
    - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
      type: similar
status: test
description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '/EXEFilename'
            - '/CommandLine'
    selection_runas:
        - CommandLine|contains:
              - ' /RunAs 8 '
              - ' /RunAs 4 '
              - ' /RunAs 10 '
              - ' /RunAs 11 '
        - CommandLine|endswith:
              - '/RunAs 8'
              - '/RunAs 4'
              - '/RunAs 10'
              - '/RunAs 11'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user/info.yml

high

Potential Meterpreter/CobaltStrike Activity

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

status test author Teymur Kheirkhabarov, Ecco, Florian Roth id 15619216-e993-4721-b590-4c520615a67d

view Sigma YAML

title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        #   Meterpreter  getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        #   CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
falsepositives:
    - Commandlines containing components like cmd accidentally
    - Jobs and services started with cmd
level: high

high

Suspicious Child Process Created as System

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

status test author Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR) id 590a5f4c-6c8c-4f10-8307-89afe9453a9d

view Sigma YAML

title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://github.com/antonioCoco/RogueWinRM
    - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
    definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
    selection:
        ParentUser|contains:
            - 'AUTHORI'
            - 'AUTORI'
        ParentUser|endswith:
            - '\NETWORK SERVICE'
            - '\LOCAL SERVICE'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        User|endswith: # System
            - '\SYSTEM'
            - '\Système'
            - '\СИСТЕМА'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'DavSetCookie'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

medium

PUA - AdvancedRun Execution

Detects the execution of AdvancedRun utility

status test author Florian Roth (Nextron Systems) id d2b749ee-4225-417e-b20e-a8d2193cbb84

view Sigma YAML

title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
    - id: fa00b701-44c6-4679-994d-5a18afa8a707
      type: similar
status: test
description: Detects the execution of AdvancedRun utility
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.003
    - attack.t1134.002
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - OriginalFileName: 'AdvancedRun.exe'
        - CommandLine|contains|all:
              - ' /EXEFilename '
              - ' /Run'
        - CommandLine|contains|all:
              - ' /WindowState 0'
              - ' /RunAs '
              - ' /CommandLine '
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml

Showing 1-6 of 6

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin