Sigma detection rules

2 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML follows each rule.

Detection rules

Severity: high
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence. The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 707e097c-e20f-4f67-8807-1f72ff4500d6
Sigma YAML:
title: Potential Persistence Via App Paths Default Property
id: 707e097c-e20f-4f67-8807-1f72ff4500d6
status: test
description: |
    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence.
    The entries found under App Paths are used primarily for the following purposes.
    First, to map an application's executable file name to that file's fully qualified path.
    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
references:
    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
        TargetObject|endswith:
            - '(Default)'
            - 'Path'
        Details|contains:
            # Add more suspicious paths or binaries as you see fit.
            - '\Users\Public'
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '%temp%'
            - '%tmp%'
            - 'iex'
            - 'Invoke-'
            - 'rundll32'
            - 'regsvr32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - '.bat'
            - '.hta'
            - '.dll'
            - '.ps1'
    condition: selection
falsepositives:
    - Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
level: high
Severity: high
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
status: test · author: Karneades, Jonhnathan Ribeiro, Florian Roth · id: 36803969-5421-41ec-b92f-8500f79c23b0
Sigma YAML:
title: Potential Persistence Via GlobalFlags
id: 36803969-5421-41ec-b92f-8500f79c23b0
related:
    - id: c81fe886-cac0-4913-a511-2822d72ff505
      type: obsolete
status: test
description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
references:
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
author: Karneades, Jonhnathan Ribeiro, Florian Roth
date: 2018-04-11
modified: 2023-06-05
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
    - car.2013-01-002
logsource:
    category: registry_set
    product: windows
detection:
    selection_global_flag:
        TargetObject|contains|all:
            - '\Microsoft\Windows NT\CurrentVersion\'
            - '\Image File Execution Options\'
            - '\GlobalFlag'
    selection_silent_process:
        TargetObject|contains|all:
            - '\Microsoft\Windows NT\CurrentVersion\'
            - '\SilentProcessExit\'
        TargetObject|contains:
            - '\ReportingMode'
            - '\MonitorProcess'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin