Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Cisco Crypto Commands
Shows when private keys are exported from the device or when new certificates are installed.
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Shows when private keys are exported from the device or when new certificates are installed
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known-good certificates
level: high
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: Root Certificate Installed From Susp Locations
id: 5f6a601c-2ecb-498b-9c33-660362323afa
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
    - https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2023-01-16
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Import-Certificate'
            - ' -FilePath '
            - 'Cert:\LocalMachine\Root'
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - ':\Windows\TEMP\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - ':\Users\Public\'
    condition: selection
falsepositives:
    - Unlikely
level: high
New Root Certificate Installed Via CertMgr.EXE
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: New Root Certificate Installed Via CertMgr.EXE
id: ff992eac-6449-4c60-8c1d-91c9722a1d48
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
    - https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
    selection_img:
        - Image|endswith: '\CertMgr.exe'
        - OriginalFileName: 'CERTMGT.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '/add'
            - 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Needs testing to confirm that a GPO push does not trigger a false positive
level: medium
New Root Certificate Installed Via Certutil.EXE
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: New Root Certificate Installed Via Certutil.EXE
id: d2125259-ddea-4c1c-9c22-977eb5b29cf0
related:
    - id: 42821614-9264-4761-acfc-5772c3286f76
      type: derived
    - id: 46591fae-7a4c-46ea-aec3-dff5e6d785dc
      type: obsolete
status: test
description: |
    Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
    Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: oscd.community, @redcanary, Zach Stanford @svch0st
date: 2023-03-05
modified: 2024-03-05
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    category: process_creation
    product: windows
detection:
    # Example: certutil -addstore -f -user ROOT CertificateFileName.der
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli_add:
        CommandLine|contains|windash: '-addstore'
    selection_cli_store:
        CommandLine|contains: 'root'
    condition: all of selection_*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Needs testing to confirm that a GPO push does not trigger a false positive
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation/info.yml
Persistence Via New SIP Provider
Detects when an attacker registers a new SIP provider for persistence and defense evasion.
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: test
description: Detects when an attacker registers a new SIP provider for persistence and defense evasion
references:
    - https://persistence-info.github.io/Data/codesigning.html
    - https://github.com/gtworek/PSBits/tree/master/SIP
    - https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1553.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_root:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
    selection_dll:
        TargetObject|contains:
            - '\Dll'
            - '\$DLL'
    filter:
        Details:
            # Add more legitimate SIP providers according to your env
            - WINTRUST.DLL
            - mso.dll
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|contains: '\CryptSIPDll'
        Details: 'C:\Windows\System32\PsfSip.dll'
    condition: all of selection_* and not 1 of filter*
falsepositives:
    - Legitimate SIP providers registered by the OS or by other software.
level: medium
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
    - attack.impact
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070.004
    - attack.t1027.005
    - attack.t1485
    - attack.t1553.002
    - attack.s0195
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4656
            - 4663
            - 4658
        ObjectName|endswith:
            - '.AAA'
            - '.ZZZ'
    condition: selection
falsepositives:
    - Legitimate usage of SDelete
    - Legitimate files that happen to use these extensions
level: medium
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: test
description: Detects the execution of a renamed BOINC binary.
references:
    - https://boinc.berkeley.edu/
    - https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.defense-impairment
    - attack.t1553
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'BOINC.exe'
    filter_main_legit_name:
        Image|endswith: '\BOINC.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection1:
        ScriptBlockText|contains|all:
            - 'Move-Item'
            - 'Cert:\LocalMachine\Root'
    selection2:
        ScriptBlockText|contains|all:
            - 'Import-Certificate'
            - 'Cert:\LocalMachine\Root'
    condition: 1 of selection*
falsepositives:
    - Help Desk or IT may need to manually add a corporate Root CA on occasion. Needs testing to confirm that a GPO push does not trigger a false positive
level: medium
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
status: test | author: Tim Rauch (rule), Elastic (idea) | id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4 | level: medium
Suspicious Unblock-File
Detects use of Unblock-File to remove the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
title: Suspicious Unblock-File
id: 5947497f-1aa4-41dd-9693-c9848d58727d
status: test
description: Detects use of Unblock-File to remove the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Unblock-File '
            - '-Path '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Suspicious X509Enrollment - Process Creation
Detects use of X509Enrollment.
title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
    - id: 504d63cb-0dba-4d02-8531-e72981aace2c
      type: similar
status: test
description: Detects use of X509Enrollment
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'X509Enrollment.CBinaryConverter'
            - '884e2002-217d-11da-b2a4-000e7bbb2b09'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
Suspicious X509Enrollment - Ps Script
Detects use of X509Enrollment.
title: Suspicious X509Enrollment - Ps Script
id: 504d63cb-0dba-4d02-8531-e72981aace2c
related:
    - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
      type: similar
status: test
description: Detects use of X509Enrollment
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
    - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'X509Enrollment.CBinaryConverter'
            - '884e2002-217d-11da-b2a4-000e7bbb2b09'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges, which run with elevated privileges outside the normal AppX container restrictions.
title: Windows AppX Deployment Full Trust Package Installation
id: e54279c7-4910-4e2c-902c-c56a25b549f6
status: experimental
description: Detects the installation of MSIX/AppX packages with full trust privileges, which run with elevated privileges outside the normal AppX container restrictions
references:
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 400
        HasFullTrust: true
    filter_main_legitpath:
        PackageSourceUri|startswith:
            - 'file:///C:/Program%20Files/'
            - 'file:///C:/Program%20Files%20(x86)/'
    filter_main_microsoft:
        - PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
        - PackageSourceUri|contains:
            - '.cdn.microsoft.com'
            - '.cdn.office.net/'
    filter_main_callerprocess:
        CallingProcess|startswith:
            - 'sysprep.exe'
            - 'svchost.exe,AppReadiness'
    filter_optional_x_update:
        PackageSourceUri|startswith: 'x-windowsupdate://'
    filter_optional_microsoftclient:
        PackageFullName|startswith: 'MicrosoftWindows.Client.'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Installations of some legitimate applications that the filters miss can generate false positives, so baselining and tuning are recommended before deploying to production
level: medium
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
      type: similar
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 603
        Flags: '8388608'
    condition: selection
falsepositives:
    - Legitimate installation of unsigned packages for purposes such as development or testing
level: medium
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects requests denied by Active Directory Certificate Services.
Examples of reasons for such denials include issues with permissions on the certificate template or invalid signatures.
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
    Detects requests denied by Active Directory Certificate Services.
    Examples of reasons for such denials include issues with permissions on the certificate template or invalid signatures.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
    - https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-CertificationAuthority'
        EventID: 53
    condition: selection
falsepositives:
    - Unknown
level: low
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via the xattr utility.
status: test | author: Daniil Yugoslavskiy, oscd.community | id: f5141b6d-9f42-41c6-a7bf-2a780678b29b | level: low
Install Root Certificate
Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s.
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
    - attack.defense-impairment
    - attack.t1553.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/update-ca-certificates'
            - '/update-ca-trust'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
Suspicious Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
title: Suspicious Mount-DiskImage
id: 29e1c216-6408-489d-8a06-ee9d151ef819
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: low
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
This activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low