Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects different hacktools used for relay attacks on Windows for privilege escalation
status testauthor Florian Roth (Nextron Systems)id 5589ab4f-a767-433c-961d-c91f3f704db1
view Sigma YAML
title: Potential SMB Relay Attack Tool Execution
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: test
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
references:
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
- https://pentestlab.blog/2017/04/13/hot-potato/
- https://github.com/ohpe/juicy-potato
- https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
- https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
- https://www.localpotato.com/
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-14
tags:
- attack.collection
- attack.execution
- attack.credential-access
- attack.t1557.001
logsource:
category: process_creation
product: windows
detection:
selection_pe:
Image|contains:
- 'PetitPotam'
- 'RottenPotato'
- 'HotPotato'
- 'JuicyPotato'
- '\just_dce_'
- 'Juicy Potato'
- '\temp\rot.exe'
- '\Potato.exe'
- '\SpoolSample.exe'
- '\Responder.exe'
- '\smbrelayx'
- '\ntlmrelayx'
- '\LocalPotato'
selection_script:
CommandLine|contains:
- 'Invoke-Tater'
- ' smbrelay'
- ' ntlmrelay'
- 'cme smb '
- ' /ntlm:NTLMhash '
- 'Invoke-PetitPotam'
- '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
CommandLine|contains: '.exe -c "{'
CommandLine|endswith: '}" -z'
filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
Image|contains:
- 'HotPotatoes6'
- 'HotPotatoes7'
- 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Legitimate files with these rare hacktool names
level: critical
high
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 0ed99dda-6a35-11ef-8c99-0242ac120002
view Sigma YAML
title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
type: similar
status: experimental
description: |
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
high
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
status testauthor Florian Roth (Nextron Systems)id cd8c163e-a19b-402e-bdd5-419ff5859f12
view Sigma YAML
title: HackTool - ADCSPwn Execution
id: cd8c163e-a19b-402e-bdd5-419ff5859f12
status: test
description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
references:
- https://github.com/bats3c/ADCSPwn
author: Florian Roth (Nextron Systems)
date: 2021-07-31
modified: 2023-02-04
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' --adcs '
- ' --port '
condition: selection
falsepositives:
- Unlikely
level: high
high
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
status testauthor Florian Roth (Nextron Systems)id 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
view Sigma YAML
title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
- https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-07
tags:
- attack.collection
- attack.execution
- attack.credential-access
- attack.t1557.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- '\goldenPac'
- '\karmaSMB'
- '\kintercept'
- '\ntlmrelayx'
- '\rpcdump'
- '\samrdump'
- '\secretsdump'
- '\smbexec'
- '\smbrelayx'
- '\wmiexec'
- '\wmipersist'
- Image|endswith:
- '\atexec_windows.exe'
- '\dcomexec_windows.exe'
- '\dpapi_windows.exe'
- '\findDelegation_windows.exe'
- '\GetADUsers_windows.exe'
- '\GetNPUsers_windows.exe'
- '\getPac_windows.exe'
- '\getST_windows.exe'
- '\getTGT_windows.exe'
- '\GetUserSPNs_windows.exe'
- '\ifmap_windows.exe'
- '\mimikatz_windows.exe'
- '\netview_windows.exe'
- '\nmapAnswerMachine_windows.exe'
- '\opdump_windows.exe'
- '\psexec_windows.exe'
- '\rdp_check_windows.exe'
- '\sambaPipe_windows.exe'
- '\smbclient_windows.exe'
- '\smbserver_windows.exe'
- '\sniff_windows.exe'
- '\sniffer_windows.exe'
- '\split_windows.exe'
- '\ticketer_windows.exe'
# - '\addcomputer_windows.exe'
# - '\esentutl_windows.exe'
# - '\getArch_windows.exe'
# - '\lookupsid_windows.exe'
# - '\mqtt_check_windows.exe'
# - '\mssqlclient_windows.exe'
# - '\mssqlinstance_windows.exe'
# - '\ntfs-read_windows.exe'
# - '\ping_windows.exe'
# - '\ping6_windows.exe'
# - '\raiseChild_windows.exe'
# - '\reg_windows.exe'
# - '\registry-read_windows.exe'
# - '\services_windows.exe'
# - '\wmiquery_windows.exe'
condition: selection
falsepositives:
- Legitimate use of the impacket tools
level: high
high
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
status testauthor Florian Roth (Nextron Systems)id bc2e25ed-b92b-4daa-b074-b502bdd1982b
view Sigma YAML
title: Local Privilege Escalation Indicator TabTip
id: bc2e25ed-b92b-4daa-b074-b502bdd1982b
status: test
description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
references:
- https://github.com/antonioCoco/JuicyPotatoNG
author: Florian Roth (Nextron Systems)
date: 2022-10-07
modified: 2023-04-14
tags:
- attack.collection
- attack.execution
- attack.credential-access
- attack.t1557.001
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-DistributedCOM'
EventID: 10001
param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # Binary starting/started
param2: 2147943140 # ERROR id
param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # DCOM Server
condition: selection
falsepositives:
- Unknown
level: high
high
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.
where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id b07e58cf-cacc-4135-8473-ccb2eba63dd2
view Sigma YAML
title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
related:
- id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
type: similar
- id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
type: similar
- id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt
type: similar
status: experimental
description: |
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,.
where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
references:
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.t1557.003
- attack.persistence
- attack.privilege-escalation
logsource:
product: windows
service: security
definition: |
By default these events are not logged by default for MicrosoftDNS objects in Active Directory.
To enable detection, configure an AuditRule on the DNS object container with the "CreateChild" permission for the "Everyone" principal.
This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).
detection:
selection_directory_service_changes:
EventID:
- 5136
- 5137
ObjectClass: 'dnsNode'
ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
- 'UWhRCA'
- 'BAAAA'
- 'CN=MicrosoftDNS'
selection_directory_service_access:
EventID: 4662
AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
- 'UWhRCA'
- 'BAAAA'
- 'CN=MicrosoftDNS'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
high
RottenPotato Like Attack Pattern
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
status testauthor @SBousseaden, Florian Rothid 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
view Sigma YAML
title: RottenPotato Like Attack Pattern
id: 16f5d8ca-44bd-47c8-acbe-6fc95a16c12f
status: test
description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
references:
- https://twitter.com/SBousseaden/status/1195284233729777665
author: '@SBousseaden, Florian Roth'
date: 2019-11-15
modified: 2022-12-22
tags:
- attack.collection
- attack.privilege-escalation
- attack.credential-access
- attack.t1557.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
TargetUserName: 'ANONYMOUS LOGON'
WorkstationName: '-'
IpAddress:
- '127.0.0.1'
- '::1'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id bb0e87ce-c89f-4857-84fa-095e4483e9cb
view Sigma YAML
title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\gup.exe'
selection_child_img:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
selection_child_cli:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'finger'
- 'forfiles'
- 'regsvr32'
- 'rundll32'
- 'wget'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
high
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
view Sigma YAML
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains|all:
- 'UWhRCA'
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 5588576c-5898-4fac-bcdd-7475a60e8f43
view Sigma YAML
title: Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network
id: 5588576c-5898-4fac-bcdd-7475a60e8f43
related:
- id: b07e58cf-cacc-4135-8473-ccb2eba63dd2 # Potential Kerberos Coercion via DNS Object Spoofing
type: similar
- id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
type: similar
status: experimental
description: |
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
references:
- https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
- https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
- attack.collection
- attack.credential-access
- attack.persistence
- attack.privilege-escalation
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dns
detection:
selection:
query|contains|all:
- 'UWhRCA' # Follows this pattern UWhRCAAAAA..BAAA
- 'BAAAA'
condition: selection
falsepositives:
- Unknown
level: high
high
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
view Sigma YAML
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_legit_paths:
TargetFilename|startswith:
- 'C:\Program Files\Notepad++\'
- 'C:\Program Files (x86)\Notepad++\'
filter_main_temp_update_installer:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- 'npp.'
- '.Installer.'
- '.exe'
filter_main_temp_generic_zip:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip'
filter_main_recycle_bin:
TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
filter_main_plugins:
- TargetFilename|contains:
- '\plugins\JsonTools\testfiles\'
- '\Notepad++\plugins\ComparePlugin\'
- TargetFilename|contains|all:
- 'npp.'
- '.portable.'
- '\plugins\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Custom or portable Notepad++ installations in non-standard directories.
- Legitimate update processes creating temporary files in unexpected locations.
level: high
high
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
status testauthor Florian Roth (Nextron Systems)id 679085d5-f427-4484-9f58-1dc30a7c426d
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
status experimentalauthor hamidid d22df9cd-2aee-4089-93c7-9dc4eae77f2c
view Sigma YAML
title: ISATAP Router Address Was Set
id: d22df9cd-2aee-4089-93c7-9dc4eae77f2c
status: experimental
description: |
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6.
In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic.
This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
references:
- https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/
- https://redfoxsec.com/blog/ipv6-dns-takeover/
- https://www.securityhq.com/blog/malicious-isatap-tunneling-unearthed-on-windows-server/
- https://medium.com/@ninnesoturan/detecting-ipv6-dns-takeover-a54a6a88be1f
author: hamid
date: 2025-10-19
tags:
- attack.impact
- attack.credential-access
- attack.collection
- attack.initial-access
- attack.privilege-escalation
- attack.execution
- attack.t1557
- attack.t1565.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 4100
Provider_Name: 'Microsoft-Windows-Iphlpsvc'
filter_main_localhost:
IsatapRouter:
- '127.0.0.1'
- '::1'
filter_optional_null:
IsatapRouter: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate ISATAP router configuration in enterprise environments
- IPv6 transition projects and network infrastructure changes
- Network administrators configuring dual-stack networking
- Automatic ISATAP configuration in some Windows deployments
level: medium
medium
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 2074e137-1b73-4e2d-88ba-5a3407dbdce0
view Sigma YAML
title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: dns_query
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_notepad_legit_domain:
QueryName: 'notepad-plus-plus.org'
filter_optional_sourceforge_legit_domain:
QueryName|endswith: '.sourceforge.net'
filter_optional_github_legit_domain:
- QueryName|endswith: '.githubusercontent.com'
- QueryName: 'github.com'
filter_optional_google_storage_legit_domain:
QueryName|endswith: '.googleapis.com'
filter_optional_uncommon_domains:
QueryName|endswith:
- '.azurewebsites.net'
- 'block.opendns.com'
- 'gateway.zscalerthree.net'
# Add other known legitimate domains if any
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
- Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
medium
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
status testauthor @neu5ron, @Antonlovesdnb, Mike Remenid 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
view Sigma YAML
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
- https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dce_rpc
detection:
selection:
operation|startswith: 'efs'
condition: selection
falsepositives:
- Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium
medium
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
status testauthor Janantha Marasingheid c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
- attack.collection
- attack.discovery
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1685.001
- attack.t1547.001
- attack.t1505.005
- attack.t1556.002
- attack.t1685
- attack.t1574.007
- attack.t1564.002
- attack.t1546.008
- attack.t1546.007
- attack.t1547.014
- attack.t1547.010
- attack.t1547.002
- attack.t1557
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\secedit.exe'
- OriginalFileName: 'SeCEdit'
selection_flags_discovery:
CommandLine|contains|all:
- '/export'
- '/cfg'
selection_flags_configure:
CommandLine|contains|all:
- '/configure'
- '/db'
# filter:
# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log
condition: selection_img and (1 of selection_flags_*)
falsepositives:
- Legitimate administrative use
level: medium
low
Cisco BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing
status testauthor Tim Brownid 56fa3cd6-f8d6-4520-a8c7-607292971886
view Sigma YAML
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: cisco
service: bgp
definition: 'Requirements: cisco bgp logs need to be enabled and ingested'
detection:
keywords_bgp_cisco:
'|all':
- ':179' # Protocol
- 'IP-TCP-3-BADAUTH'
condition: keywords_bgp_cisco
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
low
Cisco LDP Authentication Failures
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
status testauthor Tim Brownid 50e606bf-04ce-4ca7-9d54-3449494bbd4b
view Sigma YAML
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: cisco
service: ldp
definition: 'Requirements: cisco ldp logs need to be enabled and ingested'
detection:
selection_protocol:
- 'LDP'
selection_keywords:
- 'SOCKET_TCP_PACKET_MD5_AUTHEN_FAIL'
- 'TCPMD5AuthenFail'
condition: selection_protocol and selection_keywords
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
low
Huawei BGP Authentication Failures
Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
status testauthor Tim Brownid a557ffe6-ac54-43d2-ae69-158027082350
view Sigma YAML
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: huawei
service: bgp
definition: 'Requirements: huawei bgp logs need to be enabled and ingested'
detection:
keywords_bgp_huawei:
'|all':
- ':179' # Protocol
- 'BGP_AUTH_FAILED'
condition: keywords_bgp_huawei
falsepositives:
- Unlikely. Except due to misconfigurations
level: low
low
Juniper BGP Missing MD5
Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
status testauthor Tim Brownid a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
view Sigma YAML
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: test
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
author: Tim Brown
date: 2023-01-09
modified: 2023-01-23
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1078
- attack.t1110
- attack.t1557
logsource:
product: juniper
service: bgp
definition: 'Requirements: juniper bgp logs need to be enabled and ingested'
detection:
keywords_bgp_juniper:
'|all':
- ':179' # Protocol
- 'missing MD5 digest'
condition: keywords_bgp_juniper
falsepositives:
- Unlikely. Except due to misconfigurations
level: low