
Sigma detection rules

11 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

high
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 514e4c3a-c77d-4cde-a00f-046425e2301e
title: Abuse of Service Permissions to Hide Services Via Set-Service
id: 514e4c3a-c77d-4cde-a00f-046425e2301e
related:
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0
      type: derived
    - id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
      type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl:
        # Example would be: "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
        CommandLine|contains|all:
            - 'Set-Service '
            - 'DCLCWPDTSD'
    selection_cmdlet:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
level: high
high
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 953945c5-22fe-4a92-9f8a-a9edc1e522da
title: Abuse of Service Permissions to Hide Services Via Set-Service - PS
id: 953945c5-22fe-4a92-9f8a-a9edc1e522da
related:
    - id: 514e4c3a-c77d-4cde-a00f-046425e2301e
      type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Set-Service '
            - 'DCLCWPDTSD'
        ScriptBlockText|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    condition: selection
falsepositives:
    - Rare intended use of hidden services
    - Rare FP could occur due to the non linearity of the ScriptBlockText log
level: high
high
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Status: test · Author: Teymur Kheirkhabarov · ID: d937b75f-a665-4480-88a5-2f20e9f9b22a
title: Possible Privilege Escalation via Weak Service Permissions
id: d937b75f-a665-4480-88a5-2f20e9f9b22a
status: test
description: Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/30/weak-service-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    scbynonadmin:
        Image|endswith: '\sc.exe'
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
    selection_binpath:
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
    selection_failure:
        CommandLine|contains|all:
            - 'failure'
            - 'command'
    condition: scbynonadmin and 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Status: test · Author: Teymur Kheirkhabarov · ID: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
title: Potential Privilege Escalation via Service Permissions Weakness
id: 0f9c21f1-6a73-4b0e-9809-cb562cb8d981
status: test
description: Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
author: Teymur Kheirkhabarov
date: 2019-10-26
modified: 2024-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'Medium'
            - 'S-1-16-8192'
        CommandLine|contains|all:
            - 'ControlSet'
            - 'services'
        CommandLine|contains:
            - '\ImagePath'
            - '\FailureCommand'
            - '\ServiceDll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Status: test · Author: Andreas Hunkeler (@Karneades) · ID: a537cfc3-4297-4789-92b5-345bfd845ad0
title: Service DACL Abuse To Hide Services Via Sc.EXE
id: a537cfc3-4297-4789-92b5-345bfd845ad0
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
      type: similar
    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
      type: similar
status: test
description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-20
modified: 2022-08-08
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'sdset'
            # Summary of permissions
            #   DC: Delete All Child Objects
            #   LC: List Contents
            #   WP: Write All Properties
            #   DT: Delete Subtree
            #   SD: Delete
            - 'DCLCWPDTSD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 22d80745-6f2c-46da-826b-77adaededd74
title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
id: 22d80745-6f2c-46da-826b-77adaededd74
related:
    - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
      type: similar
status: test
description: Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_sddl_flag:
        ScriptBlockText|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        ScriptBlockText|contains|all:
            - 'Set-Service '
            - 'D;;'
        ScriptBlockText|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
    - Rare FP could occur due to the non linearity of the ScriptBlockText log
level: high
medium
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Status: test · Author: frack113 · ID: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
title: Changing Existing Service ImagePath Value Via Reg.EXE
id: 9b0b7ac3-6223-47aa-a3fd-e8f211e637db
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
author: frack113
date: 2021-12-30
modified: 2024-03-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'add '
            - 'SYSTEM\CurrentControlSet\Services\'
            - ' ImagePath '
    selection_value:
        CommandLine|contains|windash: ' -d '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Status: test · Author: Sreeman · ID: 38879043-7e1e-47a9-8d46-6bec88e201df
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
medium
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Status: test · Author: frack113 · ID: 95afc12e-3cbb-40c3-9340-84a032e596a3
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
description: |
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
    Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
author: frack113
date: 2021-12-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.011
    - stp.2a
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'get-acl'
            - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
medium
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ID: 98c5aeef-32d5-492f-b174-64a691896d25
title: Service Security Descriptor Tampering Via Sc.EXE
id: 98c5aeef-32d5-492f-b174-64a691896d25
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
      type: similar
    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
      type: similar
status: test
description: Detection of sc.exe utility adding a new service with special permission which hides that service.
references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://twitter.com/0gtweet/status/1628720819537936386
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains: 'sdset'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
low
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Status: test · Author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team · ID: 11d00fff-5dc3-428c-8184-801f292faec0
title: Service Registry Key Read Access Request
id: 11d00fff-5dc3-428c-8184-801f292faec0
status: test
description: |
    Detects "read access" requests on the services registry key.
    Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
    Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
references:
    - https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    service: security
    definition: 'Requirements: SACLs must be enabled for "READ_CONTROL" on the registry keys used in this rule'
detection:
    selection:
        EventID: 4663
        ObjectName|contains|all:
            - '\SYSTEM\'
            - 'ControlSet\Services\'
        AccessList|contains: '%%1538' # READ_CONTROL
    condition: selection
falsepositives:
    - Likely from legitimate applications reading their key. Requires heavy tuning
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin