Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Each rule summary is followed by its raw Sigma YAML.
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
status: test | author: Florian Roth (Nextron Systems) | id: e0d6c087-2d1c-47fd-8799-3904103c5a98
Sigma YAML:
title: AMSI Bypass Pattern Assembly GetType
id: e0d6c087-2d1c-47fd-8799-3904103c5a98
status: test
description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
references:
    - https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
    - https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
author: Florian Roth (Nextron Systems)
date: 2022-11-09
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.execution
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '[Ref].Assembly.GetType'
            - 'SetValue($null,$true)'
            - 'NonPublic,Static'
    condition: selection
falsepositives:
    - Unknown
level: high
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
Sigma YAML:
title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
      type: similar
status: experimental
description: |
    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
status: experimental | author: Milad Cheraghi | id: e497a24e-9345-4a62-9803-b06d7d7cb132
Sigma YAML:
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
    - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
    - Modification of the /proc/sys/kernel/randomize_va_space file
    - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall:
        type: 'SYSCALL'
        SYSCALL: 'personality'
        a0: 40000
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable
    condition: 1 of selection_*
falsepositives:
    - Debugging or legitimate software testing
level: high
AWS Config Disabling Channel/Recorder
Detects AWS Config Service disabling
status: test | author: vitaliy0x1 | id: 07330162-dba1-4746-8121-a9647d49d297
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
status: experimental | author: suktech24 | id: d2656e78-c069-4571-8220-9e0ab5913f19
Sigma YAML:
title: AWS GuardDuty Detector Deleted Or Updated
id: d2656e78-c069-4571-8220-9e0ab5913f19
status: experimental
description: |
    Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of its malicious activities.
    Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
    Verify with the user identity that this activity is legitimate.
references:
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html
    - https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_suspend-disable.html
    - https://docs.datadoghq.com/security/default_rules/719-39f-9cd/
    - https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-guardduty-detector-is-enabled
    - https://docs.stellarcyber.ai/5.2.x/Using/ML/Alert-Rule-Based-Potentially_Malicious_AWS_Activity.html
    - https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Amazon%20Web%20Services/Analytic%20Rules/AWS_GuardDutyDisabled.yaml
    - https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
    - https://help.fortinet.com/fsiem/Public_Resource_Access/7_4_0/rules/PH_RULE_AWS_GuardDuty_Detector_Deletion.htm
    - https://research.splunk.com/sources/5d8bd475-c8bc-4447-b27f-efa508728b90/
    - https://suktech24.com/2025/07/17/aws-threat-detection-rule-guardduty-detector-disabled-or-suspended/
    - https://www.atomicredteam.io/atomic-red-team/atomics/T156001#atomic-test-46---aws---guardduty-suspension-or-deletion
author: suktech24
date: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.t1685.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event_source:
        eventSource: 'guardduty.amazonaws.com'
    selection_action_delete:
        eventName: 'DeleteDetector'
    selection_action_update:
        eventName: 'UpdateDetector'
        requestParameters.enable: 'false'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event_source and 1 of selection_action_* and 1 of selection_status_*
falsepositives:
    - Legitimate detector deletion by an admin (e.g., during account decommissioning).
    - Temporary disablement for troubleshooting (verify via change management tickets).
    - Automated deployment tools (e.g. Terraform) managing GuardDuty state.
level: high
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
status: test | author: faloker | id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
Sigma YAML:
title: AWS GuardDuty Important Change
id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
status: test
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
author: faloker
date: 2020-02-11
modified: 2022-10-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: guardduty.amazonaws.com
        eventName: CreateIPSet
    condition: selection_source
falsepositives:
    - Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high
AWS SecurityHub Findings Evasion
Detects the modification of the findings on SecurityHub.
status: stable | author: Sittikorn S | id: a607e1fe-74bf-4440-a3ec-b059b9103157
Sigma YAML:
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
references:
    - https://docs.aws.amazon.com/cli/latest/reference/securityhub/
author: Sittikorn S
date: 2021-06-28
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: securityhub.amazonaws.com
        eventName:
            - 'BatchUpdateFindings'
            - 'DeleteInsight'
            - 'UpdateFindings'
            - 'UpdateInsight'
    condition: selection
falsepositives:
    - System or Network administrator behaviors
    - DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode as some security products do not
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: d7662ff6-9e97-4596-a61d-9839e32dee8d
Sigma YAML:
title: Add SafeBoot Keys Via Reg Utility
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
related:
    - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode as some security products do not
references:
    - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2024-03-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_safeboot:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    selection_flag:
        CommandLine|contains:
            - ' copy '
            - ' add '
    condition: all of selection*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_safeboot/info.yml
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
status: test | author: @kostastsale, Nasreddine Bencherchali (Nextron Systems) | id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
Sigma YAML:
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
    Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status: test | author: Janantha Marasinghe (https://github.com/blueteam0ps) | id: 0a13e132-651d-11eb-ae93-0242ac130002
Sigma YAML:
title: Audit Policy Tampering Via Auditpol
id: 0a13e132-651d-11eb-ae93-0242ac130002
related:
    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
      type: similar
status: test
description: |
    Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Janantha Marasinghe (https://github.com/blueteam0ps)
date: 2021-02-02
modified: 2023-02-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\auditpol.exe'
        - OriginalFileName: 'AUDITPOL.EXE'
    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear' # delete or clears audit policy
            - 'remove' # removes an audit policy
            - 'restore' # restores an audit policy
    condition: all of selection_*
falsepositives:
    - Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored
level: high
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
Sigma YAML:
title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
      type: similar
status: test
description: |
    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '/logon:none'
            - '/system:none'
            - '/sam:none'
            - '/privilege:none'
            - '/object:none'
            - '/process:none'
            - '/policy:none'
    condition: selection
falsepositives:
    - The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
status: experimental | author: Mohamed LAKRI | id: bed26dea-4525-47f4-b24a-76e30e44ffb0
Sigma YAML:
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
    Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
    This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
    Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
    - https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.defense-impairment
    - attack.t1685.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/auditctl'
        CommandLine|re: '-D'
    condition: selection
falsepositives:
    - An administrator troubleshooting. Investigate all attempts.
level: high
Auditing Configuration Changes on Linux Host
Detects changes in auditd configuration files
status: test | author: Mikhail Larin, oscd.community | id: 977ef627-4539-4875-adf4-ed8f780c4922
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from secret scanning feature.
status: test | author: Muhammad Faisal (@faisalusuf) | id: b91e8d5e-0033-44fe-973f-b730316f23a1
Sigma YAML:
title: Bitbucket Secret Scanning Exempt Repository Added
id: b91e8d5e-0033-44fe-973f-b730316f23a1
status: test
description: Detects when a repository is exempted from secret scanning feature.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Basic" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Repositories'
        auditType.action: 'Secret scanning exempt repository added'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: high
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
status: test | author: frack113 | id: 7d9263bd-dc47-4a58-bc92-5474abab390c
Sigma YAML:
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
    - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
    - https://learn.microsoft.com/en-us/windows/win32/api/winevt/
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: frack113
date: 2022-09-17
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\ChannelAccess'
        # Add more interesting combinations if you found them
        Details|contains:
            - '(A;;0x1;;;LA)' # Local administrator having GENERIC ALL
            - '(A;;0x1;;;SY)' # Local System having GENERIC ALL
            - '(A;;0x5;;;BA)' # Built-in administrators having GENERIC ALL and GENERIC WRITE
    filter_main_trustedinstaller:
        Image: 'C:\Windows\servicing\TrustedInstaller.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Cisco Disabling Logging
Turn off logging locally or remotely
status: test | author: Austin Clark | id: 9e8f6035-88bf-4a63-96b6-b17c0508257e
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
status: experimental | author: Matt Anderson, Dray Agha, Anna Pham (Huntress) | id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
Sigma YAML:
title: Devcon Execution Disabling VMware VMCI Device
id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
status: experimental
description: |
    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1543.003
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\devcon.exe'
        - OriginalFileName: 'DevCon.exe'
    selection_action:
        CommandLine|contains: ' disable '
    selection_vmci_pci:
        CommandLine|contains:
            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
    condition: all of selection_*
falsepositives:
    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
    - Automated scripts in virtualized environments for device cleanup.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
Disable PUA Protection on Windows Defender
Detects disabling Windows Defender PUA protection
status: test | author: Austin Songer @austinsonger | id: 8ffc5407-52e3-478f-9596-0a7371eafe13
Sigma YAML:
title: Disable PUA Protection on Windows Defender
id: 8ffc5407-52e3-478f-9596-0a7371eafe13
status: test
description: Detects disabling Windows Defender PUA protection
references:
    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
author: Austin Songer @austinsonger
date: 2021-08-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unknown
level: high
Disable Security Events Logging Adding Reg Key MiniNt
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
status: test | author: Ilyas Ochkov, oscd.community | id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
Sigma YAML:
title: Disable Security Events Logging Adding Reg Key MiniNt
id: 919f2ef0-be2d-4a7a-b635-eb2b41fde044
status: test
description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stop writing events.
references:
    - https://twitter.com/0gtweet/status/1182516740955226112
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
          EventType: 'CreateKey' # we don't want deletekey
        # key rename
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: selection
falsepositives:
    - Unknown
level: high
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
status: test | author: ok @securonix invrep-de, oscd.community, frack113 | id: a7ee1722-c3c5-aeff-3212-c777e4733217
Sigma YAML:
title: Disable Windows Defender AV Security Monitoring
id: a7ee1722-c3c5-aeff-3212-c777e4733217
status: test
description: Detects attackers attempting to disable Windows Defender using Powershell
references:
    - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
    - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: 'ok @securonix invrep-de, oscd.community, frack113'
date: 2020-10-12
modified: 2022-11-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh_binary:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - '-DisableBehaviorMonitoring $true'
            - '-DisableRuntimeMonitoring $true'
    selection_sc_binary:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_sc_tamper_cmd_stop:
        CommandLine|contains|all:
            - 'stop'
            - 'WinDefend'
    selection_sc_tamper_cmd_delete:
        CommandLine|contains|all:
            - 'delete'
            - 'WinDefend'
    selection_sc_tamper_cmd_disabled:
        CommandLine|contains|all:
            - 'config'
            - 'WinDefend'
            - 'start=disabled'
    condition: all of selection_pwsh_* or (selection_sc_binary and 1 of selection_sc_tamper_*)
falsepositives:
    - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
level: high
Disable Windows Defender Functionalities Via Registry Keys
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
status: test | author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel | id: 0eb46774-f1ab-4a74-8238-1155855f2263
Sigma YAML:
title: Disable Windows Defender Functionalities Via Registry Keys
id: 0eb46774-f1ab-4a74-8238-1155855f2263
related:
    - id: a64e4198-c1c8-46a5-bc9c-324c86455fd4
      type: obsolete
    - id: fd115e64-97c7-491f-951c-fc8da7e042fa
      type: obsolete
status: test
description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
references:
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
    - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
    - https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
    - https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
    - https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan Poudel
date: 2022-08-01
modified: 2024-10-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows Defender\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
            - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_1:
        TargetObject|endswith:
            - '\DisableAntiSpyware'
            - '\DisableAntiVirus'
            - '\DisableBehaviorMonitoring'
            - '\DisableBlockAtFirstSeen'
            - '\DisableEnhancedNotifications'
            - '\DisableIntrusionPreventionSystem'
            - '\DisableIOAVProtection'
            - '\DisableOnAccessProtection'
            - '\DisableRealtimeMonitoring'
            - '\DisableScanOnRealtimeEnable'
            - '\DisableScriptScanning'
        Details: 'DWORD (0x00000001)'
    selection_dword_0:
        TargetObject|endswith:
            - '\DisallowExploitProtectionOverride'
            - '\Features\TamperProtection'
            - '\MpEngine\MpEnablePus'
            - '\PUAProtection'
            - '\Signature Update\ForceUpdateFromMU'
            - '\SpyNet\SpynetReporting'
            - '\SpyNet\SubmitSamplesConsent'
            - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
        Details: 'DWORD (0x00000000)'
    filter_optional_symantec:
        Image|startswith: 'C:\Program Files\Symantec\Symantec Endpoint Protection\'
        Image|endswith: '\sepWscSvc64.exe'
    condition: selection_main and 1 of selection_dword_* and not 1 of filter_optional_*
falsepositives:
    - Administrator actions via the Windows Defender interface
    - Third party Antivirus
level: high
Disable Windows Event Logging Via Registry
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
status: test | author: frack113, Nasreddine Bencherchali (Nextron Systems) | id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
Sigma YAML:
title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889
    - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-04
modified: 2024-03-25
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
        TargetObject|endswith: '\Enabled'
        Details: 'DWORD (0x00000000)'
    filter_main_wevutil:
        Image: 'C:\Windows\system32\wevtutil.exe' # FP generated during installation of manifests via wevtutil
    filter_main_iis:
        Image|startswith: 'C:\Windows\winsxs\'
        Image|endswith: '\TiWorker.exe' # Many different TargetObjects
    filter_main_svchost:
        Image: 'C:\Windows\System32\svchost.exe'
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\'
            - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational\'
    filter_main_trusted_installer:
        Image: C:\Windows\servicing\TrustedInstaller.exe
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Compat-Appraiser'
    filter_optional_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: ''
    filter_optional_null: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting
level: high
Disable Windows IIS HTTP Logging
Detects the disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)
status: test | author: frack113 | id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
Sigma YAML:
title: Disable Windows IIS HTTP Logging
id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
status: test
description: Detects the disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
author: frack113
date: 2022-01-09
modified: 2023-01-22
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:httplogging'
            - 'dontLog:true'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Disable of ETW Trace - Powershell
Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
Sigma YAML:
title: Disable of ETW Trace - Powershell
id: 115fdba9-f017-42e6-84cf-d5573bf2ddf8
related:
    - id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
      type: derived
status: test
description: Detects usage of PowerShell cmdlets to disable or remove ETW trace sessions
references:
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2022-11-25
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_pwsh_remove: # Autologger provider removal
        ScriptBlockText|contains: 'Remove-EtwTraceProvider '
    selection_pwsh_set: # Provider “Enable” property modification
        ScriptBlockText|contains|all:
            - 'Set-EtwTraceProvider '
            - '0x11'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Disable-WindowsOptionalFeature Command PowerShell
Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) module.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
status: test | author: frack113 | id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
Sigma YAML:
title: Disable-WindowsOptionalFeature Command PowerShell
id: 99c4658d-2c5e-4d87-828d-7c066ca537c3
status: test
description: |
    Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) module.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md
    - https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
author: frack113
date: 2022-09-10
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Disable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any important windows features
        ScriptBlockText|contains:
            - 'Windows-Defender-Gui'
            - 'Windows-Defender-Features'
            - 'Windows-Defender'
            - 'Windows-Defender-ApplicationGuard'
            # - 'Containers-DisposableClientVM' # Windows Sandbox
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
status: test | author: Florian Roth (Nextron Systems) | id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
Sigma YAML:
title: Disabled IE Security Features
id: fb50eb7a-5ab1-43ae-bcc9-091818cb8424
status: test
description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
references:
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Florian Roth (Nextron Systems)
date: 2020-06-19
modified: 2021-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - ' -name IEHarden '
            - ' -value 0 '
    selection2:
        CommandLine|contains|all:
            - ' -name DEPOff '
            - ' -value 1 '
    selection3:
        CommandLine|contains|all:
            - ' -name DisableFirstRunCustomize '
            - ' -value 2 '
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
status: test | author: Florian Roth (Nextron Systems) | id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
status: test | author: Florian Roth (Nextron Systems) | id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
Sigma YAML:
title: Disabled Windows Defender Eventlog
id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
status: test
description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
references:
    - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
author: Florian Roth (Nextron Systems)
date: 2022-07-04
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
level: high
Disabling Windows Defender WMI Autologger Session via Reg.exe
Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
status: experimental | author: Matt Anderson (Huntress) | id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
Sigma YAML:
title: Disabling Windows Defender WMI Autologger Session via Reg.exe
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
related:
    - id: f37b4bce-49d0-4087-9f5b-58bffda77316
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events.
    By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events
    from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
references:
    - https://research.splunk.com/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/
    - https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session
    - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
    - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
    - https://www.binarly.io/blog/design-issues-of-modern-edrs-bypassing-etw-based-solutions
author: Matt Anderson (Huntress)
date: 2025-07-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_path:
        CommandLine|contains:
            - '\Control\WMI\Autologger\DefenderApiLogger\Start'
            - '\Control\WMI\Autologger\DefenderAuditLogger\Start'
    selection_reg_add:
        CommandLine|contains|all:
            - 'add'
            - '0'
    filter_main_enable:
        CommandLine|contains: '0x00000001'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Highly unlikely
level: high
ETW Logging Tamper In .NET Processes Via CommandLine
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
status: test | author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | id: 41421f44-58f9-455d-838a-c398859841d4
Sigma YAML:
title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
    Detects changes to environment variables related to ETW logging via the CommandLine.
    This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
    - https://twitter.com/_xpn_/status/1268712093928378368
    - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
    - https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
    - https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
    - https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
    - https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
    - https://bunnyinside.com/?term=f71e8cb9c76a
    - http://managed670.rssing.com/chan-5590147/all_p1.html
    - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
    - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'COMPlus_ETWEnabled'
            - 'COMPlus_ETWFlags'
    condition: selection
falsepositives:
    - Unlikely
level: high
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Sigma YAML:
title: ETW Trace Evasion Activity
id: a238b5d0-ce2d-4414-a676-7a531b3d13d6
status: test
description: |
    Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://abuse.io/lockergoga.txt
    - https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
author: '@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community'
date: 2019-03-22
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1070
    - attack.t1685
    - car.2016-04-002
logsource:
    category: process_creation
    product: windows
detection:
    selection_clear_1:
        CommandLine|contains|all:
            - 'cl'
            - '/Trace'
    selection_clear_2:
        CommandLine|contains|all:
            - 'clear-log'
            - '/Trace'
    selection_disable_1:
        CommandLine|contains|all:
            - 'sl'
            - '/e:false'
    selection_disable_2:
        CommandLine|contains|all:
            - 'set-log'
            - '/e:false'
    selection_disable_3: # ETW provider removal from a trace session
        CommandLine|contains|all:
            - 'logman'
            - 'update'
            - 'trace'
            - '--p'
            - '-ets'
    selection_pwsh_remove: # Autologger provider removal
        CommandLine|contains: 'Remove-EtwTraceProvider'
    selection_pwsh_set: # Provider “Enable” property modification
        CommandLine|contains|all:
            - 'Set-EtwTraceProvider'
            - '0x11'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
Sigma YAML:
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_delete
    product: windows
detection:
    selection:
        EventType: DeleteValue
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
    condition: selection
falsepositives:
    - Legitimate administrators removing applications (should always be investigated)
level: high
Github Push Protection Disabled
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
status: test | author: Muhammad Faisal (@faisalusuf) | id: ccd55945-badd-4bae-936b-823a735d37dd
Sigma YAML:
title: Github Push Protection Disabled
id: ccd55945-badd-4bae-936b-823a735d37dd
status: test
description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning_custom_pattern_push_protection.disabled'
            - 'business_secret_scanning_push_protection.disable'
            - 'business_secret_scanning_push_protection.disabled_for_new_repos'
            - 'org.secret_scanning_custom_pattern_push_protection_disabled'
            - 'org.secret_scanning_push_protection_disable'
            - 'org.secret_scanning_push_protection_new_repos_disable'
            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high
Github Secret Scanning Feature Disabled
Detects if the secret scanning feature is disabled for an enterprise or repository.
status: test | author: Muhammad Faisal (@faisalusuf) | id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
Sigma YAML:
title: Github Secret Scanning Feature Disabled
id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
status: test
description: Detects if the secret scanning feature is disabled for an enterprise or repository.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
modified: 2024-07-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning.disable'
            - 'business_secret_scanning.disabled_for_new_repos'
            - 'repository_secret_scanning.disable'
            - 'secret_scanning_new_repos.disable'
            - 'secret_scanning.disable'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high
HTTP Logging Disabled On IIS Server
Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
status: test | author: frack113 | id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
Sigma YAML:
title: HTTP Logging Disabled On IIS Server
id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
status: test
description: Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
references:
    - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
    - https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
    - https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
author: frack113
date: 2024-10-06
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1505.004
logsource:
    product: windows
    service: iis-configuration
detection:
    selection:
        EventID: 29
        Configuration: '/system.webServer/httpLogging/@dontLog'
        NewValue: 'true'
    condition: selection
falsepositives:
    - Unknown
level: high
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which injects into other processes
status: test | author: Christian Burkard (Nextron Systems) | id: 09706624-b7f6-455d-9d02-adee024cee1d
Sigma YAML:
title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which injects into other processes
references:
    - https://github.com/boku7/injectAmsiBypass
    - https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1106
    - attack.t1685
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
        GrantedAccess:
            - '0x1028'
            - '0x1fffff'
    condition: selection
falsepositives:
    - Unknown
level: high
HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
status: test | author: @gott_cyber | id: eb2d07d4-49cb-4523-801a-da002df36602
Sigma YAML:
title: HackTool - EDRSilencer Execution
id: eb2d07d4-49cb-4523-801a-da002df36602
status: test
description: |
    Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
references:
    - https://github.com/netero1010/EDRSilencer
author: '@gott_cyber'
date: 2024-01-02
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\EDRSilencer.exe'
        - OriginalFileName: 'EDRSilencer.exe'
        - Description|contains: 'EDRSilencer'
    condition: selection
falsepositives:
    - Unlikely
level: high
HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
status: test | author: Thodoris Polyzos (@SmoothDeploy) | id: 98054878-5eab-434c-85d4-72d4e5a3361b
Sigma YAML:
title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: test
description: |
    Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
    - https://github.com/netero1010/EDRSilencer
author: Thodoris Polyzos (@SmoothDeploy)
date: 2024-01-29
modified: 2024-01-30
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Filtering Platform Policy Change needs to be enabled'
detection:
    selection:
        EventID:
            - 5441
            - 5447
        FilterName|contains: 'Custom Outbound Filter'
    condition: selection
falsepositives:
    - Unknown
level: high
HackTool - PowerTool Execution
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: a34f79a3-8e5f-4cc3-b765-de00695452c2
Sigma YAML:
title: HackTool - PowerTool Execution
id: a34f79a3-8e5f-4cc3-b765-de00695452c2
status: test
description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
references:
    - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
    - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
    - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
    - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-29
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith:
              - '\PowerTool.exe'
              - '\PowerTool64.exe'
        - OriginalFileName: 'PowerTool.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
status: test | author: Florian Roth (Nextron Systems) | id: 49329257-089d-46e6-af37-4afce4290685
Sigma YAML:
title: HackTool - SharpEvtMute DLL Load
id: 49329257-089d-46e6-af37-4afce4290685
related:
    - id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c # Process Creation
      type: similar
status: test
description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2024-11-23
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Hashes|contains: 'IMPHASH=330768A4F172E10ACB6287B87289D83B'
    condition: selection
falsepositives:
    - Other DLLs with the same Imphash
level: high
HackTool - SharpEvtMute Execution
Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
status: test | author: Florian Roth (Nextron Systems) | id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
Sigma YAML:
title: HackTool - SharpEvtMute Execution
id: bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c
related:
    - id: 49329257-089d-46e6-af37-4afce4290685 # DLL load
      type: similar
status: test
description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
references:
    - https://github.com/bats3c/EvtMute
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-14
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\SharpEvtMute.exe'
        - Description: 'SharpEvtMute'
        - CommandLine|contains:
              - '--Filter "rule '
              - '--Encoded --Filter \"'
    condition: selection
falsepositives:
    - Unknown
level: high
HackTool - Stracciatella Execution
Detects Stracciatella, which executes a PowerShell runspace from within C# (the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.
status: test | author: pH-T (Nextron Systems) | id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
Sigma YAML:
title: HackTool - Stracciatella Execution
id: 7a4d9232-92fc-404d-8ce1-4c92e7caf539
status: test
description: Detects Stracciatella, which executes a PowerShell runspace from within C# (the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.
references:
    - https://github.com/mgeeky/Stracciatella
author: pH-T (Nextron Systems)
date: 2023-04-17
modified: 2024-11-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\Stracciatella.exe'
        - OriginalFileName: 'Stracciatella.exe'
        - Description: 'Stracciatella'
        - Hashes|contains:
              - 'SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956'
              - 'SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a'
    condition: selection
falsepositives:
    - Unlikely
level: high
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
status: test | author: Florian Roth (Nextron Systems) | id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
Sigma YAML:
title: HackTool - SysmonEnte Execution
id: d29ada0f-af45-4f27-8f32-f7b77c3dbc4e
status: test
description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
references:
    - https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html
    - https://github.com/codewhitesec/SysmonEnte/
    - https://github.com/codewhitesec/SysmonEnte/blob/fe267690fcc799fbda15398243615a30451d9099/screens/1.png
author: Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-11-28
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection_sysmon:
        TargetImage|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
        GrantedAccess: '0x1400'
    selection_calltrace:
        CallTrace: 'Ente'
    filter_main_generic:
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_main_msdefender:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
        SourceImage|endswith: '\MsMpEng.exe'
    condition: ( selection_sysmon and not 1 of filter_main_* ) or selection_calltrace
falsepositives:
    - Unknown
level: high
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: c598cc0c-9e70-4852-b9eb-8921af79f598
Sigma YAML:
title: Hacktool - EDR-Freeze Execution
id: c598cc0c-9e70-4852-b9eb-8921af79f598
status: experimental
description: |
    Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows.
    EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process.
    This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
references:
    - https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
    - https://github.com/TwoSevenOneT/EDR-Freeze
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2025-11-27
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|contains:
            - '\EDR-Freeze'
            - '\EDRFreeze'
        Image|endswith: '.exe'
    selection_imphash:
        Hashes|contains:
            - 'IMPHASH=1195F7935954A2CD09157390C33F8E8C'
            - 'IMPHASH=129F58DE3D687FB7F012BF6C3D679997'
            - 'IMPHASH=2C617A175D0086251642C6619F7CC8BA'
            - 'IMPHASH=8828F0B906F7844358FB92A899E9520F'
            - 'IMPHASH=AF76D95157EC554DC1EF178E4E66D447'
            - 'IMPHASH=E1B04316B61ACA31DD52ABBEC0A37FD5'
            - 'IMPHASH=8B2D5B54AFCFEC60D54F6B31D80ED4A0'
            - 'IMPHASH=AB8BB31EDD91D2A05FE7B62A535E9EB7'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_edr_freeze/info.yml
Hide Schedule Task Via Index Value Tamper
Detects when the "Index" value of a scheduled task is modified in the registry,
which effectively hides it from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
Sigma YAML:
title: Hide Schedule Task Via Index Value Tamper
id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
related:
    - id: acd74772-5f88-45c7-956b-6a7b36c294d2
      type: similar
    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
      type: similar
status: test
description: |
    Detects when the "Index" value of a scheduled task is modified in the registry,
    which effectively hides it from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
references:
    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Index'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
Hypervisor Enforced Paging Translation Disabled
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 7f2954d2-99c2-4d42-a065-ca36740f187b
view Sigma YAML
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: test
description: |
    Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
    - https://twitter.com/standa_t/status/1808868985678803222
    - https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\DisableHypervisorEnforcedPagingTranslation'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe.
HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
title: Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
related:
    - id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
      type: similar
status: experimental
description: |
    Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via the command line tool reg.exe.
    HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode.
    Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
references:
    - https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
    - https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli:
        CommandLine|contains:
            - 'add '
            - 'New-ItemProperty '
            - 'Set-ItemProperty '
            - 'si ' # SetItem Alias
    selection_cli_base:
        CommandLine|contains: '\DeviceGuard'
    selection_cli_key:
        CommandLine|contains:
            - 'EnableVirtualizationBasedSecurity'
            - 'HypervisorEnforcedCodeIntegrity'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hvci_registry_tampering/info.yml
simulation:
    - type: atomic-red-team
      name: Disable Hypervisor-Enforced Code Integrity (HVCI)
      technique: T1562.001
      atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
title: Important Windows Event Auditing Disabled
id: ab4561b1-6c7e-48a7-ad08-087cfb9ce8f1
related:
    - id: 69aeb277-f15f-4d2d-b32a-55e883609563
      type: derived
status: test
description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
references:
    - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
    - https://github.com/SigmaHQ/sigma/blob/ad1bfd3d28aa0ccc9656240f845022518ef65a2e/documentation/logsource-guides/windows/service/security.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-20
modified: 2023-11-17
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    product: windows
    service: security
    definition: dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64
detection:
    selection_state_success_and_failure:
        EventID: 4719
        SubcategoryGuid:
            # Note: Add or remove GUIDs as you see fit in your environment
            - '{0CCE9210-69AE-11D9-BED3-505054503030}' # Audit Security State Change
            - '{0CCE9211-69AE-11D9-BED3-505054503030}' # Audit Security System Extension
            - '{0CCE9212-69AE-11D9-BED3-505054503030}' # Audit System Integrity
            - '{0CCE9215-69AE-11D9-BED3-505054503030}' # Audit Logon
            - '{0CCE921B-69AE-11D9-BED3-505054503030}' # Audit Special Logon
            - '{0CCE922B-69AE-11D9-BED3-505054503030}' # Audit Process Creation
            - '{0CCE922F-69AE-11D9-BED3-505054503030}' # Audit Audit Policy Change
            - '{0CCE9230-69AE-11D9-BED3-505054503030}' # Audit Authentication Policy Change
            - '{0CCE9235-69AE-11D9-BED3-505054503030}' # Audit User Account Management
            - '{0CCE9236-69AE-11D9-BED3-505054503030}' # Audit Computer Account Management
            - '{0CCE9237-69AE-11D9-BED3-505054503030}' # Audit Security Group Management
            - '{0CCE923F-69AE-11D9-BED3-505054503030}' # Audit Credential Validation
            - '{0CCE9240-69AE-11D9-BED3-505054503030}' # Audit Kerberos Service Ticket Operations
            - '{0CCE9242-69AE-11D9-BED3-505054503030}' # Audit Kerberos Authentication Service
        AuditPolicyChanges|contains:
            - '%%8448' # This is "Success removed"
            - '%%8450' # This is "Failure removed"
    selection_state_success_only:
        EventID: 4719
        SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}' # Audit Account Lockout
        AuditPolicyChanges|contains: '%%8448'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high