
Sigma rules for Ping

61 rules · scoped to tool
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

11 of 61
direct medium
Dumping Process via Sqldumper.exe
Detects process dump via legitimate sqldumper.exe binary
status test author Kirill Kiryanov, oscd.community id 23ceaf5c-b6f1-4a32-8559-f2ff734be516 license Sigma · DRL-1.1
title: Dumping Process via Sqldumper.exe
id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
status: test
description: Detects process dump via legitimate sqldumper.exe binary
references:
    - https://twitter.com/countuponsec/status/910977826853068800
    - https://twitter.com/countuponsec/status/910969424215232518
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
author: Kirill Kiryanov, oscd.community
date: 2020-10-08
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sqldumper.exe'
        CommandLine|contains:
            - '0x0110'
            - '0x01100:40'
    condition: selection
falsepositives:
    - Legitimate MSSQL Server actions
level: medium
direct medium
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
status test author Sreeman id b7966f4a-b333-455b-8370-8ca53c229762 license Sigma · DRL-1.1
title: Dropping Of Password Filter DLL
id: b7966f4a-b333-455b-8370-8ca53c229762
status: test
description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
references:
    - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/
    - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
author: Sreeman
date: 2020-10-29
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1556.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdline:
        CommandLine|contains|all:
            - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
            - 'scecli\0*'
            - 'reg add'
    condition: selection_cmdline
falsepositives:
    - Unknown
level: medium
direct medium
LSA PPL Protection Setting Modification via CommandLine
Detects modification of LSA PPL protection settings via CommandLine. It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
status test author Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) id 8c0eca51-0f88-4db2-9183-fdfb10c703f9 license Sigma · DRL-1.1
title: LSA PPL Protection Setting Modification via CommandLine
id: 8c0eca51-0f88-4db2-9183-fdfb10c703f9
status: test
description: |
    Detects modification of LSA PPL protection settings via CommandLine.
    It may indicate an attempt to disable protection and enable credential dumping tools to access LSASS process memory.
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/shoober420/windows11-scripts/blob/38d83331738cd713ccb42f2c4557d17a27aefd98/Windows11Tweaks.bat#L1825
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-03-22
modified: 2026-03-13
tags:
    - attack.defense-impairment
    - attack.t1689
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\reg.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'reg.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli_action:
        CommandLine|contains|all:
            - 'ControlSet'
            - '\Control\Lsa'
        CommandLine|contains:
            - 'Set-ItemProperty'
            - 'New-ItemProperty'
            - ' add '
    selection_key:
        CommandLine|contains:
            - 'IsPplAutoEnabled'
            - 'RunAsPPL'
            - 'RunAsPPLBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: medium
direct medium
Capture Credentials with Rpcping.exe
Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
status test author Julia Fomina, oscd.community id 93671f99-04eb-4ab4-a161-70d446a84003 license Sigma · DRL-1.1
title: Capture Credentials with Rpcping.exe
id: 93671f99-04eb-4ab4-a161-70d446a84003
status: test
description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
    - https://twitter.com/vysecurity/status/974806438316072960
    - https://twitter.com/vysecurity/status/873181705024266241
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
author: Julia Fomina, oscd.community
date: 2020-10-09
modified: 2025-10-31
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection_main_img:
        - Image|endswith: '\RpcPing.exe'
        - OriginalFileName: '\RpcPing.exe'
    selection_main_flag:
        CommandLine|contains|windash: '-s'
    selection_cli_ntlm:
        CommandLine|contains|windash: '-u'
        CommandLine|contains: 'NTLM'
    selection_cli_ncacn:
        CommandLine|contains|windash: '-t'
        CommandLine|contains: 'ncacn_np'
    condition: all of selection_main_* and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: medium
direct medium
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
status test author Samir Bousseaden, Michael Haag id 5ef9853e-4d0e-4a70-846f-a9ca37d876da license Sigma · DRL-1.1
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
    Detects process access requests to the LSASS process with specific call trace calls and access masks.
    This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
    - https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
    - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess|contains:
            - '0x1038'
            - '0x1438'
            - '0x143a'
            - '0x1fffff' # Too many false positives
            # - '0x01000'  # Too many false positives
            # - '0x1010'   # Too many false positives
            # - '0x1400'  # Too many false positives
            # - '0x1410' # Too many false positives
            # - '0x40'   # Too many false positives
        CallTrace|contains:
            - 'dbgcore.dll'
            - 'dbghelp.dll'
            - 'kernel32.dll'
            - 'kernelbase.dll'
            - 'ntdll.dll'
    filter_main_system_user:
        SourceUser|contains: # Covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_optional_thor:
        CallTrace|contains|all:
            - ':\Windows\Temp\asgard2-agent\'
            - '\thor\thor64.exe+'
            - '|UNKNOWN('
        GrantedAccess: '0x103800'
    filter_optional_sysmon:
        SourceImage|endswith: ':\Windows\Sysmon64.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
direct medium
Certificate Use With No Strong Mapping
Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
status test author @br4dy5 id 993c2665-e6ef-40e3-a62a-e1a97686af79 license Sigma · DRL-1.1
title: Certificate Use With No Strong Mapping
id: 993c2665-e6ef-40e3-a62a-e1a97686af79
status: test
description: |
    Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)
    This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.
    Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
references:
    - https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
author: '@br4dy5'
date: 2023-10-09
modified: 2025-09-22
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        EventID:
            - 39
            - 41 # For Windows Server 2008 R2 SP1 and Windows Server 2008 SP2
    condition: selection
falsepositives:
    - If prevalent in the environment, filter on events where the AccountName and CN of the Subject do not reference the same user
    - If prevalent in the environment, filter on CNs that end in a dollar sign indicating it is a machine name
level: medium
direct medium
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
status test author Nasreddine Bencherchali (Nextron Systems) id 0442defa-b4a2-41c9-ae2c-ea7042fc4701 license Sigma · DRL-1.1
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
    - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
      type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
    - https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
    - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\System\CurrentControlSet\Services\'
            - '\NetworkProvider'
    filter:
        TargetObject|contains:
            - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
            - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
            - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
            # - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
    filter_valid_procs:
        Image: C:\Windows\System32\poqexec.exe
    condition: selection and not 1 of filter*
falsepositives:
    - Other legitimate network providers used and not filtered in this rule
level: medium
direct low
Overwriting the File with Dev Zero or Null
Detects overwriting (effectively wiping/deleting) of a file.
status stable author Jakob Weinzettl, oscd.community id 37222991-11e9-4b6d-8bdf-60fbe48f753e license Sigma · DRL-1.1
title: Overwriting the File with Dev Zero or Null
id: 37222991-11e9-4b6d-8bdf-60fbe48f753e
status: stable
description: Detects overwriting (effectively wiping/deleting) of a file.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Jakob Weinzettl, oscd.community
date: 2019-10-23
tags:
    - attack.impact
    - attack.t1485
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0|contains: 'dd'
        a1|contains:
            - 'if=/dev/null'
            - 'if=/dev/zero'
    condition: selection
falsepositives:
    - Appending null bytes to files.
    - Legitimate overwrite of files.
level: low
direct low
Stop Windows Service Via PowerShell Stop-Service
Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id c49c5062-0966-4170-9efd-9968c913a6cf license Sigma · DRL-1.1
title: Stop Windows Service Via PowerShell Stop-Service
id: c49c5062-0966-4170-9efd-9968c913a6cf
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc_net_img:
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
    selection_cli:
        CommandLine|contains: 'Stop-Service '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low
direct low
Stop Windows Service Via Net.EXE
Detects the stopping of a Windows service via the "net" utility.
status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 88872991-7445-4a22-90b2-a3adadb0e827 license Sigma · DRL-1.1
title: Stop Windows Service Via Net.EXE
id: 88872991-7445-4a22-90b2-a3adadb0e827
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "net" utility.
references:
    - https://ss64.com/nt/net-service.html
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly
level: low
direct low
Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service via the "sc.exe" utility
status test author Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) id 81bcb81b-5b1f-474b-b373-52c871aaa7b1 license Sigma · DRL-1.1
title: Stop Windows Service Via Sc.EXE
id: 81bcb81b-5b1f-474b-b373-52c871aaa7b1
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
status: test
description: Detects the stopping of a Windows service via the "sc.exe" utility
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-05
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'sc.exe'
        - Image|endswith: '\sc.exe'
    selection_cli:
        CommandLine|contains: ' stop '
    condition: all of selection_*
falsepositives:
    - There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behavior in particular. Filter legitimate activity accordingly
level: low
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_sc_stop_service/info.yml
Showing 51-61 of 61