Home/Agent Tesla/Sigma rules
Sigma

Sigma rules for Agent Tesla

4 rules · scoped to tool · back to Agent Tesla
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

4 of 4
direct medium
Testing Usage of Uncommonly Used Port
Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
status test author frack113 id adf876b3-f1f8-4aa9-a4e4-a64106feec06 license Sigma · DRL-1.1
view Sigma YAML 
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
description: |
    Adversaries may communicate using a protocol and port paring that are typically not associated.
    For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
    - https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022-01-23
tags:
    - attack.command-and-control
    - attack.t1571
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Test-NetConnection
            - '-ComputerName '
            - '-port '
    filter:
        ScriptBlockText|contains:
            - ' 443 '
            - ' 80 '
    condition: selection and not filter
falsepositives:
    - Legitimate administrative script
level: medium
direct medium
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
status test author frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec id e2482f8d-3443-4237-b906-cc145d87a076 license Sigma · DRL-1.1
view Sigma YAML 
title: Disable Internal Tools or Feature in Registry
id: e2482f8d-3443-4237-b906-cc145d87a076
status: test
description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
    - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
    - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage
    - https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
    - https://bazaar.abuse.ch/sample/7bde840c7e8c36dce4c3bac937bcf39f36a6f118001b406bfbbc25451ce44fb4/
author: frack113, Nasreddine Bencherchali (Nextron Systems), CrimpSec
date: 2022-03-18
modified: 2025-06-04
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL'
            - 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
            - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
            - 'Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
            - 'SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
            - 'SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
direct medium
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
status test author frack113 id 5a93eb65-dffa-4543-b761-94aa60098fb6 license Sigma · DRL-1.1
view Sigma YAML 
title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium
direct medium
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
status test author frack113 id 1c3121ed-041b-4d97-a075-07f54f20fb4a license Sigma · DRL-1.1
view Sigma YAML 
title: Registry Explorer Policy Modification
id: 1c3121ed-041b-4d97-a075-07f54f20fb4a
status: test
description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu'
        Details: 'DWORD (0x00000001)'
    condition: selection_set_1
falsepositives:
    - Legitimate admin script
level: medium
Showing 1-4 of 4
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin