LoFP
windows rule
Title
Tags
\pipe\local\monitorian
t1055
windows
sigma
a legitimate vba for outlook is usually configured interactively via outlook.exe.
t1137
windows
elastic
access to badly maintained internal or development systems
windows
sigma
account fallback reasons (after failed login with specific account)
t1110
t1110.001
windows
sigma
actions of a legitimate telnet client
t1548
t1548.002
t1574
t1574.002
windows
sigma
actual failures in lsass.exe that trigger a crash dump (unlikely)
t1003
t1003.001
windows
sigma
admin activity
t1033
t1059
t1059.004
t1070
t1070.001
t1136
t1136.001
t1485
t1505
t1505.003
t1546
t1546.001
t1562
t1562.002
t1562.004
windows
linux
sigma
admin activity (unclear what they do nowadays with finger.exe)
t1105
windows
sigma
admin script
t1120
windows
sigma
administration activity
t1558
t1558.003
windows
sigma
administration and debugging activity (must be investigated)
windows
sigma
administrative activity
t1003
t1016
t1021
t1021.001
t1027
t1036
t1053
t1053.005
t1059
t1059.001
t1059.005
t1071
t1071.001
t1087
t1087.001
t1087.002
t1098
t1105
t1133
t1134
t1136
t1136.001
t1137
t1222
t1222.001
t1505
t1505.004
t1552
t1552.006
t1555
t1555.004
t1562
t1562.001
t1572
t1615
windows
linux
sigma
administrative activity (adjust code pages according to your organization's region)
t1036
windows
sigma
administrative activity that must be investigated
t1098
windows
sigma
administrative activity using a remote port forwarding to a local port
t1021
t1021.001
t1021.004
t1572
windows
sigma
administrative or software activity
t1105
t1218
t1552
t1552.001
t1564
t1564.004
windows
sigma
administrative script libraries
t1027
t1059
t1059.001
t1140
windows
sigma
administrative scripts
t1021
t1021.002
t1039
t1048
t1055
t1059
t1059.001
t1059.005
t1137
t1218
t1543
t1543.003
windows
sigma
administrative scripts that change the desktop background to a company logo or other image.
t1112
t1491
t1491.001
windows
sigma
administrative scripts that use the same keywords.
t1047
t1059
t1059.001
windows
sigma
administrator actions
t1562
t1562.001
windows
sigma
administrator actions (should be investigated)
t1562
t1562.001
windows
sigma
administrator actions via the windows defender interface
t1562
t1562.001
windows
sigma
administrator activity
t1069
t1069.002
t1087
t1087.002
t1550
t1550.002
windows
sigma
administrator activity (must be investigated)
t1562
t1562.001
windows
sigma
an administrator might leverage the same command line for debugging or other purposes. however, this action must always be investigated
t1562
t1562.001
windows
sigma
administrator might try to disable defender features during testing (must be investigated)
t1562
t1562.001
windows
sigma
administrators or administrator scripts might leverage the flags mentioned in the detection section. either way, it should always be monitored
t1562
t1562.002
windows
sigma
administrator or backup activity
t1562
t1562.002
windows
sigma
administrator powershell scripts
t1078
t1197
windows
sigma
administrator script
t1059
t1059.001
t1069
t1069.001
windows
sigma
administrator scripts
t1059
t1059.001
windows
sigma
administrator scripts or activity.
t1562
t1562.004
windows
sigma
an administrator typo might cause some false positives
t1218
t1218.010
windows
sigma
administrator, or a hotline asking the user to run it
t1016
windows
sigma
administrators
t1021
t1021.002
windows
sigma
administrators backup scripts (must be investigated)
windows
sigma
administrators building packages using iexpress.exe
t1218
windows
sigma
administrators can create memory dumps for debugging purposes, but memory dumps of the lsass process would be unusual.
t1003
t1003.001
windows
splunk
administrators configuring new users.
t1087
t1087.002
windows
sigma
administrators debugging servers
t1082
windows
splunk
administrators may use the command prompt for regular administrative tasks. it's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.
t1059
t1105
windows
elastic
administrators might rename livekd before its usage which could trigger this. add additional names you use to the filter
windows
sigma
administrators or developers might enable this for testing purposes or to install custom private packages
windows
sigma
administrators or power users may remove their shares via cmd line
t1070
t1070.005
windows
sigma
administrators or tools shutting down the services for upgrade or removal purposes. if you experience some false positives, please consider adding filters on the parent process launching this command rather than removing the entry
t1489
t1562
t1562.001
windows
sigma
administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
t1588
t1588.002
windows
sigma
administrators that have renamed megasync
t1218
windows
sigma
administrators that use the runas command or scheduled tasks
t1078
windows
sigma
administrators who rename binaries (should be investigated).
t1036
t1036.003
windows
sigma
admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)
t1587
t1587.001
windows
sigma
adws is used by a number of legitimate applications that need to interact with active directory. these applications should be added to the allow-listing to avoid false positives.
t1087
windows
sigma
alerts on legitimate printer drivers that do not set any more details in the manufacturer value
t1574
windows
sigma
amazon ssm document worker
t1027
t1059
t1059.001
windows
sigma
an unknown bug seems to trigger the windows "svchost" process to drop evtx files in the "c:\windows\temp" directory in the form "<log_name>_<uuid>.evtx". see https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files
t1562
t1562.002
windows
sigma
another service that uses a single -s command line switch
t1003
t1003.001
windows
sigma
another tool that uses command line flags similar to procdump
t1003
t1003.001
t1036
windows
sigma
another tool that uses the command line switches of ngrok
t1572
windows
sigma
another tool that uses the command line switches of psloglist
t1087
t1087.001
t1087.002
windows
sigma
another tool that uses the command line switches of xordump
t1003
t1003.001
t1036
windows
sigma
ansible
t1027
t1027.004
windows
sigma
anti virus products
t1548
t1548.002
windows
sigma
anti-virus
t1134
t1134.001
windows
sigma
antivirus and other third party products are known to trigger this rule quite a lot. initial filters and tuning are required before using this rule.
windows
sigma
antivirus products
t1003
t1003.001
windows
sigma
antivirus, anti-spyware, anti-malware software
t1003
windows
sigma
any powershell script that creates bat files
t1574
t1574.001
windows
sigma
app-v clients
t1218
windows
sigma
applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.
t1564
t1564.004
windows
sigma
applications that load the same dlls mentioned in the detection section. investigate them and filter them out if a lot of fps are caused.
t1574
t1574.001
t1574.002
windows
sigma
approved installs of windows sdk with debugging tools for windows (windbg).
t1127
windows
sigma
appvclient
t1047
t1059
t1059.001
windows
sigma
as the "selection_cmdlet" is common in scripts, the matching engine might slow down the search. change it to a regex or a more accurate string to avoid heavy resource consumption if experienced
t1518
t1518.001
windows
sigma
as the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
t1046
t1082
t1106
t1518
t1548
t1548.002
t1552
t1552.001
t1555
t1555.003
windows
sigma
as this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. apply additional filters accordingly
t1027
windows
sigma
as this is controlled by group policy as well as user settings, some false positives may occur.
windows
sigma
authorized administrative activity
t1087
t1087.002
windows
sigma
authorized third party network logon providers.
t1543
t1556
windows
elastic
auto updates of windows defender causes restarts
t1562
t1562.001
windows
sigma
av signature updates
t1003
t1003.001
t1003.002
t1003.004
t1003.006
windows
sigma
backup scenarios using the commandline
t1490
windows
sigma
backup software
t1003
t1486
windows
sigma
bad connections or network interruptions
t1210
windows
sigma
because the recycle bin is a hidden folder in modern versions of windows, it would be unusual for a process other than explorer.exe to write to it. incidents should be investigated as appropriate.
t1036
windows
splunk
benign scheduled tasks creations or executions that happen often during software installations
t1053
t1053.005
windows
sigma
better use event ids for user creation rather than command line rules.
t1136
t1136.001
windows
sigma
cases in which a user mounts an image file for legitimate reasons
t1566
t1566.001
windows
sigma
ccm
t1047
t1059
t1059.001
windows
sigma
certain applications may install root certificates for the purpose of inspecting ssl traffic.
t1553
windows
macos
elastic
certain software or administrative tasks may trigger false positives.
t1120
windows
sigma
certain utilities that delete files for disk cleanup or administrators manually removing backup files.
t1485
t1490
windows
elastic
changes made to or by the local ntp service
t1070
t1070.006
windows
sigma
changes to windows services or a rarely executed child process.
t1055
windows
elastic
chrome instances using the exact same pipe name "mojo.xxx"
t1055
windows
sigma
citrix
t1036
windows
sigma
citrix configsync.ps1
t1059
t1059.001
windows
sigma
command lines that use the same flags
t1003
t1003.001
t1036
windows
sigma
commandlines containing components like cmd accidentally
t1134
t1134.001
t1134.002
windows
sigma
commandlines that contain scripts such as arabic or hebrew might make use of this character
t1036
t1036.002
windows
sigma
commandlines with legitimate cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
t1036
t1036.003
windows
sigma
communication to other corporate systems that use ip addresses from public address spaces
t1218
t1218.011
windows
sigma
companies that may use these default ldap attributes for personal information
t1001
t1001.003
windows
sigma
company specific internal usage
windows
sigma
copying sensitive files for legitimate use (e.g. backup) or forensic investigation by a legitimate incident responder or forensic investigator.
t1003
t1003.002
t1003.003
windows
sigma
corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx
windows
sigma
creation of non-default, legitimate at usage
t1218
t1547
windows
sigma
custom applications use renamed binaries with a slight change to the binary name. typically this is easy to spot and add to the whitelist
t1036
t1036.003
windows
sigma
custom windows error reporting debugger or applications restarted by werfault after a crash.
t1036
t1546
windows
elastic
datasvcutil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1567
windows
sigma
datasvcutil.exe being used may be performed by a system administrator.
t1567
windows
sigma
deletion of defender malware detections history for legitimate reasons
windows
sigma
dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
t1546
t1546.003
windows
sigma
dell power manager (c:\program files\dell\powermanager\dpmpowerplansetup.exe)
t1546
t1546.003
windows
sigma
dell saremediation plugin folder (c:\program files\dell\saremediation\plugin\log.dll) is known to contain the 'log.dll' file.
t1574
t1574.001
t1574.002
windows
sigma
depends on scripts and administrative tools used in the monitored environment (for example admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
t1036
t1036.003
windows
sigma
depending on the environment the rule might require some initial tuning before usage to avoid fp with third party applications
t1219
windows
sigma
depending on the scripts, this rule might require some initial tuning to fit the environment
t1059
t1059.001
windows
sigma
depending on your environment, accepted applications may leverage this at times. it is recommended to search for anomalies indicative of malware.
t1547
t1547.001
windows
sigma
diagnostics
t1003
windows
sigma
direct ps command execution through sqlps.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
t1059
t1059.001
t1127
windows
sigma
direct ps command execution through sqltoolsps.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
t1059
t1059.001
t1127
windows
sigma
discord
t1007
t1012
t1547
t1547.001
windows
sigma
discord was seen using chcp to look up code pages
t1614
t1614.001
windows
sigma
disk device errors
t1027
t1027.001
windows
sigma
dns queries for "ufile" are not necessarily malicious by nature. investigate the source to determine the necessary actions to take
t1567
t1567.002
windows
sigma
domain administrators may use this command-line utility for legitimate information gathering purposes.
t1018
t1482
windows
elastic
domain controller logs
t1136
t1136.001
windows
sigma
domain controller user logon
t1548
t1548.002
windows
sigma
domain controllers acting as printer servers too? :)
t1021
t1021.002
windows
sigma
dumping hives for legitimate purposes, e.g. backup or forensic investigation
t1003
t1003.002
t1003.004
t1003.005
t1012
windows
sigma
during an anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
t1614
t1614.001
windows
sigma
during log rotation
t1070
windows
sigma
during uninstallation of the iis service
t1070
windows
sigma
during uninstallation of the tomcat server
t1070
windows
sigma
environments that use ntlmv1
t1550
t1550.002
windows
sigma
evernote
t1112
windows
sigma
exclude legitimate (vetted) use of wmi event subscription in your network
t1546
t1546.003
windows
sigma
execution of tools named gup.exe and located in folders different than notepad++\updater
t1574
t1574.002
windows
sigma
expected fp with some electron based applications such as (1clipboard, beaker browser, caret, discord, github desktop, etc.)
t1218
windows
sigma
false positives are expected with legitimate sources
t1059
windows
sigma
false positives might stem from rare extensions used by other office utilities.
t1587
t1587.001
windows
sigma
false positive rate will vary depending on the environments. additional filters might be required to make this logic usable in production.
windows
sigma
false positives are expected (e.g. in environments where winrm is used legitimately)
t1047
windows
sigma
false positives are expected from google chrome installations running from user locations (appdata) and other custom locations. apply additional filters accordingly.
t1574
t1574.001
t1574.002
windows
sigma
false positives are expected if vlc is installed in non-default locations
t1574
t1574.001
t1574.002
windows
sigma
false positives are expected in cases in which procdump just gets copied to a different directory without any renaming
t1003
t1003.001
t1036
windows
sigma
false positives are expected since this rule is only looking for the dll load event. this rule is better used in correlation with related activity
t1574
t1574.002
windows
sigma
false positives are expected with legitimate ".chm" files
t1218
t1218.001
windows
sigma
false positives can be found in environments using messagent for remote management. analysis should prioritize the grandparent process, messagent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
t1219
windows
sigma
false positives could occur from other custom installation paths. apply additional filters accordingly.
t1574
t1574.001
t1574.002
windows
sigma
false positives could occur since service termination could happen due to multiple reasons
windows
sigma
false positives depend on custom use of vsls-agent.exe
t1218
windows
sigma
false positives depend on scripts and administrative tools used in the monitored environment
t1036
t1059
t1059.007
t1082
t1087
t1105
t1140
t1218
t1218.005
t1218.007
t1218.011
windows
sigma
false positive levels will differ depending on the environment. you can use a combination of parentimage and other keywords from the commandline field to filter legitimate activity
t1070
t1070.004
windows
sigma
false positives may occur if a user called rundll32 from cli with no options
t1021
t1021.002
t1569
t1569.002
t1570
windows
sigma
false positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. so always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
t1068
t1543
t1543.003
windows
sigma
false positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares. a baseline is required before production use.
windows
sigma
false positives may occur if you execute the script from one of the paths mentioned in the rule. apply additional filters that fit your org's needs.
t1218
windows
sigma
false positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). exclude all the specific trusted tasks before using this rule
t1053
t1053.005
windows
sigma
false positives may occur with troubleshooting scripts
t1562
t1562.001
windows
sigma
false positives might occur due to the nature of the scriptblock being ingested as a big blob. initial tuning is required.
t1518
t1518.001
windows
sigma
false positives might occur if the users are unaware of such control checks
t1059
windows
sigma
false positives should be very low with the extensions list cited, especially if you don't heavily utilize onenote.
windows
sigma
false positives will differ depending on the environment and scripts used. apply additional filters accordingly.
windows
sigma
false positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
t1218
windows
sigma
false positives might occur with legitimate or uncommon extensions used internally. an initial baseline is required.
t1218
windows
sigma
faulty legacy applications
t1212
windows
sigma
file located in the appdata folder with trusted signature
t1566
t1566.001
windows
sigma
file names with legitimate cyrillic text. will likely require tuning (or not be usable) in countries where these alphabets are in use.
t1036
t1036.003
windows
sigma
filenames that contain scripts such as arabic or hebrew might make use of this character
t1036
t1036.002
windows
sigma
files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
t1190
t1210
windows
elastic
files that accidentally contain these strings
t1552
t1552.001
windows
sigma
files that are interacted with that have these extensions legitimately
t1027
t1027.005
t1070
t1070.004
t1485
t1553
t1553.002
windows
sigma
files with mimikatz in their filename
t1003
t1003.001
t1003.002
t1003.004
t1003.006
windows
sigma
fp could be caused by a legitimate application writing shortcuts, for example. this folder should always be inspected to make sure that all the files in there are legitimate
t1547
t1547.001
windows
sigma
fp could occur if the legitimate version of vmguestlib already exists on the system
t1574
t1574.001
t1574.002
windows
sigma
fqdns that start with a number such as "7-zip"
t1218
t1218.010
windows
sigma
go utilities that use staaldraad's awesome ntlm library
t1059
t1087
t1114
t1550
t1550.002
windows
sigma
google chrome googleupdate.exe
t1003
t1003.001
windows
sigma
google drive
t1036
windows
sigma
gpo
t1546
t1546.002
windows
sigma
help desk operator doing a backup or re-imaging an end user machine, or backup software
t1039
zeek
windows
sigma
help desk or it may need to manually add a corporate root ca on occasion. need to test whether a gpo push triggers an fp
t1553
t1553.004
windows
sigma
high
t1059
t1059.001
t1059.003
t1105
windows
sigma
highly likely if rar is a default archiver in the monitored environment.
t1560
t1560.001
windows
sigma
host connections not using host fqdn.
t1219
windows
sigma
host connections to external legitimate domains.
t1219
windows
sigma
host connections to valid domains, exclude these.
t1219
windows
sigma
host windows firewall planned system administration changes.
t1562
windows
elastic
hp software
t1218
t1218.005
windows
sigma
http traffic on a non-standard port. verify that the destination ip address is not related to a domain controller.
t1558
windows
elastic
hyperv or other virtualization technologies with binary not listed in filter portion of detection
t1070
t1070.006
windows
sigma
if a computer is a member of a domain, dpapi has a backup mechanism to allow unprotection of the data, which will trigger this event.
t1003
t1003.004
windows
sigma
if installed on a per-user level, the path would be located in "appdata\local". add additional filters to reflect this mode of installation
t1574
t1574.001
t1574.002
windows
sigma
if prevalent in the environment, filter on cns that end in a dollar sign indicating it is a machine name
windows
sigma
if prevalent in the environment, filter on events where the accountname and cn of the subject do not reference the same user
windows
sigma
if the source account name is not an admin then it's super suspicious
t1087
t1087.002
windows
sigma
if the script being executed makes use of any of the utilities mentioned in the detection, then they should be filtered out or allowed.
t1219
windows
sigma
if the source ip is not localhost then it's super suspicious, better to monitor both local and remote changes to gpo scheduled tasks.
t1053
t1053.005
windows
sigma
if you experience a lot of fp you could comment out the driver name or its exact known legitimate location (when possible)
t1068
t1543
t1543.003
windows
sigma
igfxcuiservice.exe hiding *.cui files via a .bat script (attrib.exe is a child of cmd.exe, and igfxcuiservice.exe is the parent of cmd.exe)
t1564
t1564.001
windows
sigma
imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.
t1562
t1562.001
windows
sigma
in development environments where vscode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. remove or add processes accordingly
t1202
t1218
windows
sigma
in modern windows systems no legitimate usage of this process has been observed; however, if an organization has a legitimate purpose for it there can be false positives.
t1071
t1071.001
windows
sigma
in rare administrative cases, this function might be used to check network connectivity
t1059
t1059.001
windows
sigma
on rare occasions administrators might leverage livekd to perform live kernel debugging. this should not be allowed on production systems. investigate and apply additional filters where necessary.
windows
sigma
in rare occurrences where "odbcconf" crashes, it might spawn a "werfault" process
t1218
t1218.008
windows
sigma
initial installation of a domain controller.
t1098
windows
sigma
inline scripting can be used by some rare third party applications or administrators. investigate and apply additional filters accordingly
t1059
windows
sigma
install or update of a legitimate printing driver. verify the printer driver file metadata such as manufacturer and signature information.
t1068
windows
elastic
installation of a service
t1543
t1543.003
windows
sigma
installation of unsigned packages for testing purposes
windows
sigma
installer tools that disable services, e.g. before log collection agent installation
t1070
t1070.001
t1562
t1562.001
windows
sigma
installers and updaters may set currently in use files for rename or deletion after a reboot.
t1036
t1036.003
windows
sigma
intended exclusions by administrators
t1562
t1562.001
windows
sigma
inventory tool runs
t1087
t1087.001
t1087.002
windows
sigma
investigate the contents of the "userinitmprlogonscript" value to determine whether the added script is legitimate
t1037
t1037.001
windows
sigma
ipv4-to-ipv6 mapped ips
t1078
t1133
t1190
windows
sigma
it is highly recommended to baseline your activity and tune out common business use cases.
t1203
windows
sigma
it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
t1078
t1078.003
windows
splunk
it is possible that an administrator created and deleted an account in a short time period. verifying activity with an administrator is advised.
t1078.003
t1136
t1136.001
windows
splunk
it is possible that other utilities or system processes may legitimately write to this folder. investigate and modify the search to include exceptions as appropriate.
t1036
windows
splunk
it's not uncommon to use te.exe directly to execute legal taef tests
t1218
windows
sigma
it's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.
t1078
t1078.002
windows
splunk
java tools are known to produce false positives when loading libraries
t1059
t1059.003
windows
sigma
jobs and services started with cmd
t1134
t1134.001
t1134.002
windows
sigma
known false positive caused with python anaconda
t1027
t1027.002
windows
sigma
landesk ldclient ivanti-psmodule (ps encodedcommand)
t1070
t1490
windows
sigma
legacy applications.
t1558
t1558.003
windows
sigma
legacy hosts
t1550
t1550.002
windows
sigma
legit application crash with rare werfault commandline value
t1036
windows
elastic
legit usage of scripts
t1218
windows
sigma
legitimate ".bat", ".hta", ".ps1" or ".vbs" scripts are often used legitimately. apply additional filters and exclusions as necessary
t1218
t1218.010
windows
sigma
legitimate ".xbap" being executed via "presentationhost"
t1218
windows
sigma
legitimate activity by administrators and scripts
t1021
t1021.002
windows
sigma
legitimate activity is expected since compressing files with a password is common.
t1560
t1560.001
windows
sigma
legitimate activity of system administrators
t1219
windows
linux
sigma
legitimate add-ins
t1137
t1137.006
windows
sigma
legitimate addin installation
t1137
t1137.006
windows
sigma
legitimate addition of logon scripts via the command line by administrators or third party tools
t1037
t1037.001
windows
sigma
legitimate admin activity
t1003
t1003.003
t1018
t1069
t1069.002
t1087
t1087.002
t1482
t1562
t1562.004
windows
linux
sigma
legitimate admin or third party scripts used for diagnostic collection might generate some false positives
t1218
windows
sigma
legitimate admin or third party scripts. baseline according to your environment
t1547
t1547.001
windows
sigma
legitimate admin script
t1070
t1070.006
t1112
t1562
t1562.001
windows
sigma
legitimate admin scripts may use the same technique; it's better to exclude specific computers or users who execute these commands or scripts often
t1033
windows
sigma
legitimate admin usage
t1003
t1003.003
windows
sigma
legitimate administration
t1562
t1562.001
windows
sigma
legitimate administration activities
t1007
t1016
t1018
t1033
t1037
t1037.005
t1040
t1046
t1053
t1053.002
t1053.003
t1069
t1069.001
t1070
t1070.002
t1070.004
t1078
t1078.003
t1082
t1087
t1087.001
t1090
t1105
t1136
t1136.001
t1140
t1201
t1518
t1518.001
t1546
t1546.014
t1548
t1548.001
t1552
t1552.001
t1553
t1553.004
t1555
t1555.001
t1562
t1562.004
t1564
t1564.002
t1565
t1565.001
t1592
t1592.004
windows
macos
linux
sigma
legitimate administration activity
t1016
t1018
t1040
t1090
t1482
t1562
t1562.004
windows
sigma
legitimate administration activity to troubleshoot network issues
t1040
windows
sigma
legitimate administration and backup scripts
windows
sigma
legitimate administration and tuning scripts that aim to add functionality to a user powershell session
t1546
t1546.013
windows
sigma
legitimate administration script
t1059
t1059.003
windows
sigma
legitimate administration scripts
windows
sigma
legitimate administration use
t1543
t1543.003
windows
sigma
legitimate administration use but user and host must be investigated
t1016
t1482
windows
sigma
legitimate administrative action
t1564
windows
sigma
legitimate administrative activity
t1484
t1547
windows
elastic
legitimate administrative activity related to shadow copies.
t1003
windows
elastic
legitimate administrative script
t1059
t1059.001
t1098
t1132
t1132.001
t1136
t1136.002
t1553
t1553.004
t1571
t1573
t1574
t1574.011
t1574.012
windows
sigma
legitimate administrative scripts
t1059
t1059.005
windows
sigma
legitimate administrative scripts may use this functionality. use "parentimage" in combination with the script names and allowed users and applications to filter legitimate executions
t1132
t1132.001
windows
sigma
legitimate administrative tasks
t1003
t1003.005
windows
sigma
legitimate administrative use
t1046
t1082
t1135
t1505
t1505.005
t1546
t1546.007
t1546.008
t1547
t1547.001
t1547.002
t1547.010
t1547.014
t1556
t1556.002
t1557
t1562
t1562.002
t1564
t1564.002
t1574
t1574.007
windows
sigma
legitimate administrative use (should be investigated either way)
t1562
t1562.001
windows
sigma
legitimate administrator activity
t1021
t1021.002
t1021.004
t1046
t1490
t1505
t1505.004
t1562
t1562.002
t1569
t1569.002
windows
macos
sigma
legitimate administrator activity restoring a file
t1562
t1562.001
windows
sigma
legitimate administrator deletes shadow copies using operating system utilities for legitimate reasons
t1070
t1490
windows
sigma
legitimate administrator or developer creating legitimate executable files in a web application folder
t1505
t1505.003
windows
sigma
legitimate administrator or user creates a service for legitimate reasons.
t1543
t1543.003
windows
sigma
legitimate administrator or user enumerates local users for legitimate reasons
t1033
t1087
t1087.001
windows
sigma
legitimate administrator or user executes a service for legitimate reasons.
t1569
t1569.002
windows
sigma
legitimate administrator sets up autorun keys for legitimate reasons
t1546
t1546.009
t1547
t1547.001
windows
sigma
legitimate administrator sets up autorun keys for legitimate reasons.
t1547
t1547.001
windows
sigma
legitimate administrator usage
t1218
windows
sigma
legitimate administrator using credential dumping tool for password recovery
t1003
t1003.001
t1003.002
t1003.004
t1003.005
t1003.006
t1569
t1569.002
windows
sigma
legitimate administrator using tool for password recovery
t1003
t1003.001
t1003.002
t1003.003
t1003.004
t1003.005
windows
sigma
legitimate administrator working with shadow copies, access for backup purposes
t1003
t1003.002
t1003.003
windows
sigma
legitimate administrators granting overly permissive permissions to users
t1218
windows
sigma
legitimate administrators might use this command to remove sysmon for debugging purposes
t1562
t1562.001
windows
sigma
legitimate administrators might use this command to update sysmon configuration.
t1562
t1562.001
windows
sigma
legitimate administrators removing applications (should always be investigated)
t1562
t1562.001
windows
sigma
legitimate application requesting certificate exports will trigger this. apply additional filters as needed
t1649
windows
sigma
legitimate application that needs to do a full dump of their process
t1003
t1003.001
windows
sigma
legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. the desktop and browser applications do not appear to be using the api by default unless integrations are configured.
t1102
windows
sigma
legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. this is environment dependent and requires further testing and tuning.
t1102
windows
sigma
legitimate applications communicating with the telegram api e.g. web browsers not in the exclusion list, app with an rss etc.
t1102
windows
sigma
legitimate applications loading their own versions of the dll mentioned in this rule.
t1574
t1574.002
windows
sigma
legitimate applications loading their own versions of the dlls mentioned in this rule
t1574
t1574.001
t1574.002
windows
sigma
legitimate applications making use of this feature for compatibility reasons
t1546
t1546.011
windows
sigma
legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
t1546
t1546.012
windows
sigma
legitimate applications writing events via this cmdlet. investigate alerts to determine if the action is benign
windows
sigma
legitimate appx packages not signed by ms used as part of an enterprise
windows
sigma
legitimate assembly compilation using a build provider
windows
sigma
legitimate atera agent installation
t1219
windows
sigma
legitimate audio capture by legitimate user.
t1123
windows
sigma
legitimate backup activity from administration scripts and software.
t1490
windows
sigma
legitimate backup operation by authorized administrators. matches must be investigated and allowed on a case by case basis.
t1003
t1003.003
windows
sigma
legitimate backup operation/creating shadow copies
t1003
t1003.003
windows
sigma
legitimate calls to system binaries
windows
sigma
legitimate cases in which archives contain iso or img files and the user opens the archive and the image via clicking and not extraction
t1566
windows
sigma
legitimate certificate exports by administrators. additional filters might be required.
t1059
t1059.001
t1552
t1552.004
windows
sigma
legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
t1003
t1003.001
windows
sigma
legitimate cmstp use (unlikely in modern enterprise environments)
t1218
t1218.003
t1548
t1548.002
t1559
t1559.001
windows
sigma
legitimate commands in .lnk files
t1059
t1059.001
windows
sigma
legitimate custom shim installations will also trigger this rule
t1546
t1546.011
t1547
t1547.009
windows
sigma
legitimate data export operations.
t1048
windows
sigma
legitimate deactivation by administrative staff
t1070
t1070.001
t1562
t1562.001
windows
sigma
legitimate deinstallation by administrative staff
t1562
t1562.001
windows
sigma
legitimate deployment of anydesk
t1219
windows
sigma
legitimate disabling of crashdumps
t1112
t1564
windows
sigma
legitimate dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its content to determine if the action is authorized.
t1218
t1218.008
windows
sigma
legitimate dns queries and usage of mega
t1567
t1567.002
windows
sigma
legitimate dns queries and usage of put.io
windows
sigma
legitimate downloads of ".vhd" files would also trigger this
t1587
t1587.001
windows
sigma
legitimate downloads via scripting or command-line tools (investigate to determine if it's legitimate)
windows
sigma
legitimate driver altitude change to hide sysmon
t1562
t1562.001
windows
sigma
legitimate driver dlls being registered via "odbcconf" will generate false positives. investigate the path of the dll and its contents to determine if the action is authorized.
t1218
t1218.008
windows
sigma
legitimate enable/disable of the setting
windows
sigma
legitimate enabling of the old tls versions due to incompatibility
windows
sigma
legitimate event consumers
t1546
t1546.003
windows
sigma
legitimate exchange system administration activity.
t1005
t1059
t1098
t1114
windows
elastic
legitimate execution by system administrators.
t1484
t1484.001
t1547
windows
sigma
legitimate execution of dxcap.exe by legitimate user
t1218
windows
sigma
legitimate export of keys
t1012
windows
sigma
legitimate extension of domain structure
t1098
windows
sigma
legitimate file downloads from websites and web services that use the ".zip" top-level domain.
windows
sigma
legitimate files with these rare hacktool names
t1557
t1557.001
windows
sigma
legitimate helper added by different programs and the os
t1546
t1546.007
windows
sigma
legitimate import of keys
t1112
windows
sigma
legitimate incoming connections (e.g. sysadmin activity). most of the time i would expect outgoing connections (initiated locally).
t1219
windows
sigma
legitimate installation of a new screensaver
t1218
t1218.011
windows
sigma
legitimate installation of code-tunnel as a service
t1071
t1071.001
windows
sigma
legitimate installation of new application.
t1204
t1204.002
windows
sigma
legitimate installation of printer driver qms 810, texas instruments microlaser printer (unlikely)
t1204
windows
sigma
legitimate installations of exchange transportagents. assemblypath is a good indicator for this.
t1505
t1505.002
windows
sigma
legitimate internal requirements.
t1112
windows
sigma
legitimate local user creations may be done by a system or network administrator. verify whether this is known behavior in your environment. local user creations by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1136
windows
elastic
legitimate logon attempts over the internet
t1078
t1133
t1190
windows
sigma
legitimate logon scripts or custom shells may trigger false positives. apply additional filters accordingly.
t1037
t1037.001
windows
sigma
legitimate macro files downloaded from the internet
t1566
t1566.001
windows
sigma
legitimate macro files sent as attachments via emails
t1566
t1566.001
windows
sigma
legitimate macro usage. add the appropriate filter according to your environment
t1204
t1204.002
windows
sigma
legitimate mega installers and utilities are expected to communicate with this domain. exclude hosts that are known to be allowed to use this tool.
t1567
t1567.001
windows
sigma
legitimate microsoft diagcab
windows
sigma
legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
t1027
t1027.004
windows
sigma
legitimate modification of keys
t1112
windows
sigma
legitimate modification of screensaver
t1546
t1546.002
windows
sigma
legitimate modification of the registry key by legitimate program
t1112
windows
sigma
legitimate mssql server actions
t1003
t1003.001
windows
sigma
legitimate ncat use
t1095
windows
sigma
legitimate need for regback feature by administrators.
t1113
windows
sigma
legitimate network diagnostic scripts.
t1040
windows
sigma
legitimate new entry added by windows
windows
sigma
legitimate openvpn tap installation
t1048
windows
sigma
legitimate or intentional inbound connections from public ip addresses on the smb port.
t1078
t1110
t1133
windows
sigma
legitimate package hosted on a known and authorized remote location
windows
sigma
legitimate packages that make use of external binaries such as windows terminal
windows
sigma
legitimate piping of the password to anydesk
t1219
windows
sigma
legitimate powershell scripts
t1003
t1003.003
t1003.006
t1033
t1036
t1036.003
t1057
t1070
t1070.003
t1083
t1201
t1546
t1546.015
t1553
t1553.005
t1562
t1562.001
t1564
t1564.006
t1615
windows
sigma
legitimate powershell scripts that disable windows defender for troubleshooting purposes. must be investigated.
t1562
t1562.001
windows
sigma
legitimate powershell scripts that make use of psreflect to access the win32 api
t1059
t1106
windows
elastic
legitimate powershell scripts that make use of these functions.
t1039
t1055
t1059
t1069
t1087
t1106
t1135
t1482
windows
elastic
legitimate powershell scripts which makes use of compression and encoding.
t1027
t1059
t1140
windows
elastic
legitimate powershell scripts which makes use of encryption.
t1027
t1140
windows
elastic
legitimate powershell web access installations by administrators
t1059
t1059.001
t1548
t1548.002
windows
sigma
legitimate processes may be spawned from the microsoft exchange server unified messaging (um) service. if known processes are causing false positives, they can be exempted from the rule.
t1190
t1210
windows
elastic
legitimate processes that run at logon. filter according to your environment
t1053
t1053.005
windows
sigma
legitimate py2exe binaries
t1027
t1027.002
windows
sigma
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
t1046
windows
sigma
legitimate rclone usage
t1567
t1567.002
windows
sigma
legitimate registration of ifilters by the os or software
windows
sigma
legitimate remote account administration.
t1098
t1531
windows
elastic
legitimate remote administration activity
t1550
windows
sigma
legitimate scheduled jobs may be created during installation of new software.
t1053
windows
elastic
legitimate scheduled tasks may be created during installation of new software.
t1053
t1059
t1218
windows
elastic
legitimate scheduled tasks running third party software.
t1053
windows
elastic
legitimate script
t1018
t1021
t1021.006
t1048
t1059
t1218
t1218.007
t1562
t1562.001
windows
sigma
legitimate script that disables the command history
t1070
t1070.003
windows
sigma
legitimate scripts
t1105
windows
sigma
legitimate scripts that use iex
t1059
t1059.001
windows
sigma
legitimate security products adding their own amsi providers. filter these according to your environment
windows
sigma
legitimate sip being registered by the os or different software.
t1553
t1553.003
windows
sigma
legitimate software (un)installations are known to cause some false positives. please add them as a filter when encountered
t1112
windows
sigma
legitimate software accessing lsass process for legitimate reason; update the whitelist with it
t1003
t1003.001
windows
sigma
legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
t1547
t1547.001
windows
sigma
legitimate software creating script event consumers
t1546
t1546.003
windows
sigma
legitimate software from program files - https://twitter.com/gn3mes1s/status/1206874118282448897
t1027
t1027.004
windows
sigma
legitimate software installed by the users for example in the "appdata" directory may access these files (for any reason).
t1003
windows
sigma
legitimate software installed on partitions other than "c:\"
t1003
windows
sigma
legitimate software naming their tasks as guids
t1053
t1053.005
windows
sigma
legitimate software such as av and edr
t1003
t1003.001
windows
sigma
legitimate software using python dlls
t1574
t1574.002
windows
sigma
legitimate sub processes started by manage engine servicedesk pro
t1102
windows
sigma
legitimate system administration
t1047
windows
sigma
legitimate testing of microsoft ui parts.
t1218
windows
sigma
legitimate third party application located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. apply additional filters as needed.
t1574
t1574.001
t1574.002
windows
sigma
legitimate tools that accidentally match on the searched patterns
t1059
windows
sigma
legitimate usage by an administrator
windows
sigma
legitimate usage by software developers
t1072
t1218
windows
sigma
legitimate usage by software developers/testers
t1003
t1003.001
t1218
windows
sigma
legitimate usage by some scripts might trigger this as well
windows
sigma
legitimate usage for administration purposes
t1003
t1003.005
t1218
windows
sigma
legitimate usage for debugging purposes
windows
sigma
legitimate usage for tracing and diagnostics purposes
t1218
windows
sigma
legitimate usage of ".diagcab" files
t1202
windows
sigma
legitimate usage of ".one" or ".onepkg" files from those locations
windows
sigma
legitimate usage of ".pub" files from those locations
windows
sigma
legitimate usage of the "troubleshootingpack" cmdlet for troubleshooting purposes
t1202
windows
sigma
legitimate usage of adplus for debugging purposes
t1003
t1003.001
windows
sigma
legitimate usage of appcmd to add new url rewrite rules
windows
sigma
legitimate usage of bitlockertogo.exe to encrypt portable devices.
t1218
windows
sigma
legitimate usage of cloudflare quick tunnel
t1090
t1090.001
windows
sigma
legitimate usage of cloudflared portable versions
t1090
t1090.001
windows
sigma
legitimate usage of cloudflared tunnel.
t1090
t1102
t1572
windows
sigma
legitimate usage of cloudflared.
t1090
t1102
t1572
windows
sigma
legitimate usage of dsinternals for administration or audit purpose.
t1059
t1059.001
windows
sigma
legitimate usage of ip lookup services such as ipify api
t1590
windows
sigma
legitimate usage of livekd for debugging purposes will also trigger this
windows
sigma
legitimate usage of remote powershell, e.g. for monitoring purposes.
t1021
t1021.006
t1059
t1059.001
windows
sigma
legitimate usage of remote powershell, e.g. remote administration and monitoring.
t1021
t1021.006
t1059
t1059.001
windows
sigma
legitimate usage of sdelete
t1027
t1027.005
t1070
t1070.004
t1485
t1553
t1553.002
windows
sigma
legitimate usage of stordiag.exe.
t1218
windows
sigma
legitimate usage of system.net.networkinformation.ping class
t1048
t1048.003
windows
sigma
legitimate usage of teamviewer
t1133
windows
macos
linux
sigma
legitimate usage of the anydesk tool
windows
sigma
legitimate usage of the applications from the windows store
windows
sigma
legitimate usage of the capabilities by administrators or users. add additional filters accordingly.
windows
sigma
legitimate usage of the cmdlet to forward emails
windows
sigma
legitimate usage of the features listed in the rule.
windows
sigma
legitimate usage of the file by hardware manufacturer such as lenovo (thanks @0gtweet for the tip)
t1542
t1542.001
windows
sigma
legitimate usage of the passwords by users via commandline (should be discouraged)
windows
sigma
legitimate usage of the script by a developer
t1216
t1216.001
windows
sigma
legitimate usage of the script. always investigate what's being registered to confirm if it's benign
t1218
windows
sigma
legitimate usage of the tool
t1219
windows
sigma
legitimate usage of the uncommon windows work folders feature.
t1218
windows
sigma
legitimate usage of the utility by administrators to query the event log
t1552
windows
sigma
legitimate usage of the utility in order to debug and trace a program.
t1218
windows
sigma
legitimate usage of this key would also trigger this. investigate the driver being added and make sure it's intended
windows
sigma
legitimate usage to restore snapshots
t1003
t1003.003
windows
sigma
legitimate use
t1005
t1040
t1059
t1072
t1090
t1124
t1127
t1219
t1484
t1484.001
t1546
t1546.015
t1555
t1555.003
t1562
t1562.001
windows
sigma
legitimate use by a software developer
t1127
windows
sigma
legitimate use via a batch script or by an administrator.
t1059
windows
sigma
legitimate use by administrative staff
t1133
windows
sigma
legitimate use by administrators
t1569
t1569.002
windows
sigma
legitimate use by an administrator
t1059
windows
sigma
legitimate use by developers as part of nodejs development with visual studio tools
t1218
windows
sigma
legitimate use by third party tools in order to investigate installed drivers
windows
sigma
legitimate use by users
t1083
windows
sigma
legitimate use by vm administrator
t1059
windows
sigma
legitimate use for tracing purposes
t1127
windows
sigma
legitimate use of 7z to compress wer ".dmp" files for troubleshooting
t1560
t1560.001
windows
sigma
legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
t1560
t1560.001
windows
sigma
legitimate use of anydesk from a non-standard folder
t1219
windows
sigma
legitimate use of azure hybrid connection manager and the azure service bus service
t1554
windows
sigma
legitimate use of btunnels will also trigger this.
t1567
t1567.001
windows
sigma
legitimate use of cloudflare tunnels will also trigger this.
t1071
t1071.001
t1567
t1567.001
windows
sigma
legitimate use of cmstp.exe utility by legitimate user
t1218
t1218.003
t1548
t1548.002
windows
sigma
legitimate use of crypto miners
t1496
windows
linux
sigma
legitimate use of custom plugins by users in order to enhance notepad++ functionalities
windows
sigma
legitimate use of debugging tools
t1106
t1127
t1218
windows
sigma
legitimate use of devtoolslauncher.exe by legitimate user
t1218
windows
sigma
legitimate use of devtunnels will also trigger this.
t1071
t1071.001
t1567
t1567.001
windows
sigma
legitimate use of dnx.exe by legitimate user
t1027
t1027.004
t1218
windows
sigma
legitimate use of dsacls to bind to an ldap session
t1218
windows
sigma
legitimate use of external db to save the results
t1112
windows
sigma
legitimate use of fodhelper.exe utility by legitimate user
t1548
t1548.002
windows
sigma
legitimate use of hybrid connection manager via azure function apps.
t1554
windows
sigma
legitimate use of msra.exe
t1055
windows
sigma
legitimate use of net.exe utility by legitimate user
t1018
windows
sigma
legitimate use of nim on a developer systems
t1105
windows
sigma
legitimate use of one of these tools
t1003
t1588
t1588.002
windows
sigma
legitimate use of outlook forms
t1137
t1137.003
windows
sigma
legitimate use of pester for writing tests for powershell scripts and modules
t1059
t1059.001
t1216
windows
sigma
legitimate use of portmap.io domains
t1041
t1090
t1090.002
windows
sigma
legitimate use of procdump by a developer or administrator
t1003
t1003.001
t1036
windows
sigma
legitimate use of process hacker or system informer by developers or system administrators
t1543
windows
sigma
legitimate use of psloglist by an administrator
t1087
t1087.001
t1087.002
windows
sigma
legitimate use of psservice by an administrator
t1543
t1543.003
windows
sigma
legitimate use of quick assist in the environment.
t1071
t1071.001
t1210
t1219
windows
sigma
legitimate use of remote powershell execution
t1059
t1059.001
windows
sigma
legitimate use of screen saver
t1218
t1218.011
windows
sigma
legitimate use of screenconnect
t1059
t1059.003
windows
sigma
legitimate use of screenconnect. disable this rule if screenconnect is heavily used.
t1059
t1059.003
windows
sigma
legitimate use of sysinternals tools
t1588
t1588.002
windows
sigma
legitimate use of sysinternals tools. filter the legitimate paths used in your environment
t1588
t1588.002
windows
sigma
legitimate use of the api with a tool that the author wasn't aware of
t1105
windows
sigma
legitimate use of the dll.
t1546
t1546.015
windows
sigma
legitimate use of the external websites for troubleshooting or network monitoring
t1016
windows
sigma
legitimate use of the feature (alerts should be investigated either way)
t1112
windows
sigma
legitimate use of the feature by administrators (rare)
windows
sigma
legitimate use of the impacket tools
t1557
t1557.001
windows
sigma
legitimate use of the key to set up a debugger, which is often the case on developer machines
t1574
windows
sigma
legitimate use of the library
t1105
t1620
windows
sigma
legitimate use of the library for administrative activity
windows
sigma
legitimate use of the localtonet service.
t1090
t1102
t1572
windows
linux
sigma
legitimate use of the multi session functionality
t1112
windows
sigma
legitimate use of the ngrok service.
t1090
t1102
t1567
t1567.001
t1568
t1568.002
t1572
windows
sigma
legitimate use of the pdqdeploy tool to execute these commands
windows
sigma
legitimate use of the profile by developers or administrators
t1546
t1546.013
windows
sigma
legitimate use of the system utilities to discover system time for legitimate reason
t1124
windows
sigma
legitimate use of the tool
t1219
t1543
t1543.003
windows
sigma
legitimate use of the tool by administrators or users to update metadata of a binary
t1027
t1027.005
t1036
t1036.003
windows
sigma
legitimate use of the ui accessibility checker
windows
sigma
legitimate use of the utilities by legitimate user for legitimate reason
t1482
windows
sigma
legitimate use of vboxdrvinst.exe utility by virtualbox guest additions installation process
t1112
windows
sigma
legitimate use of visual studio code tunnel
t1071
t1071.001
windows
sigma
legitimate use of visual studio code tunnel and running code from there
t1071
t1071.001
windows
sigma
legitimate use of visual studio code tunnel will also trigger this.
t1071
t1071.001
t1567
t1567.001
windows
sigma
legitimate use of volume shadow copy mounts (backups maybe).
t1003
t1003.002
windows
sigma
legitimate use of vssvc. maybe backup operations. it would usually be done by c:\windows\system32\vssvc.exe.
t1003
t1003.002
windows
sigma
legitimate use of winrar command line version
t1560
t1560.001
windows
sigma
legitimate use of winrar in a folder of a software that bundles winrar
t1560
t1560.001
windows
sigma
legitimate use of winrar to compress wer ".dmp" files for troubleshooting
t1560
t1560.001
windows
sigma
legitimate use of winrar with a command line in which ".dmp" or ".dump" appears accidentally
t1560
t1560.001
windows
sigma
legitimate use remote powershell sessions
t1021
t1021.006
t1059
t1059.001
windows
sigma
legitimate use to compile jscript by developers.
t1127
windows
sigma
legitimate use to pass password to different powershell commands
t1027
t1059
t1059.001
windows
sigma
legitimate use via a batch script or by an administrator.
t1059
windows
sigma
legitimate use via intune management. exclude script paths and names to reduce the fp rate
t1218
windows
sigma
legitimate use when app-v is deployed
t1218
windows
sigma
legitimate use/activation of windows recall
t1113
windows
sigma
legitimate use of encrypted zip files
t1027
t1036
t1105
t1566
t1566.001
windows
sigma
legitimate user creation.
t1136
t1136.001
windows
sigma
legitimate uses in which users or programs use the ssh service of serv-u for remote command execution
t1555
windows
sigma
legitimate uses of logon scripts distributed via group policy
t1218
windows
sigma
legitimate uses of mouse lock software
t1056
t1056.002
windows
sigma
legitimate uses of teamviewer in an organisation
t1219
windows
sigma
legitimate vbscript
t1112
windows
sigma
legitimate windivert driver usage
t1557
t1557.001
t1599
t1599.001
windows
sigma
legitimate windows defender configuration changes
t1112
t1562
windows
elastic
legitimate winrm usage
t1190
windows
sigma
legitimate wmi query
t1112
windows
sigma
legitimate, non-default assistive technology applications execution
t1218
windows
sigma
legitimate usage
t1490
windows
sigma
legitimate usage of sdelete
t1070
t1070.004
windows
sigma
likelihood is related to how often the paths are used in the environment
t1219
windows
sigma
likely
t1006
t1059
t1059.001
t1082
t1091
t1200
t1217
t1482
t1560
t1560.001
windows
linux
sigma
likely from legitimate applications reading their key. requires heavy tuning
t1574
t1574.011
windows
sigma
likely with legitimate usage of \".rdp\" files
t1219
windows
sigma
likely with other browser software. apply additional filters for any other browsers you might use.
t1219
windows
sigma
likely. many admin scripts and tools leverage powershell in their .bat or .vbs scripts, which may trigger this rule often. it is best to add additional filters or use this to hunt for anomalies
t1059
t1059.001
windows
sigma
linux hostnames composed of 16 characters.
t1021
t1021.002
windows
sigma
loading a user environment from a backup or a domain controller
t1137
windows
sigma
loading of legitimate driver
t1574
windows
sigma
local accounts managed by privileged account management tools
t1136
t1136.001
windows
sigma
local domain admin account used for azure ad connect
t1003
t1003.006
windows
sigma
maintenance activity
t1070
t1070.001
t1562
t1562.002
windows
sigma
many legitimate applications can register a new custom protocol handler. additional filters need to be applied according to your environment.
t1112
windows
sigma
many legitimate applications leverage this dll. (visual studio, jetbrains, ruby, anaconda, githubdesktop, etc.)
t1574
t1574.001
t1574.002
windows
sigma
many legitimate applications or scripts could leverage \"bitsadmin\". this event is best correlated with eid 16403 via the jobid field
t1197
windows
sigma
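The correlation that the bitsadmin entry above recommends, as an added example (it is not part of this LoFP entry, of Sigma, or of any vendor's code): it joins constructed EID 59 records (job and URL) with constructed EID 16403 records (job owner and creating process) on Computer plus JobId, then applies a host allowlist and a process allowlist before deciding which jobs deserve a look. The field names JobId, Url, JobOwner and ProcessPath, the allowlist contents and the sample records are assumptions made for this example; check them against the events your own Microsoft-Windows-Bits-Client/Operational channel produces before reusing the logic.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample records from the Microsoft-Windows-Bits-Client/Operational
# channel (not real telemetry). The field names JobId, Url, JobOwner and
# ProcessPath are assumptions for this example.
TRANSFER_EVENTS = [  # EID 59: a transfer job started for a URL
    {"EventID": 59, "Computer": "WS01", "JobId": "{a1}",
     "Url": "https://updates.example.com/patch.msi"},
    {"EventID": 59, "Computer": "WS01", "JobId": "{b2}",
     "Url": "http://203.0.113.10/a.exe"},
    {"EventID": 59, "Computer": "WS02", "JobId": "{c3}",
     "Url": "https://cdn.example.org/pkg.zip"},
]
JOB_EVENTS = [  # EID 16403: job created/modified, carries owner and creating process
    {"EventID": 16403, "Computer": "WS01", "JobId": "{a1}", "JobOwner": "CORP\\svc_patch",
     "ProcessPath": "C:\\Program Files\\PatchTool\\patchtool.exe"},
    {"EventID": 16403, "Computer": "WS01", "JobId": "{b2}", "JobOwner": "CORP\\jdoe",
     "ProcessPath": "C:\\Windows\\System32\\bitsadmin.exe"},
    {"EventID": 16403, "Computer": "WS02", "JobId": "{c3}", "JobOwner": "CORP\\adm",
     "ProcessPath": "C:\\Windows\\System32\\bitsadmin.exe"},
]

# Tuning knobs for a hypothetical environment: hosts and creating processes known to be benign.
ALLOWED_HOSTS = {"updates.example.com"}
ALLOWED_PROCESSES = {"c:\\program files\\patchtool\\patchtool.exe"}


def correlate_bits_jobs(transfer_events, job_events):
    """Join EID 59 (URL) with EID 16403 (owner, process) on Computer + JobId."""
    by_job = {(e["Computer"], e["JobId"]): e
              for e in job_events if e["EventID"] == 16403}
    merged = []
    for t in transfer_events:
        if t["EventID"] != 59:
            continue
        job = by_job.get((t["Computer"], t["JobId"]), {})
        merged.append({
            "Computer": t["Computer"],
            "JobId": t["JobId"],
            "Url": t["Url"],
            "JobOwner": job.get("JobOwner", "<unknown>"),
            "ProcessPath": job.get("ProcessPath", "<unknown>"),
        })
    return merged


def is_ip_host(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(merged, allowed_hosts=ALLOWED_HOSTS, allowed_processes=ALLOWED_PROCESSES):
    """Return (JobId, reason) for jobs that survive both allowlists."""
    findings = []
    for m in merged:
        host = (urlparse(m["Url"]).hostname or "").lower()
        proc = m["ProcessPath"].lower()
        if host in allowed_hosts or proc in allowed_processes:
            continue
        if is_ip_host(host):
            findings.append((m["JobId"], f"direct-IP download by {m['JobOwner']} via {proc}"))
        elif proc.endswith("\\bitsadmin.exe"):
            findings.append((m["JobId"], f"bitsadmin job to {host} by {m['JobOwner']}"))
    return findings


if __name__ == "__main__":
    for job_id, reason in triage(correlate_bits_jobs(TRANSFER_EVENTS, JOB_EVENTS)):
        print(job_id, reason)
```

Joining on Computer as well as JobId matters: job GUIDs are only unique per host, and the two event IDs are written at different times, so the join must tolerate a transfer event whose 16403 partner has not arrived yet (here it degrades to "<unknown>" rather than dropping the record).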
maybe some system utilities in rare cases use linking keys for backward compatibility
t1546
t1546.015
windows
sigma
microsoft antimalware service executable installed on non default installation path.
t1574
windows
elastic
microsoft operations manager (mom)
t1059
t1059.001
windows
sigma
microsoft sccm
t1059
t1059.001
t1059.005
t1218
windows
sigma
microsoft windows installers leveraging rundll32 for installation.
t1059
t1218
t1552
windows
elastic
might trigger if a legitimate new sip provider is registered. but this is not a common occurrence in an environment and should be investigated either way
windows
sigma
migration of an account into a new domain
t1134
t1134.005
windows
sigma
mimikatz can be useful for testing the security of networks
t1003
windows
sigma
minimal. for some older versions of dev tools such as pycharm, developers were known to sometimes disable windows defender to improve performance, but this is generally not considered good security practice.
t1562
t1562.001
windows
sigma
moderate-to-low; despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.
t1059
t1059.001
windows
sigma
modifications in the msds-keycredentiallink attribute can be done legitimately by the azure ad connect synchronization account or the adfs service account. these accounts can be added as exceptions.
t1556
windows
elastic
monitoring activity
t1003
t1027
t1033
t1134
windows
sigma
monitoring tools
t1047
windows
sigma
msiexec.exe hiding desktop.ini
t1564
t1564.001
windows
sigma
msmpeng might crash if the "c:\" partition is full
t1211
t1562
t1562.001
windows
sigma
msp detection searcher
t1059
t1059.001
windows
sigma
msxsl is not installed by default and is deprecated, so unlikely on most systems.
t1220
windows
sigma
naughty administrators
t1003
t1003.001
t1003.002
t1003.004
t1003.006
windows
sigma
need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
t1218
windows
sigma
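One way to do the outlier processing the entry above calls for, as an added example that is not part of LoFP or Sigma: it counts, for each parent/child process pair, the number of distinct hosts on which the pair was seen across constructed Sysmon process-creation records, and returns only the pairs seen on few hosts. The sample records and the host threshold are assumptions.

```python
from collections import defaultdict

# Constructed Sysmon EID 1 records as (host, parent image, child image); not real telemetry.
PROCESS_EVENTS = [
    ("HOST01", "explorer.exe", "outlook.exe"),
    ("HOST02", "explorer.exe", "outlook.exe"),
    ("HOST03", "explorer.exe", "outlook.exe"),
    ("HOST04", "explorer.exe", "outlook.exe"),
    ("HOST05", "explorer.exe", "outlook.exe"),
    ("HOST01", "svchost.exe", "wmiprvse.exe"),
    ("HOST02", "svchost.exe", "wmiprvse.exe"),
    ("HOST03", "svchost.exe", "wmiprvse.exe"),
    ("HOST04", "svchost.exe", "wmiprvse.exe"),
    ("HOST02", "explorer.exe", "powershell.exe"),
    ("HOST04", "explorer.exe", "powershell.exe"),
    ("HOST03", "winword.exe", "cmd.exe"),
    ("HOST03", "winword.exe", "cmd.exe"),   # repeats on one host still count as one host
]


def hosts_per_pair(events):
    """Map (parent, child) -> set of distinct hosts on which the pair was observed."""
    seen = defaultdict(set)
    for host, parent, child in events:
        seen[(parent.lower(), child.lower())].add(host)
    return seen


def rare_pairs(events, max_hosts=1):
    """Pairs seen on at most max_hosts distinct hosts, rarest first."""
    seen = hosts_per_pair(events)
    rare = [(pair, sorted(hosts)) for pair, hosts in seen.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


if __name__ == "__main__":
    for pair, hosts in rare_pairs(PROCESS_EVENTS, max_hosts=2):
        print(pair, hosts)
```

Counting distinct hosts rather than raw events is the point: a noisy but fleet-wide pair (explorer.exe launching outlook.exe) drops out regardless of volume, while a pair that fires many times on a single host stays an outlier.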
needs tuning of applocker or exceptions added in the siem
t1059
t1059.001
t1059.003
t1059.005
t1059.006
t1059.007
t1204
t1204.002
windows
sigma
network service user name of a not-covered localization
t1021
t1021.006
t1059
t1059.001
windows
sigma
new domain controller computer account. check the user sids within the value attribute of event 5136 and verify whether each is a regular user or a dc computer account.
t1098
windows
sigma
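A worked triage for both 5136 cases above (the msDS-KeyCredentialLink exceptions for the Azure AD Connect and ADFS service accounts, and the DCSync-rights grant that a new domain controller account legitimately receives), as an added example not taken from LoFP, Sigma or Elastic: it parses the SDDL in AttributeValue, extracts the trustee of every object ACE that grants one of the three replication extended rights, resolves it through a constructed SID table, and suppresses grants to domain controller computer accounts as well as KeyCredentialLink writes by the excluded service accounts. The sample events, the SID table and the excluded account names are assumptions; the GUIDs are the schema control-access-right identifiers for DS-Replication-Get-Changes, -All and -In-Filtered-Set.

```python
import re

# Replication extended rights whose grant enables DCSync (schema control-access-right GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# SDDL two-letter aliases that may appear instead of a SID in the trustee slot.
SDDL_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
                "ED": "Enterprise Domain Controllers", "BA": "Administrators", "SY": "SYSTEM"}
VALUE_ADDED = "%%14674"  # OperationType of event 5136 for "Value Added"

# Constructed directory lookup (resolve SIDs via LDAP in production): SID -> (name, is_dc_computer).
SID_MAP = {
    "S-1-5-21-1-2-3-1105": ("CORP\\jdoe", False),
    "S-1-5-21-1-2-3-1210": ("CORP\\DC03$", True),
}
# Hypothetical sync / federation service accounts that legitimately write msDS-KeyCredentialLink.
EXCLUDED_SUBJECTS = {"msol_abc123", "svc_adfs"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def dcsync_trustees(sddl):
    """Return (trustee, right_name) for each object ACE granting a replication right."""
    out = []
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, _rights, obj_guid, _inherit_guid, trustee = parts[:6]
        right = REPLICATION_RIGHTS.get(obj_guid.lower())
        if ace_type == "OA" and right:
            out.append((trustee, right))
    return out


def classify_trustee(trustee, sid_map=SID_MAP):
    """Resolve a SID or SDDL alias to (display_name, is_dc_computer_account)."""
    if trustee in SDDL_ALIASES:
        return SDDL_ALIASES[trustee], trustee == "ED"
    return sid_map.get(trustee, (f"<unresolved {trustee}>", False))


def triage_5136(events, sid_map=SID_MAP, excluded_subjects=EXCLUDED_SUBJECTS):
    """Return (ObjectDN, reason) for 5136 value-added writes not covered by the exceptions."""
    findings = []
    for e in events:
        if e["EventID"] != 5136 or e["OperationType"] != VALUE_ADDED:
            continue
        attr = e["AttributeLDAPDisplayName"].lower()
        if attr == "msds-keycredentiallink":
            if e["SubjectUserName"].lower() in excluded_subjects:
                continue  # expected writer (Azure AD Connect / ADFS service account)
            findings.append((e["ObjectDN"], f"msDS-KeyCredentialLink written by {e['SubjectUserName']}"))
        elif attr == "ntsecuritydescriptor":
            for trustee, right in dcsync_trustees(e["AttributeValue"]):
                name, is_dc = classify_trustee(trustee, sid_map)
                if is_dc:
                    continue  # a (new) domain controller account is expected to hold these rights
                findings.append((e["ObjectDN"], f"{right} granted to {name}"))
    return findings


# Constructed sample events (not real telemetry); the DN-Binary blob is a placeholder.
EVENTS = [
    {"EventID": 5136, "OperationType": VALUE_ADDED, "SubjectUserName": "CORP\\adm",
     "ObjectDN": "DC=corp,DC=example", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1210)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1210)"},
    {"EventID": 5136, "OperationType": VALUE_ADDED, "SubjectUserName": "CORP\\adm",
     "ObjectDN": "DC=corp,DC=example", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"},
    {"EventID": 5136, "OperationType": VALUE_ADDED, "SubjectUserName": "MSOL_abc123",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "<DN-Binary blob>"},
    {"EventID": 5136, "OperationType": VALUE_ADDED, "SubjectUserName": "CORP\\jdoe",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "<DN-Binary blob>"},
]
```

The exception for domain controllers is keyed on the account the grant is made to, not on the account making the change: promoting a DC writes these ACEs under an administrator's context, so excluding by SubjectUserName would also hide a real DCSync-rights abuse by the same administrator.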
newly setup system.
t1204
t1204.002
windows
sigma
ngrok http 3978 (https://learn.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)
t1572
windows
sigma
ninite contacting githubusercontent.com
t1102
t1102.001
windows
sigma
none thus far found
t1210
windows
splunk
note that since the event contains the change for both values, this will trigger on both enable and disable
windows
sigma
ntds maintenance
t1003
t1003.003
windows
sigma
occasional fps might occur if onenote is used internally to share different embedded documents
windows
sigma
office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com"; this may have to be tuned.
t1203
windows
sigma
on modern windows systems, the "setup16" utility is practically never used, hence false positives should be very rare.
t1574
t1574.005
windows
sigma
one might need to exclude other internet browsers found in its network, or other applications like the ones mentioned above, from microsoft defender.
t1102
t1102.001
windows
sigma
operations performed through windows sccm or equivalent
t1547
t1547.009
windows
sigma
other antivirus software installations could cause windows to disable that eventlog (unknown)
t1562
t1562.001
windows
sigma
other child processes will depend on the dll being registered by actions like "regsvr". in cases where the dlls make external calls (which should be rare), other child processes might spawn and additional filters need to be applied.
t1218
t1218.008
windows
sigma
other cmdlets that may use the same parameters
t1562
t1562.001
windows
sigma
other command line tools, that use these flags
t1560
t1560.001
windows
sigma
other currently unknown false positives
windows
sigma
other dlls with the same imphash
t1562
t1562.002
windows
sigma
other legitimate tools loading drivers, including but not limited to sysinternals, cpu-z, avs etc. a baseline needs to be created according to the products in use and the allowed tools. a good thing to do is to try and exclude users who are allowed to load drivers.
t1562
t1562.001
windows
sigma
other legitimate tools using this driver and filename (like sysinternals). note - clever attackers may easily bypass this detection by just renaming the driver filename. therefore this is only medium-level and should not be relied on.
t1562
t1562.001
windows
sigma
other legitimate tools using these service names and drivers. note - clever attackers may easily bypass this detection by just renaming the services. therefore this is only medium-level and should not be relied on.
t1562
t1562.001
windows
sigma
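To make the rename caveat in the two entries above concrete, an added example (not LoFP, Sigma or Sysmon code) that checks constructed Sysmon EID 6 DriverLoad records against a filename watchlist and against hash watchlists parsed from the Hashes field: a renamed copy of the same driver defeats the name match but not the SHA256 match, and an imphash match on its own is ranked as a lead only, because imphashes collide across unrelated binaries (the point of the "other dlls with the same imphash" entry further up). The watchlist entries are hypothetical and all hash values are placeholders, not real hashes.

```python
# Constructed Sysmon EID 6 (DriverLoad) records; hash values are placeholders, not real hashes.
PLACEHOLDER_SHA256_A = "a" * 64
PLACEHOLDER_SHA256_B = "b" * 64
PLACEHOLDER_IMPHASH_X = "c" * 32

DRIVER_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\procexp152.sys",
     "Hashes": f"SHA256={PLACEHOLDER_SHA256_A.upper()},IMPHASH={PLACEHOLDER_IMPHASH_X.upper()}"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\upd.sys",   # same bytes, renamed
     "Hashes": f"SHA256={PLACEHOLDER_SHA256_A.upper()},IMPHASH={PLACEHOLDER_IMPHASH_X.upper()}"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\storport.sys",
     "Hashes": f"SHA256={PLACEHOLDER_SHA256_B.upper()},IMPHASH={PLACEHOLDER_IMPHASH_X.upper()}"},
]

# Hypothetical watchlists. The name list is what a filename-based rule keys on;
# the hash lists are what survives a rename.
WATCH_NAMES = {"procexp152.sys"}
WATCH_SHA256 = {PLACEHOLDER_SHA256_A}
WATCH_IMPHASH = {PLACEHOLDER_IMPHASH_X}   # imphash collides across unrelated binaries: lead, not verdict


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' string into a lower-cased dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(event, names=WATCH_NAMES, sha256s=WATCH_SHA256, imphashes=WATCH_IMPHASH):
    """Return the set of match types ('name', 'sha256', 'imphash') for one DriverLoad event."""
    if event["EventID"] != 6:
        return set()
    hits = set()
    filename = event["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    hashes = parse_hashes(event["Hashes"])
    if filename in names:
        hits.add("name")
    if hashes.get("SHA256") in sha256s:
        hits.add("sha256")
    if hashes.get("IMPHASH") in imphashes:
        hits.add("imphash")
    return hits


def confidence(hits):
    """Rank: a content match beats a name match; imphash alone is only a hunting lead."""
    if "sha256" in hits:
        return "high"
    if "name" in hits:
        return "medium"
    if "imphash" in hits:
        return "low"
    return "none"


if __name__ == "__main__":
    for e in DRIVER_EVENTS:
        hits = check_driver_load(e)
        print(e["ImageLoaded"], sorted(hits), confidence(hits))
```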
other legitimate tools which do adsi (ldap) operations, e.g. any remoting activity by mmc, powershell, windows etc.
t1001
t1001.003
windows
sigma
other legitimate "windows terminal" profiles
windows
sigma
other legitimate binaries named "thor.exe" that aren't published by nextron systems
t1574
t1574.002
windows
sigma
other legitimate browsers not currently included in the filter (please add them)
windows
sigma
other legitimate extensions currently not in the list either from third party or specific windows components.
t1574
windows
sigma
other legitimate network providers used and not filtered in this rule
t1003
windows
sigma
other legitimate processes loading those dlls in your environment.
t1056
t1056.002
windows
sigma
other legitimate windows processes not currently listed
t1486
t1562
t1562.001
windows
sigma
other parent binaries using gup not currently identified
windows
sigma
parent processes other than notepad++ using gup that are not currently identified
t1105
windows
sigma
other ports can be used, apply additional filters accordingly
windows
sigma
other programs that cause these patterns (please report)
t1021
windows
sigma
other programs that use these command line options and accept an 'all' parameter
t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
windows
sigma
other scripts
t1059
t1059.001
windows
sigma
other smtp tools
t1048
t1048.003
windows
sigma
other third party applications not listed.
t1070
t1070.004
windows
sigma
other third party chromium browsers located in appdata
t1574
t1574.001
t1574.002
windows
sigma
other tools can access lsass for legitimate reasons and generate an event. in these cases, tweaking the search may help eliminate noise.
t1003
t1003.001
windows
splunk
other tools can import the same dlls. these tools should be part of a whitelist. false positives may be present with any process that authenticates or uses credentials, powershell included. filter based on parent process.
t1003
t1003.001
windows
splunk
other tools could load images into lsass for legitimate reason. but enterprise tools should always use signed dlls.
t1003.001
windows
splunk
other tools that incidentally use the same command line parameters
t1059
t1059.001
windows
sigma
other tools that work with encoded scripts in the command line instead of script files
t1059
t1059.001
windows
sigma
other unknown legitimate or custom paths need to be filtered to avoid false positives
t1112
windows
sigma
other vb scripts that leverage the same starting command line flags
t1218
windows
sigma
packages or applications being legitimately used by users or administrators
windows
sigma
particular web applications may spawn a shell process legitimately
t1190
t1505
t1505.003
windows
sigma
planned windows defender configuration changes.
t1059
t1562
windows
elastic
pnputil.exe being executed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1547
windows
sigma
pnputil.exe being used may be performed by a system administrator.
t1547
windows
sigma
possible admin activity
t1562
t1562.001
windows
sigma
possible administrative activity
t1562
t1562.001
windows
sigma
possible but rare
t1202
windows
sigma
possible depending on environment. pair with other factors such as net connections, command-line args, etc.
t1127
windows
sigma
possible fp during log rotation
t1070
windows
sigma
possible fps during first installation of notepad++
windows
sigma
possible undocumented parents of "msdt" other than "pcwrun"
t1218
windows
sigma
possible, different agents with an 8 character binary and a 4, 8 or 16 character service name
t1021
t1021.002
t1569
t1569.002
t1570
windows
sigma
potential fp by sysadmin opening a zip file containing a legitimate iso file
t1566
t1566.001
windows
sigma
powershell and windows command shell are often observed as legit child processes of the jetbrains teamcity service and may require further tuning.
t1059
t1190
windows
elastic
powershell remoting is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
t1021
t1059
windows
elastic
powershell scripts fixing hivenightmare / serioussam acls
t1003
t1003.002
windows
sigma
powershell scripts running as system user
t1059
t1059.001
windows
sigma
powershell scripts that download content from the internet
t1059
t1059.001
windows
sigma
powershell scripts that use this capability for troubleshooting.
t1003
t1059
windows
elastic
printer software / driver installations
t1218
t1218.005
windows
sigma
printing documents via notepad might cause communication with the printer via port 9100 or similar.
t1055
windows
sigma
procdump illegally bundled with legitimate software.
t1036
t1036.003
windows
sigma
process dumping is the expected behavior of the tool, so false positives are expected in legitimate usage. the pid/process name of the process being dumped needs to be investigated
t1218
windows
sigma
processes related to software installation
t1486
t1562
t1562.001
windows
sigma
processes such as ms office using ieproxy to render html content.
t1071
t1559
windows
elastic
programs that connect locally to the rdp port
t1021
t1021.001
t1090
t1090.001
t1090.002
windows
sigma
programs that use the same command line flag
t1588
t1588.002
windows
sigma
programs that use the same command line flags
t1033
windows
sigma
programs that use the same registry key
t1588
t1588.002
windows
sigma
programs using powershell directly without invocation of a dedicated interpreter.
t1059
t1059.001
windows
sigma
proxy ssl certificate with subject modification
windows
sigma
psexec installed via windows store doesn't contain original filename field (false negative)
t1036
t1036.003
windows
sigma
psexec is a dual-use tool that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
t1021
t1569
t1570
windows
elastic
python libraries that use a flag starting with "-c". filter according to your environment
t1059
windows
sigma
rare case of troubleshooting by an administrator or support that has to be investigated regardless
t1003
t1003.001
windows
sigma
rare cases of administrative activity
t1003
t1003.002
windows
sigma
rare false positives could occur on servers with multiple drives.
windows
sigma
rare false positives could occur since service termination could happen due to multiple reasons
windows
sigma
rare false positives may occur from legitimate administrators disabling a specific event log for troubleshooting
t1562
t1562.002
windows
sigma
rare fp could occur due to the non-linearity of the scriptblocktext log
t1574
t1574.011
windows
sigma
rare intended use of hidden services
t1574
t1574.011
windows
sigma
rare legitimate access to anonfiles.com
t1567
t1567.002
windows
sigma
rare legitimate add to registry via cli (to these locations)
t1112
t1562
t1562.001
windows
sigma
rare legitimate administrative activity
windows
sigma
rare legitimate crashing of the lsass process
t1003
t1003.001
windows
sigma
rare legitimate dump of the process by the operating system due to a crash of lsass
t1003
t1003.001
windows
sigma
rare legitimate files with similar filename structure
t1003
t1003.001
windows
sigma
rare legitimate installation of kernel drivers via sc.exe
t1543
t1543.003
windows
sigma
rare legitimate software.
windows
sigma
rare legitimate usage of some of the extensions mentioned in the rule
t1547
t1547.001
windows
sigma
rare legitimate use by administrators to test software (should always be investigated)
t1562
t1562.001
windows
sigma
rare legitimate use of psexec from the locations mentioned above. this will require initial tuning based on your environment.
t1569
t1569.002
windows
sigma
rare need to clear logs before doing something. sometimes used by installers or cleaner scripts. the script should be investigated to determine if it's legitimate
t1070
t1070.001
windows
sigma
rare occasions of legitimate cases where kernel debugging is necessary in production. investigation is required
windows
sigma
rare occasions where a malicious package uses the exact same name and version as a legitimate application
windows
sigma
rare programs that contain the word dump in their name and access lsass
t1003
t1003.001
windows
sigma
read only access list authority
t1547
t1547.009
windows
sigma
rollout of log collection agents (the setup routine often includes a reset of the local eventlog)
t1070
t1070.001
windows
sigma
rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf
t1055
windows
sigma
runas command-line tool using /netonly parameter
t1550
t1550.002
windows
sigma
rundll32.exe with zzzzinvokemanagedcustomactionoutofproc in command line and msiexec.exe as parent process - https://twitter.com/sbousseaden/status/1388064061087260675
t1218
windows
sigma
russian speaking people changing the codepage
t1036
windows
sigma
scripts and administrative tools that use inf files for driver installation with setupapi.dll
t1218
t1218.011
windows
sigma
scripts and administrative tools used in the monitored environment
t1003
t1027
t1033
t1070
t1070.001
t1134
t1485
t1562
t1562.002
windows
sigma
scripts created by developers and admins
t1071
t1071.001
t1105
t1222
t1222.001
t1567
windows
linux
sigma
scripts or links on the user desktop used to lock the workstation instead of windows+l or the menu option
windows
sigma
scripts or tools that download attachments from these domains (onenote, outlook 365)
t1105
t1608
windows
sigma
scripts or tools that download files
t1059
t1059.001
t1105
windows
sigma
searching software such as "everything.exe"
t1003
windows
sigma
security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes.
t1047
t1059
t1190
t1505
windows
elastic
security testing may produce events like this. activity of this kind performed by non-engineers and ordinary users is unusual.
t1218
windows
elastic
seen being triggered occasionally during windows 8 defender updates
t1562
t1562.001
windows
sigma
service accounts used on legacy systems (e.g. netapp)
t1558
t1558.003
windows
sigma
services or tools that set the values to more restrictive values
t1112
t1562
t1562.001
windows
sigma
since the content of the files is unknown, false positives are expected
t1105
t1218
windows
sigma
since the imageload event doesn't have enough information in this case, it's better to look at the recent process creation events that spawned the wmic process and investigate the command line and parent/child processes to get more insights
t1220
windows
sigma
smart card enrollment
windows
sigma
software companies that bundle paexec with their software and rename it, so that it is less embarrassing
t1202
windows
sigma
software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing
t1587
t1587.001
windows
sigma
software installation
t1053
t1053.005
t1543
t1543.003
windows
sigma
software installation iso files
t1566
t1566.001
windows
sigma
software installations
t1562
t1562.004
windows
sigma
software installations and removal
t1562
t1562.004
windows
sigma
software installers
t1564
t1564.004
windows
sigma
software installers downloaded and used by users
t1547
t1547.001
windows
sigma
software installers that pull packages from remote systems and execute them
t1059
t1059.001
windows
sigma
software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
t1053
t1053.005
windows
sigma
software that illegally integrates megasync in a renamed form
t1218
windows
sigma
software that uses the appdata folder and scheduled tasks to update the software in the appdata folders
t1053
t1053.005
windows
sigma
software that uses the caret encased keywords pass and user in its command line
t1110
t1110.001
windows
sigma
software using weird folders for updates
t1547
t1547.001
windows
sigma
some administrative powershell or vb scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
windows
sigma
some build frameworks
t1496
windows
sigma
some crashes can occur sometimes and the event doesn't provide enough information to tune out these cases. manual exception is required
t1562
t1562.001
windows
sigma
some false positives are expected from tools with similar command line flags.
windows
sigma
some false positives are expected in some environments that may use this functionality to install and test their custom applications
t1059
windows
sigma
some false positives are to be expected from uninstallers.
windows
sigma
some false positives could occur with the admin or guest account. it depends on the scripts being used by the admins in your env. if you experience a lot of fp you could reduce the level to medium
t1560
t1560.001
windows
sigma
some false positives may arise in some environments and this may require some tuning. add additional filters or reduce level depending on the level of noise
t1059
t1059.001
t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
windows
sigma
some false positives may occur with admin scripts that set wt settings.
t1547
t1547.015
windows
sigma
some false positives may occur with legitimate renamed process explorer binaries
t1068
windows
sigma
some false positives may occur with legitimate renamed process monitor binaries
t1068
windows
sigma
some false positives may occur with other tools with similar commandlines
t1090
t1090.001
windows
sigma
some false positives might occur with admin or third party software scripts. investigate and apply additional filters accordingly.
windows
sigma
some false positives might occur with binaries downloaded via github
t1564
t1564.004
windows
sigma
some fp could occur with similar tools that use the same command line '--set-password'
t1219
windows
sigma
some fp may occur when the feature is disabled by the av itself, you should always investigate if the action was legitimate
t1562
t1562.001
windows
sigma
some installers located in the temp directory might communicate with the github domains in order to download additional software. baseline these cases or move the github domain to a lower level hunting rule.
t1105
windows
sigma
some installers may trigger some false positives
t1574
t1574.001
t1574.002
windows
sigma
some installers might execute "regsvr32" with dlls located in %temp% or in %programdata%. apply additional filters if necessary.
t1218
t1218.010
windows
sigma
some installers might generate a similar behavior. an initial baseline is required
t1059
t1059.005
t1059.007
windows
sigma
some installers were seen using this method of creation unfortunately. filter them in your environment
t1053
t1053.005
windows
sigma
some legitimate apps use this, but limited.
t1036
t1036.003
t1197
windows
sigma
some legitimate windows services
t1218
t1218.010
windows
sigma
some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. usage by non-engineers and ordinary users is unusual.
t1033
windows
elastic
some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
t1112
windows
sigma
some powershell installers were seen using similar combinations. apply filters accordingly
t1059
windows
sigma
some rare backup scenarios
t1003
t1003.002
windows
sigma
some security products seem to spawn these
t1036
t1036.003
t1036.005
windows
sigma
some software piracy tools (key generators, cracks) are classified as hack tools
t1588
windows
sigma
some taskmgr.exe related activity
t1003
t1003.001
windows
sigma
some tuning is required for other general purpose directories of third party apps
t1036
t1036.007
windows
sigma
some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
t1204
t1204.002
windows
sigma
standard domain users who are part of the administrator group. these users shouldn't have these rights, but in the case where it's necessary they should be filtered out using the "targetusername" field
windows
sigma
static format arguments - https://petri.com/command-line-wmi-part-3
t1220
windows
sigma
synchronization of templates
t1137
windows
sigma
synergy software kvm (https://symless.com/synergy)
t1090
windows
sigma
system administrator activities
t1486
t1564
t1564.002
t1565
windows
aws
sigma
system administrator creating powershell profile manually
t1546
t1546.013
windows
sigma
system administrator usage
t1069
t1069.001
t1218
t1485
t1548
t1548.002
windows
sigma
system administrators managing certificates.
t1552
t1552.004
windows
sigma
system informer is regularly used legitimately by system administrators or developers. apply additional filters accordingly
t1082
t1543
t1564
windows
sigma
system processes copied outside their default folders for testing purposes
t1036
t1036.005
windows
sigma
system provisioning (system reset before the golden image creation)
t1070
t1070.001
windows
sigma
systems with names equal to the spoofed ones used by the brute force tools
t1110
windows
sigma
the activity may be legitimate. for this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. if your local administrator group name is not "administrators", this search may generate an excessive number of false positives
t1136
t1136.001
windows
splunk
the activity may be legitimate. other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
t1003
t1003.001
windows
splunk
the activity may be legitimate. powershell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. in these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.
t1003.001
windows
splunk
the build engine is commonly used by windows developers but use by non-engineers is unusual.
t1003
t1036
t1055
t1059
t1127
t1555
windows
elastic
the canon myprinter folder 'c:\program files\canon\myprinter\' is known to contain the 'log.dll' file
t1574
t1574.001
t1574.002
windows
sigma
the command wmic os get lastbootuptime loads vbscript.dll
t1220
windows
sigma
the command wmic os get locale loads vbscript.dll
t1220
windows
sigma
the event doesn't contain information about the type of change. false positives are expected with legitimate changes
windows
sigma
the html help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the help viewer. this is not always malicious, but adversaries may abuse this technology to conceal malicious code.
t1204
t1218
windows
elastic
the installation of new screen savers by third party software
t1218
t1218.011
windows
sigma
the old auditpol utility isn't available by default on recent versions of windows as it was replaced by a newer version. the fp rate should be very low except for tools that use a similar flag structure
t1562
t1562.002
windows
sigma
the process spawned by vsjitdebugger.exe is uncommon.
t1218
windows
sigma
the rule doesn't look for anything suspicious so false positives are expected. if you use one of the tools mentioned, comment it out
t1543
t1543.003
t1569
t1569.002
windows
sigma
the rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
t1218
t1218.008
windows
sigma
the same functionality can be implemented by admin scripts, correlate with name and creator
t1020
windows
sigma
there are many legitimate reasons to stop a service. this rule isn't looking for any suspicious behaviour in particular. filter legitimate activity accordingly
t1489
windows
sigma
there is a relevant set of false positives depending on applications in the environment
t1543
t1543.003
windows
sigma
there are legitimate reasons to export certificates. investigate the activity to determine if it's benign
t1027
windows
sigma
third party antivirus
t1562
t1562.001
windows
sigma
third party rdp tools
t1021
t1021.001
windows
sigma
third party software might bundle specific versions of system dlls.
t1036
t1036.005
windows
sigma
third party software naming their software with the same names as the processes mentioned here
t1036
t1036.005
windows
sigma
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them
t1110
windows
sigma
this event should only fire when an administrator is modifying the audit policy, which should be a rare occurrence once it's set up
windows
sigma
this may have false positives on hosts where virtualbox is legitimately being used for operations
t1564
t1564.006
windows
sigma
this rule doesn't exclude other known tlds such as ".org" or ".net". it's recommended to apply additional filters for software and scripts that leverage the bits service
t1197
windows
sigma
this rule is best put in testing first in order to create a baseline that reflects the data in your environment.
t1055
windows
sigma
this rule is to explore new applications on an endpoint. false positives depend on the organization.
t1204
t1204.002
windows
sigma
this rule isn't looking for any particular binary characteristics, and as legitimate installers and programs were seen embedding hidden binaries in their ads, some false positives are expected from browser processes and similar.
t1564
t1564.004
windows
sigma
this rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/css-exchange/main/security/baselines/baseline_15.2.792.5.csv from microsoft. depending on version, consult https://github.com/microsoft/css-exchange/tree/main/security/baselines to help determine normalcy.
t1190
t1210
windows
elastic
this value is not set by default but could be rarely used by administrators
windows
sigma
this will alert on legitimate macro usage as well, additional tuning is required
t1566
t1566.001
windows
sigma
to be determined
t1003
t1003.003
windows
sigma
tools that use similar command line flags and values
t1110
t1110.002
windows
sigma
tools with similar commandline (very rare)
t1046
t1135
windows
sigma
transferring sensitive files for legitimate administration work by a legitimate administrator
t1003
t1003.001
t1003.002
t1003.003
zeek
windows
sigma
trusted solarwinds child processes. verify process details such as network connections and file writes.
t1059
t1195
windows
elastic
udl files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
t1071
t1218
t1218.011
windows
sigma
unlikely
t1218
t1218.003
windows
sigma
uninstall or manual deletion of legitimate printer driver files. verify the printer file metadata such as manufacturer and signature information.
t1068
windows
elastic
unknown (data set is too small; further testing needed)
t1546
t1546.003
windows
sigma
unknown, as how admins install iis modules may vary from organisation to organisation
t1505
t1505.003
windows
sigma
unknown binary names of teamviewer
t1219
windows
sigma
unknown cases in which werfault accesses lsass.exe
t1003
t1003.001
windows
sigma
unknown how many legitimate software products use that method
t1548
t1548.002
windows
sigma
unknown sub processes of wsreset.exe
t1548
t1548.002
windows
sigma
unknown. feedback welcomed.
t1187
windows
sigma
unlikely
t1003
t1003.001
t1003.002
t1003.004
t1003.005
t1003.006
t1005
t1007
t1008
t1012
t1014
t1016
t1018
t1021
t1021.002
t1021.003
t1021.006
t1027
t1027.005
t1033
t1036
t1036.003
t1036.005
t1036.007
t1041
t1046
t1047
t1048
t1048.001
t1053
t1053.003
t1053.005
t1055
t1055.001
t1056
t1057
t1059
t1059.001
t1059.002
t1059.003
t1068
t1070
t1071
t1071.001
t1071.004
t1078
t1082
t1083
t1087
t1090
t1090.001
t1090.003
t1105
t1106
t1112
t1115
t1123
t1127
t1132
t1132.001
t1133
t1134
t1134.001
t1134.002
t1134.004
t1136
t1136.001
t1136.002
t1137
t1137.002
t1140
t1190
t1202
t1203
t1204
t1210
t1213
t1213.003
t1216
t1218
t1218.001
t1218.008
t1218.010
t1218.011
t1218.013
t1219
t1486
t1489
t1490
t1496
t1498
t1499
t1499.001
t1505
t1505.003
t1526
t1528
t1543
t1543.003
t1546
t1546.008
t1546.015
t1548
t1548.003
t1550
t1550.003
t1552
t1552.004
t1553
t1553.004
t1555
t1556
t1557
t1557.001
t1558
t1558.003
t1562
t1562.001
t1562.002
t1562.010
t1564
t1564.004
t1566
t1569
t1569.002
t1570
t1574
t1574.001
t1574.002
t1586
t1587
t1587.001
t1588
t1588.002
t1590
t1590.001
t1590.002
t1620
t1649
windows
opencanary
okta
m365
azure
bitbucket
macos
linux
sigma
unlikely (at.exe deprecated as of windows 8)
t1053
t1053.002
windows
sigma
unlikely but if you experience fps add specific processes and locations you would like to monitor for
windows
sigma
unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the url accessed.
t1204
t1204.002
windows
sigma
unlikely in production environment
windows
sigma
unlikely, because no one should dump an lsass process memory
t1003
t1003.001
t1036
windows
sigma
unlikely, because no sane admin pings ip addresses in a hexadecimal form
t1027
t1140
windows
sigma
unlikely, but can rarely occur. apply additional filters accordingly.
t1218
t1218.010
windows
sigma
unlikely, there could be conferencing software running from a temp folder accessing the devices
t1123
t1125
windows
sigma
update the excluded named pipe to filter out any newly observed legit named pipe
t1021
t1021.002
zeek
windows
sigma
usage of chrome extensions in testing tools such as burpsuite will trigger this alert
t1176
windows
sigma
use of get-command and get-help modules to reference invoke-webrequest and start-bitstransfer.
t1059
t1059.001
windows
sigma
use of program compatibility troubleshooter helper
t1218
t1218.011
windows
sigma
used by microsoft sql server management studio
t1059
t1059.001
windows
sigma
used by some .net binaries, minimal on user workstation.
t1059
t1059.001
windows
sigma
user accounts can be used as service accounts and have their password set never to expire. this is a bad security practice that exposes the account to credential access attacks. for cases in which user accounts cannot be avoided, microsoft provides the group managed service accounts (gmsa) feature, which ensures that the account password is robust and changed regularly and automatically.
t1098
windows
elastic
user genuinely creates a vb macro for their email
t1008
t1137
t1546
windows
sigma
user using a disabled account
t1078
windows
sigma
users allowed to perform these modifications (user found in field subjectusername)
t1484
t1484.001
windows
sigma
users that debug microsoft intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
t1587
t1587.001
windows
sigma
users working with these data types or exchanging message files
t1039
zeek
windows
sigma
utilization of this tool should not be seen in enterprise environments
t1027
t1027.004
windows
sigma
valid dc sync that is not covered by the filters; please report
t1003
t1003.006
windows
sigma
valid on domain controllers; exclude known dcs
t1207
windows
sigma
valid user connecting using rdp
t1003
t1003.001
windows
sigma
valid user was not added to rdp group
t1021
t1021.001
windows
sigma
very common in environments that rely heavily on macro documents
t1566
t1566.001
windows
sigma
very likely, including launching cmd.exe via run as administrator
t1202
windows
sigma
very possible
t1564
t1564.004
windows
sigma
very special / sneaky powershell scripts
t1059
t1059.001
windows
sigma
very unlikely
t1003
t1003.001
windows
sigma
viberpc updater calls this binary with the following commandline "ie4uinit.exe -cleariconcache"
t1218
windows
sigma
web browsers and third party application might generate similar activity. an initial baseline is required.
t1550
t1550.003
t1558
t1558.003
windows
sigma
websense endpoint using the pipe name "dsernamepipe(r|w)\d{1,5}"
t1055
windows
sigma
weird admins that rename their tools
t1202
t1587
t1587.001
windows
sigma
werfault.exe will legitimately spawn when dns.exe crashes, but the dns service is very stable and so this is a low occurring event. denial of service (dos) attempts by intentionally crashing the service will also cause werfault.exe to spawn.
t1210
windows
elastic
when cmd.exe and xcopy.exe are called directly
t1036
t1036.003
windows
sigma
when executed with the "-s" flag, paexec will copy itself to the "c:\windows\" directory with a different name, usually like "paexec-[xxxxx]-[computername]"
t1202
windows
sigma
when the command contains the keywords but not in the correct order
t1036
t1036.003
windows
sigma
whenever someone receives an rdp file as an email attachment and decides to save or open it right from the attachments
windows
sigma
while process hacker is sometimes used by legitimate administrators, the execution of process hacker must be investigated and allowed on a case by case basis
t1543
t1564
t1622
windows
sigma
while the file extensions in question can be suspicious at times, it's best to add filters according to your environment to avoid a large number of false positives
t1197
windows
sigma
windows defender atp
t1027
t1059
t1059.001
windows
sigma
windows domains with dfl 2003 and legacy systems
t1558
t1558.003
windows
sigma
windows error reporting might produce similar behavior. in that case, check the pid associated with the "-p" parameter in the commandline.
t1003
t1003.001
windows
sigma
windows firewall can be disabled by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. windows profile being disabled by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
t1059
t1562
windows
elastic
windows installed on non-c drive
t1574
t1574.002
windows
sigma
windowsapps installing updates via the quiet flag
t1218
t1218.007
windows
sigma
windowsapps located in "c:\program files\windowsapps\"
t1548
t1548.002
windows
sigma
winrm
t1047
t1059
t1059.001
windows
sigma
winrm is a dual-use protocol that can be used for benign or malicious activity. it's important to baseline your environment to determine the amount of noise to expect from this tool.
t1021
windows
elastic
wmic.exe fp depend on scripts and administrative methods used in the monitored environment.
t1220
windows
sigma
wsl (windows subsystem for linux)
t1021
t1021.001
windows
sigma
wsl2 network bridge powershell script used for wsl/kubernetes/docker (e.g. https://github.com/microsoft/wsl/issues/4150#issuecomment-504209723)
t1090
windows
sigma
you may have to tune certain domains out that excel may call out to, such as microsoft or other business use case domains.
t1203
windows
sigma