Techniques
- t1003
- t1003.001
- t1003.002
- t1003.004
- t1003.005
- t1003.006
- t1005
- t1007
- t1008
- t1012
- t1014
- t1016
- t1018
- t1021
- t1021.002
- t1021.003
- t1021.006
- t1027
- t1027.005
- t1033
- t1036
- t1036.003
- t1036.007
- t1041
- t1046
- t1047
- t1048
- t1048.001
- t1053
- t1053.003
- t1053.005
- t1055
- t1055.001
- t1056
- t1057
- t1059
- t1059.001
- t1059.002
- t1059.003
- t1068
- t1070
- t1071
- t1071.001
- t1071.004
- t1078
- t1082
- t1083
- t1087
- t1090
- t1090.001
- t1090.003
- t1105
- t1106
- t1112
- t1115
- t1123
- t1127
- t1132
- t1132.001
- t1133
- t1134
- t1134.001
- t1134.002
- t1134.004
- t1136
- t1136.001
- t1136.002
- t1137
- t1137.002
- t1140
- t1190
- t1203
- t1204
- t1210
- t1213
- t1213.003
- t1216
- t1218
- t1218.008
- t1218.010
- t1218.011
- t1218.013
- t1219
- t1486
- t1489
- t1490
- t1496
- t1498
- t1499
- t1499.001
- t1505
- t1505.003
- t1526
- t1528
- t1543
- t1543.003
- t1546
- t1546.008
- t1548
- t1548.003
- t1550
- t1550.003
- t1552
- t1553
- t1553.004
- t1555
- t1556
- t1557
- t1557.001
- t1558
- t1558.003
- t1562
- t1562.001
- t1562.002
- t1562.010
- t1564
- t1564.004
- t1566
- t1569
- t1569.002
- t1570
- t1574
- t1574.001
- t1574.002
- t1586
- t1587
- t1587.001
- t1588
- t1588.002
- t1590
- t1590.001
- t1590.002
- t1620
- t1649
Sample rules
Antivirus Password Dumper Detection
- source: sigma
- technicques:
- t1003
- t1003.001
- t1003.002
- t1558
Description
Detects a highly relevant Antivirus alert that reports a password dumper
Detection logic
condition: selection
selection:
- Signature|startswith: PWS
- Signature|contains:
- DumpCreds
- Mimikatz
- PWCrack
- HTool/WCE
- PSWTool
- PWDump
- SecurityTool
- PShlSpy
- Rubeus
- Kekeo
- LsassDump
- Outflank
- DumpLsass
- SharpDump
- PWSX
- PWS.
Antivirus Web Shell Detection
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects a highly relevant Antivirus alert that reports a web shell. It’s highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.
Detection logic
condition: selection
selection:
- Signature|startswith:
- PHP.
- JSP.
- ASP.
- Perl.
- VBS/Uxor
- IIS/BackDoor
- JAVA/Backdoor
- Troj/ASP
- Troj/PHP
- Troj/JSP
- Signature|contains:
- Webshell
- Chopper
- SinoChoper
- ASPXSpy
- Aspdoor
- filebrowser
- PHP_
- JSP_
- ASP_
- 'PHP:'
- 'JSP:'
- 'ASP:'
- 'Perl:'
- PHP/
- JSP/
- ASP/
- Perl/
- PHPShell
- Trojan.PHP
- Trojan.ASP
- Trojan.JSP
- Trojan.VBS
- PHP/Agent
- ASP/Agent
- JSP/Agent
- VBS/Agent
- Backdoor/PHP
- Backdoor/JSP
- Backdoor/ASP
- Backdoor/VBS
- Backdoor/Java
- PHP.Agent
- ASP.Agent
- JSP.Agent
- VBS.Agent
- Backdoor.PHP
- Backdoor.JSP
- Backdoor.ASP
- Backdoor.VBS
- Backdoor.Java
- PShlSpy
- C99shell
Antivirus Relevant File Paths Alerts
- source: sigma
- technicques:
- t1588
Description
Detects an Antivirus alert in a highly relevant file path or with a relevant file name
Detection logic
condition: 1 of selection_*
selection_ext:
Filename|endswith:
- .asax
- .ashx
- .asmx
- .asp
- .aspx
- .bat
- .cfm
- .cgi
- .chm
- .cmd
- .dat
- .ear
- .gif
- .hta
- .jpeg
- .jpg
- .jsp
- .jspx
- .lnk
- .php
- .pl
- .png
- .ps1
- .psm1
- .py
- .pyc
- .rb
- .scf
- .sct
- .sh
- .svg
- .txt
- .vbe
- .vbs
- .war
- .wsf
- .wsh
- .xml
selection_path:
Filename|contains:
- :\Windows\
- :\Temp\
- :\PerfLogs\
- :\Users\Public\
- :\Users\Default\
- \Client\
- \tsclient\
- \inetpub\
- /www/
- apache
- tomcat
- nginx
- weblogic
Antivirus Hacktool Detection
- source: sigma
- technicques:
- t1204
Description
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
Detection logic
condition: selection
selection:
- Signature|startswith:
- HTOOL
- HKTL
- SecurityTool
- Adfind
- ATK/
- Exploit.Script.CVE
- PWS.
- PWSX
- Signature|contains:
- Hacktool
- ATK/
- Potato
- Rozena
- Sbelt
- Seatbelt
- SecurityTool
- SharpDump
- Sliver
- Splinter
- Swrort
- Impacket
- Koadic
- Lazagne
- Metasploit
- Meterpreter
- MeteTool
- Mimikatz
- Mpreter
- Nighthawk
- PentestPowerShell
- PowerSploit
- PowerSSH
- PshlSpy
- PSWTool
- PWCrack
- Brutel
- BruteR
- Cobalt
- COBEACON
- Cometer
- DumpCreds
- FastReverseProxy
- PWDump
Antivirus Exploitation Framework Detection
- source: sigma
- technicques:
- t1203
- t1219
Description
Detects a highly relevant Antivirus alert that reports an exploitation framework
Detection logic
condition: selection
selection:
Signature|contains:
- MeteTool
- MPreter
- Meterpreter
- Metasploit
- PowerSploit
- CobaltStrike
- BruteR
- Brutel
- Swrort
- Rozena
- Backdoor.Cobalt
- CobaltStr
- COBEACON
- Cometer
- Razy
- IISExchgSpawnCMD
- Exploit.Script.CVE
- Seatbelt
- Sbelt
- Sliver
Antivirus Ransomware Detection
- source: sigma
- technicques:
- t1486
Description
Detects a highly relevant Antivirus alert that reports ransomware
Detection logic
condition: selection
selection:
Signature|contains:
- Ransom
- Cryptor
- Crypter
- CRYPTES
- GandCrab
- BlackWorm
- Phobos
- Destructor
- Filecoder
- GrandCrab
- Krypt
- Locker
- Ryuk
- Ryzerlo
- Tescrypt
- TeslaCrypt
HackTool - BabyShark Agent Default URL Pattern
- source: sigma
- technicques:
- t1071
- t1071.001
Description
Detects Baby Shark C2 Framework default communication patterns
Detection logic
condition: selection
selection:
c-uri|contains: momyshark\?key=
Bitbucket Unauthorized Full Data Export Triggered
- source: sigma
- technicques:
- t1213
- t1213.003
- t1586
Description
Detects when full data export is attempted an unauthorized user.
Detection logic
condition: selection
selection:
auditType.action: Unauthorized full data export triggered
auditType.category: Data pipeline
Increased Failed Authentications Of Any Type
- source: sigma
- technicques:
- t1078
Description
Detects when sign-ins increased by 10% or greater.
Detection logic
condition: selection
selection:
Count: <10%
Status: failure
Disabling Multi Factor Authentication
- source: sigma
- technicques:
- t1556
Description
Detects disabling of Multi Factor Authentication.
Detection logic
condition: selection
selection:
Operation|contains: Disable Strong Authentication.
Okta FastPass Phishing Detection
- source: sigma
- technicques:
- t1566
Description
Detects when Okta FastPass prevents a known phishing site.
Detection logic
condition: selection
selection:
eventtype: user.authentication.auth_via_mfa
outcome.reason: FastPass declined phishing attempt
outcome.result: FAILURE
Potential Okta Password in AlternateID Field
- source: sigma
- technicques:
- t1552
Description
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Detection logic
condition: selection and not filter_main
filter_main:
actor.alternateid|re: (^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})
selection:
legacyeventtype: core.user_auth.login_failed
Clipboard Data Collection Via OSAScript
- source: sigma
- technicques:
- t1059
- t1059.002
- t1115
Description
Detects possible collection of data from the clipboard via execution of the osascript binary
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- osascript
- ' -e '
- clipboard
Equation Editor Network Connection
- source: sigma
- technicques:
- t1203
Description
Detects network connections from Equation Editor
Detection logic
condition: selection
selection:
Image|endswith: \eqnedt32.exe
Network Communication With Crypto Mining Pool
- source: sigma
- technicques:
- t1496
Description
Detects initiated network connections to crypto mining pools
Detection logic
condition: selection
selection:
DestinationHostname:
- alimabi.cn
- ap.luckpool.net
- bcn.pool.minergate.com
- bcn.vip.pool.minergate.com
- bohemianpool.com
- ca-aipg.miningocean.org
- ca-dynex.miningocean.org
- ca-neurai.miningocean.org
- ca-qrl.miningocean.org
- ca-upx.miningocean.org
- ca-zephyr.miningocean.org
- ca.minexmr.com
- ca.monero.herominers.com
- cbd.monerpool.org
- cbdv2.monerpool.org
- cryptmonero.com
- crypto-pool.fr
- crypto-pool.info
- cryptonight-hub.miningpoolhub.com
- d1pool.ddns.net
- d5pool.us
- daili01.monerpool.org
- de-aipg.miningocean.org
- de-dynex.miningocean.org
- de-zephyr.miningocean.org
- de.minexmr.com
- dl.nbminer.com
- donate.graef.in
- donate.ssl.xmrig.com
- donate.v2.xmrig.com
- donate.xmrig.com
- donate2.graef.in
- drill.moneroworld.com
- dwarfpool.com
- emercoin.com
- emercoin.net
- emergate.net
- ethereumpool.co
- eu.luckpool.net
- eu.minerpool.pw
- fcn-xmr.pool.minergate.com
- fee.xmrig.com
- fr-aipg.miningocean.org
- fr-dynex.miningocean.org
- fr-neurai.miningocean.org
- fr-qrl.miningocean.org
- fr-upx.miningocean.org
- fr-zephyr.miningocean.org
- fr.minexmr.com
- hellominer.com
- herominers.com
- hk-aipg.miningocean.org
- hk-dynex.miningocean.org
- hk-neurai.miningocean.org
- hk-qrl.miningocean.org
- hk-upx.miningocean.org
- hk-zephyr.miningocean.org
- huadong1-aeon.ppxxmr.com
- iwanttoearn.money
- jw-js1.ppxxmr.com
- koto-pool.work
- lhr.nbminer.com
- lhr3.nbminer.com
- linux.monerpool.org
- lokiturtle.herominers.com
- luckpool.net
- masari.miner.rocks
- mine.c3pool.com
- mine.moneropool.com
- mine.ppxxmr.com
- mine.zpool.ca
- mine1.ppxxmr.com
- minemonero.gq
- miner.ppxxmr.com
- miner.rocks
- minercircle.com
- minergate.com
- minerpool.pw
- minerrocks.com
- miners.pro
- minerxmr.ru
- minexmr.cn
- minexmr.com
- mining-help.ru
- miningpoolhub.com
- mixpools.org
- moner.monerpool.org
- moner1min.monerpool.org
- monero-master.crypto-pool.fr
- monero.crypto-pool.fr
- monero.hashvault.pro
- monero.herominers.com
- monero.lindon-pool.win
- monero.miners.pro
- monero.riefly.id
- monero.us.to
- monerocean.stream
- monerogb.com
- monerohash.com
- moneroocean.stream
- moneropool.com
- moneropool.nl
- monerorx.com
- monerpool.org
- moriaxmr.com
- mro.pool.minergate.com
- multipool.us
- myxmr.pw
- na.luckpool.net
- nanopool.org
- nbminer.com
- node3.luckpool.net
- noobxmr.com
- pangolinminer.comgandalph3000.com
- pool.4i7i.com
- pool.armornetwork.org
- pool.cortins.tk
- pool.gntl.co.uk
- pool.hashvault.pro
- pool.minergate.com
- pool.minexmr.com
- pool.monero.hashvault.pro
- pool.ppxxmr.com
- pool.somec.cc
- pool.support
- pool.supportxmr.com
- pool.usa-138.com
- pool.xmr.pt
- pool.xmrfast.com
- pool2.armornetwork.org
- poolchange.ppxxmr.com
- pooldd.com
- poolmining.org
- poolto.be
- ppxvip1.ppxxmr.com
- ppxxmr.com
- prohash.net
- r.twotouchauthentication.online
- randomx.xmrig.com
- ratchetmining.com
- seed.emercoin.com
- seed.emercoin.net
- seed.emergate.net
- seed1.joulecoin.org
- seed2.joulecoin.org
- seed3.joulecoin.org
- seed4.joulecoin.org
- seed5.joulecoin.org
- seed6.joulecoin.org
- seed7.joulecoin.org
- seed8.joulecoin.org
- sg-aipg.miningocean.org
- sg-dynex.miningocean.org
- sg-neurai.miningocean.org
- sg-qrl.miningocean.org
- sg-upx.miningocean.org
- sg-zephyr.miningocean.org
- sg.minexmr.com
- sheepman.mine.bz
- siamining.com
- sumokoin.minerrocks.com
- supportxmr.com
- suprnova.cc
- teracycle.net
- trtl.cnpool.cc
- trtl.pool.mine2gether.com
- turtle.miner.rocks
- us-aipg.miningocean.org
- us-dynex.miningocean.org
- us-neurai.miningocean.org
- us-west.minexmr.com
- us-zephyr.miningocean.org
- usxmrpool.com
- viaxmr.com
- webservicepag.webhop.net
- xiazai.monerpool.org
- xiazai1.monerpool.org
- xmc.pool.minergate.com
- xmo.pool.minergate.com
- xmr-asia1.nanopool.org
- xmr-au1.nanopool.org
- xmr-eu1.nanopool.org
- xmr-eu2.nanopool.org
- xmr-jp1.nanopool.org
- xmr-us-east1.nanopool.org
- xmr-us-west1.nanopool.org
- xmr-us.suprnova.cc
- xmr-usa.dwarfpool.com
- xmr.2miners.com
- xmr.5b6b7b.ru
- xmr.alimabi.cn
- xmr.bohemianpool.com
- xmr.crypto-pool.fr
- xmr.crypto-pool.info
- xmr.f2pool.com
- xmr.hashcity.org
- xmr.hex7e4.ru
- xmr.ip28.net
- xmr.monerpool.org
- xmr.mypool.online
- xmr.nanopool.org
- xmr.pool.gntl.co.uk
- xmr.pool.minergate.com
- xmr.poolto.be
- xmr.ppxxmr.com
- xmr.prohash.net
- xmr.simka.pw
- xmr.somec.cc
- xmr.suprnova.cc
- xmr.usa-138.com
- xmr.vip.pool.minergate.com
- xmr1min.monerpool.org
- xmrf.520fjh.org
- xmrf.fjhan.club
- xmrfast.com
- xmrigcc.graef.in
- xmrminer.cc
- xmrpool.de
- xmrpool.eu
- xmrpool.me
- xmrpool.net
- xmrpool.xyz
- xx11m.monerpool.org
- xx11mv2.monerpool.org
- xxx.hex7e4.ru
- zarabotaibitok.ru
- zer0day.ru
HackTool - EDRSilencer Execution
- source: sigma
- technicques:
- t1562
Description
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
Detection logic
condition: selection
selection:
- Image|endswith: \EDRSilencer.exe
- OriginalFileName: EDRSilencer.exe
- Description|contains: EDRSilencer
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
- source: sigma
- technicques:
- t1218
- t1218.011
Description
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Detection logic
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_edge_update:
ParentImage|contains|all:
- :\Users\
- \AppData\Local\Microsoft\EdgeUpdate\Install\{
filter_optional_chrome_installer:
CommandLine|endswith: rundll32.exe
Image|endswith: \rundll32.exe
ParentCommandLine|contains: --uninstall --channel=stable
ParentImage|contains|all:
- :\Users\
- \AppData\Local\Google\Chrome\Application\
ParentImage|endswith: \Installer\setup.exe
selection_regasm:
CommandLine|endswith: regasm.exe
Image|endswith: \regasm.exe
selection_regsvcs:
CommandLine|endswith: regsvcs.exe
Image|endswith: \regsvcs.exe
selection_regsvr32:
CommandLine|endswith: regsvr32.exe
Image|endswith: \regsvr32.exe
selection_rundll32:
CommandLine|endswith: rundll32.exe
Image|endswith: \rundll32.exe
selection_werfault:
CommandLine|endswith: WerFault.exe
Image|endswith: \WerFault.exe
HackTool - Quarks PwDump Execution
- source: sigma
- technicques:
- t1003
- t1003.002
Description
Detects usage of the Quarks PwDump tool via commandline arguments
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine:
- ' -dhl'
- ' --dump-hash-local'
- ' -dhdc'
- ' --dump-hash-domain-cached'
- ' --dump-bitlocker'
- ' -dhd '
- ' --dump-hash-domain '
- --ntds-file
selection_img:
Image|endswith: \QuarksPwDump.exe
Sysinternals PsSuspend Suspicious Execution
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: msmpeng.exe
selection_img:
- OriginalFileName: pssuspend.exe
- Image|endswith:
- \pssuspend.exe
- \pssuspend64.exe
HackTool - SecurityXploded Execution
- source: sigma
- technicques:
- t1555
Description
Detects the execution of SecurityXploded Tools
Detection logic
condition: selection
selection:
- Company: SecurityXploded
- Image|endswith: PasswordDump.exe
- OriginalFileName|endswith: PasswordDump.exe
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
- source: sigma
- technicques:
Description
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_uninstall:
CommandLine|contains:
- ' --remove'
- ' --uninstall'
selection_img:
- Image|endswith: \AnyDesk.exe
- Description: AnyDesk
- Product: AnyDesk
- Company: AnyDesk Software GmbH
selection_version:
FileVersion|startswith:
- 7.0.
- 7.1.
- 8.0.1
- 8.0.2
- 8.0.3
- 8.0.4
- 8.0.5
- 8.0.6
- 8.0.7
Potential Arbitrary Code Execution Via Node.EXE
- source: sigma
- technicques:
- t1127
Description
Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe…etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks…etc
Detection logic
action_reverse_shell:
CommandLine|contains|all:
- .exec(
- net.socket
- .connect
- child_process
condition: selection and 1 of action_*
selection:
CommandLine|contains:
- ' -e '
- ' --eval '
Image|endswith: \node.exe
HackTool - PowerTool Execution
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
Detection logic
condition: selection
selection:
- Image|endswith:
- \PowerTool.exe
- \PowerTool64.exe
- OriginalFileName: PowerTool.exe
Execute Pcwrun.EXE To Leverage Follina
- source: sigma
- technicques:
- t1218
Description
Detects indirect command execution via Program Compatibility Assistant “pcwrun.exe” leveraging the follina (CVE-2022-30190) vulnerability
Detection logic
condition: selection
selection:
CommandLine|contains: ../
Image|endswith: \pcwrun.exe
HackTool - DInjector PowerShell Cradle Execution
- source: sigma
- technicques:
- t1055
Description
Detects the use of the Dinject PowerShell cradle based on the specific flags
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' /am51'
- ' /password'
Base64 MZ Header In CommandLine
- source: sigma
- technicques:
Description
Detects encoded base64 MZ header in the commandline
Detection logic
condition: selection
selection:
CommandLine|contains:
- TVqQAAMAAAAEAAAA
- TVpQAAIAAAAEAA8A
- TVqAAAEAAAAEABAA
- TVoAAAAAAAAAAAAA
- TVpTAQEAAAAEAAAA
PowerShell Base64 Encoded Reflective Assembly Load
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
- t1620
Description
Detects base64 encoded .NET reflective loading of Assembly
Detection logic
condition: selection
selection:
CommandLine|contains:
- WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA
- sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA
- bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA
- AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC
- BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp
- AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK
- WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ
- sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA
- bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA
- WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA
- sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA
- bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA
Potential PowerShell Obfuscation Via Reversed Commands
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_encoded_keyword:
CommandLine|contains:
- ' -EncodedCommand '
- ' -enc '
selection_cli:
CommandLine|contains:
- hctac
- kaerb
- dnammoc
- ekovn
- eliFd
- rahc
- etirw
- golon
- tninon
- eddih
- tpircS
- ssecorp
- llehsrewop
- esnopser
- daolnwod
- tneilCbeW
- tneilc
- ptth
- elifotevas
- 46esab
- htaPpmeTteG
- tcejbO
- maerts
- hcaerof
- retupmoc
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
Mshtml.DLL RunHTMLApplication Suspicious Usage
- source: sigma
- technicques:
Description
Detects execution of commands that leverage the “mshtml.dll” RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http…)
Detection logic
condition: selection
selection:
CommandLine|contains:
- '#135'
- RunHTMLApplication
CommandLine|contains|all:
- \..\
- mshtml
Renamed Mavinject.EXE Execution
- source: sigma
- technicques:
- t1055
- t1055.001
- t1218
- t1218.013
Description
Detects the execution of a renamed version of the “Mavinject” process. Which can be abused to perform process injection using the “/INJECTRUNNING” flag
Detection logic
condition: selection and not filter
filter:
Image|endswith:
- \mavinject32.exe
- \mavinject64.exe
selection:
OriginalFileName:
- mavinject32.exe
- mavinject64.exe
DNS Exfiltration and Tunneling Tools Execution
- source: sigma
- technicques:
- t1048
- t1048.001
- t1071
- t1071.004
- t1132
- t1132.001
Description
Well-known DNS Exfiltration tools execution
Detection logic
condition: selection
selection:
- Image|endswith: \iodine.exe
- Image|contains: \dnscat2
Security Service Disabled Via Reg.EXE
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects execution of “reg.exe” to disable security services such as Windows Defender.
Detection logic
condition: selection_reg_add and 1 of selection_cli_*
selection_cli_reg_start:
CommandLine|contains:
- \AppIDSvc
- \MsMpSvc
- \NisSrv
- \SecurityHealthService
- \Sense
- \UsoSvc
- \WdBoot
- \WdFilter
- \WdNisDrv
- \WdNisSvc
- \WinDefend
- \wscsvc
- \wuauserv
CommandLine|contains|all:
- d 4
- v Start
selection_reg_add:
CommandLine|contains|all:
- reg
- add
Suspicious Certreq Command to Download
- source: sigma
- technicques:
- t1105
Description
Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains|all:
- ' -Post '
- ' -config '
- ' http'
- ' C:\windows\win.ini '
selection_img:
- Image|endswith: \certreq.exe
- OriginalFileName: CertReq.exe
Sensitive File Access Via Volume Shadow Copy Backup
- source: sigma
- technicques:
- t1490
Description
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Detection logic
condition: all of selection_*
selection_1:
CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy
selection_2:
CommandLine|contains:
- \\NTDS.dit
- \\SYSTEM
- \\SECURITY
SafeBoot Registry Key Deleted Via Reg.EXE
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects execution of “reg.exe” commands with the “delete” flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
Detection logic
condition: all of selection_*
selection_delete:
CommandLine|contains|all:
- ' delete '
- \SYSTEM\CurrentControlSet\Control\SafeBoot
selection_img:
- Image|endswith: reg.exe
- OriginalFileName: reg.exe
Root Certificate Installed From Susp Locations
- source: sigma
- technicques:
- t1553
- t1553.004
Description
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detection logic
condition: selection
selection:
CommandLine|contains:
- \AppData\Local\Temp\
- :\Windows\TEMP\
- \Desktop\
- \Downloads\
- \Perflogs\
- :\Users\Public\
CommandLine|contains|all:
- Import-Certificate
- ' -FilePath '
- Cert:\LocalMachine\Root
HackTool - PurpleSharp Execution
- source: sigma
- technicques:
- t1587
Description
Detects the execution of the PurpleSharp adversary simulation tool
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine|contains:
- xyz123456.exe
- PurpleSharp
selection_img:
- Image|contains: \purplesharp
- OriginalFileName: PurpleSharp.exe
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- source: sigma
- technicques:
- t1027
- t1059
- t1059.001
Description
Detects suspicious base64 encoded and obfuscated “LOAD” keyword used in .NET “reflection.assembly”
Detection logic
condition: selection
selection:
CommandLine|contains:
- OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ
- oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA
- 6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA
- OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ
- oAOgAoACIATABvACIAKwAiAGEAZAAiACkA
- 6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA
- OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ
- oAOgAoACIATABvAGEAIgArACIAZAAiACkA
- 6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA
- OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ
- oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA
- 6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA
- OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ
- oAOgAoACcATABvACcAKwAnAGEAZAAnACkA
- 6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA
- OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ
- oAOgAoACcATABvAGEAJwArACcAZAAnACkA
- 6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA
Service Registry Key Deleted Via Reg.EXE
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects execution of “reg.exe” commands with the “delete” flag on services registry key. Often used by attacker to remove AV software services
Detection logic
condition: all of selection_*
selection_delete:
CommandLine|contains: ' delete '
selection_img:
- Image|endswith: reg.exe
- OriginalFileName: reg.exe
selection_key:
CommandLine|contains: \SYSTEM\CurrentControlSet\services\
HackTool - ADCSPwn Execution
- source: sigma
- technicques:
- t1557
- t1557.001
Description
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' --adcs '
- ' --port '
HackTool - PCHunter Execution
- source: sigma
- technicques:
- t1007
- t1012
- t1057
- t1082
- t1083
Description
Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
Detection logic
condition: 1 of selection_*
selection_hash_values:
- md5:
- 228dd0c2e6287547e26ffbd973a40f14
- 987b65cd9b9f4e9a1afd8f8b48cf64a7
- sha1:
- 5f1cbc3d99558307bc1250d084fa968521482025
- 3fb89787cb97d902780da080545584d97fb1c2eb
- sha256:
- 2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32
- 55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c
- Imphash:
- 444d210cea1ff8112f256a4997eed7ff
- 0479f44df47cfa2ef1ccc4416a538663
selection_hashes:
Hashes|contains:
- SHA1=5F1CBC3D99558307BC1250D084FA968521482025
- MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7
- SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32
- IMPHASH=444D210CEA1FF8112F256A4997EED7FF
- SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB
- MD5=228DD0C2E6287547E26FFBD973A40F14
- SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C
- IMPHASH=0479F44DF47CFA2EF1CCC4416A538663
selection_image:
Image|endswith:
- \PCHunter64.exe
- \PCHunter32.exe
selection_pe:
- OriginalFileName: PCHunter.exe
- Description: Epoolsoft Windows Information View Tools
Dllhost.EXE Execution Anomaly
- source: sigma
- technicques:
- t1055
Description
Detects a “dllhost” process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_null:
CommandLine: null
selection:
CommandLine:
- dllhost.exe
- dllhost
Image|endswith: \dllhost.exe
DeviceCredentialDeployment Execution
- source: sigma
- technicques:
- t1218
Description
Detects the execution of DeviceCredentialDeployment to hide a process from view
Detection logic
condition: selection
selection:
Image|endswith: \DeviceCredentialDeployment.exe
Webshell Hacking Activity Patterns
- source: sigma
- technicques:
- t1018
- t1033
- t1087
- t1505
- t1505.003
Description
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Detection logic
condition: 1 of selection_webserver_* and 1 of selection_child_*
selection_child_1:
CommandLine|contains|all:
- rundll32
- comsvcs
selection_child_2:
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
CommandLine|contains|all:
- net
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- net
- ' localgroup '
- ' administrators '
- /add
selection_child_5:
Image|endswith:
- \ntdsutil.exe
- \ldifde.exe
- \adfind.exe
- \procdump.exe
- \Nanodump.exe
- \vssadmin.exe
- \fsutil.exe
selection_child_6:
CommandLine|contains:
- ' -decode '
- ' -NoP '
- ' -W Hidden '
- ' /decode '
- ' /ticket:'
- ' sekurlsa'
- .dmp full
- .downloadfile(
- .downloadstring(
- FromBase64String
- process call create
- 'reg save '
- whoami /priv
selection_webserver_characteristics_tomcat1:
ParentImage|contains:
- -tomcat-
- \tomcat
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_characteristics_tomcat2:
CommandLine|contains:
- catalina.jar
- CATALINA_HOME
ParentImage|endswith:
- \java.exe
- \javaw.exe
selection_webserver_image:
ParentImage|endswith:
- \caddy.exe
- \httpd.exe
- \nginx.exe
- \php-cgi.exe
- \w3wp.exe
- \ws_tomcatservice.exe
MMC20 Lateral Movement
- source: sigma
- technicques:
- t1021
- t1021.003
Description
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of “-Embedding” as a child of svchost.exe
Detection logic
condition: selection
selection:
CommandLine|contains: -Embedding
Image|endswith: \mmc.exe
ParentImage|endswith: \svchost.exe
HackTool - KrbRelayUp Execution
- source: sigma
- technicques:
- t1550
- t1550.003
- t1558
- t1558.003
Description
Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
Detection logic
condition: 1 of selection_*
selection_cli_1:
CommandLine|contains|all:
- ' relay '
- ' -Domain '
- ' -ComputerName '
selection_cli_2:
CommandLine|contains|all:
- ' krbscm '
- ' -sc '
selection_cli_3:
CommandLine|contains|all:
- ' spawn '
- ' -d '
- ' -cn '
- ' -cp '
selection_img:
- Image|endswith: \KrbRelayUp.exe
- OriginalFileName: KrbRelayUp.exe
HackTool - LocalPotato Execution
- source: sigma
- technicques:
Description
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Detection logic
condition: 1 of selection_*
selection_cli:
CommandLine|contains|all:
- .exe -i C:\
- -o Windows\
selection_hash_ext:
Imphash:
- E1742EE971D6549E8D4D81115F88F1FC
- DD82066EFBA94D7556EF582F247C8BB5
selection_hash_plain:
Hashes|contains:
- IMPHASH=E1742EE971D6549E8D4D81115F88F1FC
- IMPHASH=DD82066EFBA94D7556EF582F247C8BB5
selection_img:
Image|endswith: \LocalPotato.exe
PUA - Crassus Execution
- source: sigma
- technicques:
- t1590
- t1590.001
Description
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
Detection logic
condition: selection
selection:
- Image|endswith: \Crassus.exe
- OriginalFileName: Crassus.exe
- Description|contains: Crassus
PUA - Seatbelt Execution
- source: sigma
- technicques:
- t1083
- t1087
- t1526
Description
Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
Detection logic
condition: selection_img or all of selection_group_*
selection_group_list:
CommandLine|contains:
- ' -group=misc'
- ' -group=remote'
- ' -group=chromium'
- ' -group=slack'
- ' -group=system'
- ' -group=user'
- ' -group=all'
selection_group_output:
CommandLine|contains: ' -outputfile='
selection_img:
- Image|endswith: \Seatbelt.exe
- OriginalFileName: Seatbelt.exe
- Description: Seatbelt
- CommandLine|contains:
- ' DpapiMasterKeys'
- ' InterestingProcesses'
- ' InterestingFiles'
- ' CertificateThumbprints'
- ' ChromiumBookmarks'
- ' ChromiumHistory'
- ' ChromiumPresence'
- ' CloudCredentials'
- ' CredEnum'
- ' CredGuard'
- ' FirefoxHistory'
- ' ProcessCreationEvents'
Sysmon Driver Unloaded Via Fltmc.EXE
- source: sigma
- technicques:
- t1070
- t1562
- t1562.002
Description
Detects possible Sysmon filter driver unloaded via fltmc.exe
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- unload
- sysmon
selection_img:
- Image|endswith: \fltMC.exe
- OriginalFileName: fltMC.exe
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects command line containing reference to the “::$index_allocation” stream, which can be used as a technique to prevent access to folders or files from tooling such as “explorer.exe” or “powershell.exe”
Detection logic
condition: selection
selection:
CommandLine|contains: ::$index_allocation
ETW Logging Tamper In .NET Processes
- source: sigma
- technicques:
- t1562
Description
Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detection logic
condition: selection
selection:
CommandLine|contains:
- COMPlus_ETWEnabled
- COMPlus_ETWFlags
Sticky Key Like Backdoor Execution
- source: sigma
- technicques:
- t1546
- t1546.008
Description
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Detection logic
condition: selection
selection:
CommandLine|contains:
- sethc.exe
- utilman.exe
- osk.exe
- Magnify.exe
- Narrator.exe
- DisplaySwitch.exe
Image|endswith:
- \cmd.exe
- \cscript.exe
- \mshta.exe
- \powershell.exe
- \pwsh.exe
- \regsvr32.exe
- \rundll32.exe
- \wscript.exe
- \wt.exe
ParentImage|endswith: \winlogon.exe
Execution of Powershell Script in Public Folder
- source: sigma
- technicques:
- t1059
- t1059.001
Description
This rule detects execution of PowerShell scripts located in the “C:\Users\Public” folder
Detection logic
condition: selection
selection:
CommandLine|contains:
- -f C:\Users\Public
- -f "C:\Users\Public
- -f %Public%
- -fi C:\Users\Public
- -fi "C:\Users\Public
- -fi %Public%
- -fil C:\Users\Public
- -fil "C:\Users\Public
- -fil %Public%
- -file C:\Users\Public
- -file "C:\Users\Public
- -file %Public%
Image|endswith:
- \powershell.exe
- \pwsh.exe
New User Created Via Net.EXE With Never Expire Option
- source: sigma
- technicques:
- t1136
- t1136.001
Description
Detects creation of local users via the net.exe command with the option “never expire”
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|all:
- user
- add
- expires:never
selection_img:
- Image|endswith:
- \net.exe
- \net1.exe
- OriginalFileName:
- net.exe
- net1.exe
Suspicious Reg Add BitLocker
- source: sigma
- technicques:
- t1486
Description
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Detection logic
condition: selection
selection:
CommandLine|contains:
- EnableBDEWithNoTPM
- UseAdvancedStartup
- UseTPM
- UseTPMKey
- UseTPMKeyPIN
- RecoveryKeyMessageSource
- UseTPMPIN
- RecoveryKeyMessage
CommandLine|contains|all:
- REG
- ADD
- \SOFTWARE\Policies\Microsoft\FVE
- /v
- /f
Capture Credentials with Rpcping.exe
- source: sigma
- technicques:
- t1003
Description
Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Detection logic
condition: use_rpcping and remote_server and ntlm_auth
ntlm_auth:
- CommandLine|contains|all|windash:
- -u
- NTLM
- CommandLine|contains|all|windash:
- -t
- ncacn_np
remote_server:
CommandLine|contains|windash: -s
use_rpcping:
Image|endswith: \rpcping.exe
DLL Execution via Rasautou.exe
- source: sigma
- technicques:
- t1218
Description
Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
Detection logic
condition: all of selection*
selection_cli:
CommandLine|contains|all:
- ' -d '
- ' -p '
selection_img:
- Image|endswith: \rasautou.exe
- OriginalFileName: rasdlui.exe
Potential Renamed Rundll32 Execution
- source: sigma
- technicques:
Description
Detects when ‘DllRegisterServer’ is called in the commandline and the image is not rundll32. This could mean that the ‘rundll32’ utility has been renamed in order to avoid detection
Detection logic
condition: selection and not filter
filter:
Image|endswith: \rundll32.exe
selection:
CommandLine|contains: DllRegisterServer
HackTool - SafetyKatz Execution
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the execution of the hacktool SafetyKatz via PE information and default Image name
Detection logic
condition: selection
selection:
- Image|endswith: \SafetyKatz.exe
- OriginalFileName: SafetyKatz.exe
- Description: SafetyKatz
Conhost.exe CommandLine Path Traversal
- source: sigma
- technicques:
- t1059
- t1059.003
Description
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Detection logic
condition: selection
selection:
CommandLine|contains: /../../
ParentCommandLine|contains: conhost
Odbcconf.EXE Suspicious DLL Location
- source: sigma
- technicques:
- t1218
- t1218.008
Description
Detects execution of “odbcconf” where the path of the DLL being registered is located in a potentially suspicious location.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- :\PerfLogs\
- :\ProgramData\
- :\Temp\
- :\Users\Public\
- :\Windows\Registration\CRMLog
- :\Windows\System32\com\dmp\
- :\Windows\System32\FxsTmp\
- :\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
- :\Windows\System32\spool\drivers\color\
- :\Windows\System32\spool\PRINTERS\
- :\Windows\System32\spool\SERVERS\
- :\Windows\System32\Tasks_Migrated\
- :\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
- :\Windows\SysWOW64\com\dmp\
- :\Windows\SysWOW64\FxsTmp\
- :\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
- :\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
- :\Windows\Tasks\
- :\Windows\Temp\
- :\Windows\Tracing\
- \AppData\Local\Temp\
- \AppData\Roaming\
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe
Potential AMSI Bypass Via .NET Reflection
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects Request to “amsiInitFailed” that can be used to disable AMSI Scanning
Detection logic
condition: 1 of selection_*
selection_1:
CommandLine|contains:
- System.Management.Automation.AmsiUtils
- amsiInitFailed
selection_2:
CommandLine|contains|all:
- '[Ref].Assembly.GetType'
- SetValue($null,$true)
- NonPublic,Static
LSA PPL Protection Disabled Via Reg.EXE
- source: sigma
- technicques:
- t1562
- t1562.010
Description
Detects the usage of the “reg.exe” utility to disable PPL protection on the LSA process
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa
CommandLine|contains|all:
- ' add '
- ' /d 0'
- ' /v RunAsPPL '
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
HackTool - Rubeus Execution
- source: sigma
- technicques:
- t1003
- t1550
- t1550.003
- t1558
- t1558.003
Description
Detects the execution of the hacktool Rubeus via PE information of command line parameters
Detection logic
condition: selection
selection:
- Image|endswith: \Rubeus.exe
- OriginalFileName: Rubeus.exe
- Description: Rubeus
- CommandLine|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- dump /luid:0x
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
Process Memory Dump Via Comsvcs.DLL
- source: sigma
- technicques:
- t1003
- t1003.001
- t1036
Description
Detects a process memory dump via “comsvcs.dll” using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Detection logic
condition: (selection_img and 1 of selection_cli_*) or selection_generic
selection_cli_1:
CommandLine|contains:
- '#-'
- '#+'
- '#24'
- '24 '
- MiniDump
CommandLine|contains|all:
- comsvcs
- full
selection_generic:
CommandLine|contains:
- ' #'
- ',#'
- ', #'
CommandLine|contains|all:
- '24'
- comsvcs
- full
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32
Potential Data Exfiltration Activity Via CommandLine Tools
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the use of various CLI utilities exfiltrating data via web requests
Detection logic
condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
payloads:
- CommandLine|contains:
- Get-Content
- GetBytes
- hostname
- ifconfig
- ipconfig
- net view
- netstat
- nltest
- qprocess
- sc query
- systeminfo
- tasklist
- ToBase64String
- whoami
- CommandLine|contains|all:
- 'type '
- ' > '
- ' C:\'
selection_curl:
CommandLine|contains: --ur
Image|endswith: \curl.exe
selection_curl_data:
CommandLine|contains:
- ' -d '
- ' --data '
selection_iwr:
CommandLine|contains:
- Invoke-WebRequest
- 'iwr '
- 'wget '
- 'curl '
CommandLine|contains|all:
- ' -ur'
- ' -me'
- ' -b'
- ' POST '
Image|endswith:
- \powershell.exe
- \pwsh.exe
- \cmd.exe
selection_wget:
CommandLine|contains:
- --post-data
- --post-file
Image|endswith: \wget.exe
Potential Mpclient.DLL Sideloading Via Defender Binaries
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects potential sideloading of “mpclient.dll” by Windows Defender processes (“MpCmdRun” and “NisSrv”) from their non-default directory.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_locations:
Image|startswith:
- C:\Program Files (x86)\Windows Defender\
- C:\Program Files\Microsoft Security Client\
- C:\Program Files\Windows Defender\
- C:\ProgramData\Microsoft\Windows Defender\Platform\
- C:\Windows\WinSxS\
selection:
Image|endswith:
- \MpCmdRun.exe
- \NisSrv.exe
HackTool - Sliver C2 Implant Activity Pattern
- source: sigma
- technicques:
- t1059
Description
Detects process activity patterns as seen being used by Sliver C2 framework implants
Detection logic
condition: selection
selection:
CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8
HackTool - KrbRelay Execution
- source: sigma
- technicques:
- t1558
- t1558.003
Description
Detects the use of KrbRelay, a Kerberos relaying tool
Detection logic
condition: 1 of selection_*
selection_cli_1:
CommandLine|contains|all:
- ' -spn '
- ' -clsid '
- ' -rbcd '
selection_cli_2:
CommandLine|contains|all:
- shadowcred
- clsid
- spn
selection_cli_3:
CommandLine|contains|all:
- 'spn '
- 'session '
- 'clsid '
selection_img:
- Image|endswith: \KrbRelay.exe
- OriginalFileName: KrbRelay.exe
Add SafeBoot Keys Via Reg Utility
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects execution of “reg.exe” commands with the “add” or “copy” flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
Detection logic
condition: all of selection*
selection_flag:
CommandLine|contains:
- ' copy '
- ' add '
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_safeboot:
CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot
HackTool - Certipy Execution
- source: sigma
- technicques:
- t1649
Description
Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
Detection logic
condition: selection_img or all of selection_cli_*
selection_cli_commands:
CommandLine|contains:
- ' auth '
- ' find '
- ' forge '
- ' relay '
- ' req '
- ' shadow '
selection_cli_flags:
CommandLine|contains:
- ' -bloodhound'
- ' -ca-pfx '
- ' -dc-ip '
- ' -kirbi'
- ' -old-bloodhound'
- ' -pfx '
- ' -target'
- ' -username '
- ' -vulnerable'
- auth -pfx
- shadow auto
- shadow list
selection_img:
- Image|endswith: \Certipy.exe
- OriginalFileName: Certipy.exe
- Description|contains: Certipy
PUA - DefenderCheck Execution
- source: sigma
- technicques:
- t1027
- t1027.005
Description
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
Detection logic
condition: selection
selection:
- Image|endswith: \DefenderCheck.exe
- Description: DefenderCheck
Suspicious New Service Creation
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects creation of a new service via “sc” command or the powershell “new-service” cmdlet with suspicious binary paths
Detection logic
condition: 1 of selection* and susp_binpath
selection_posh:
CommandLine|contains|all:
- New-Service
- -BinaryPathName
selection_sc:
CommandLine|contains|all:
- create
- binPath=
Image|endswith: \sc.exe
susp_binpath:
CommandLine|contains:
- powershell
- mshta
- wscript
- cscript
- svchost
- dllhost
- 'cmd '
- cmd.exe /c
- cmd.exe /k
- cmd.exe /r
- rundll32
- C:\Users\Public
- \Downloads\
- \Desktop\
- \Microsoft\Windows\Start Menu\Programs\Startup\
- C:\Windows\TEMP\
- \AppData\Local\Temp
Scheduled Task Executing Encoded Payload from Registry
- source: sigma
- technicques:
- t1053
- t1053.005
- t1059
- t1059.001
Description
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Detection logic
condition: all of selection_*
selection_cli_create:
CommandLine|contains: /Create
selection_cli_encoding:
CommandLine|contains:
- FromBase64String
- encodedcommand
selection_cli_get:
CommandLine|contains:
- Get-ItemProperty
- ' gp '
selection_cli_hive:
CommandLine|contains:
- 'HKCU:'
- 'HKLM:'
- 'registry::'
- HKEY_
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
Potential ShellDispatch.DLL Functionality Abuse
- source: sigma
- technicques:
Description
Detects potential “ShellDispatch.dll” functionality abuse to execute arbitrary binaries via “ShellExecute”
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: RunDll_ShellExecuteW
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
Suspicious Driver/DLL Installation Via Odbcconf.EXE
- source: sigma
- technicques:
- t1218
- t1218.008
Description
Detects execution of “odbcconf” with the “INSTALLDRIVER” action where the driver doesn’t contain a “.dll” extension. This is often used as a defense evasion method.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_dll_ext:
CommandLine|contains: .dll
selection_cli:
CommandLine|contains: 'INSTALLDRIVER '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe
Regsvr32 Execution From Highly Suspicious Location
- source: sigma
- technicques:
- t1218
- t1218.010
Description
Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
Detection logic
condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs))
and not 1 of filter_main_*
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
selection_exclude_known_dirs:
CommandLine|contains:
- C:\Program Files (x86)\
- C:\Program Files\
- C:\ProgramData\
- C:\Users\
- ' C:\Windows\'
- ' "C:\Windows\'
- ' ''C:\Windows\'
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_path_1:
CommandLine|contains:
- :\PerfLogs\
- :\Temp\
- \Windows\Registration\CRMLog
- \Windows\System32\com\dmp\
- \Windows\System32\FxsTmp\
- \Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
- \Windows\System32\spool\drivers\color\
- \Windows\System32\spool\PRINTERS\
- \Windows\System32\spool\SERVERS\
- \Windows\System32\Tasks_Migrated\
- \Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
- \Windows\SysWOW64\com\dmp\
- \Windows\SysWOW64\FxsTmp\
- \Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
- \Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
- \Windows\Tasks\
- \Windows\Tracing\
selection_path_2:
CommandLine|contains:
- ' "C:\'
- ' C:\'
- ' ''C:\'
- D:\
HackTool - SILENTTRINITY Stager Execution
- source: sigma
- technicques:
- t1071
Description
Detects SILENTTRINITY stager use via PE metadata
Detection logic
condition: selection
selection:
Description|contains: st2stager
Suspicious Response File Execution Via Odbcconf.EXE
- source: sigma
- technicques:
- t1218
- t1218.008
Description
Detects execution of “odbcconf” with the “-f” flag in order to load a response file with a non-".rsp" extension.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_rsp_ext:
CommandLine|contains: .rsp
filter_main_runonce_odbc:
CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"
Image: C:\Windows\System32\odbcconf.exe
ParentImage: C:\Windows\System32\runonce.exe
selection_cli:
CommandLine|contains|windash: ' -f '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- source: sigma
- technicques:
- t1216
Description
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Detection logic
condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
contains_format_pretty_arg:
CommandLine|contains:
- format:pretty
- format:"pretty"
- format:"text"
- format:text
contains_winrm:
CommandLine|contains: winrm
image_from_system_folder:
Image|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
Regedit as Trusted Installer
- source: sigma
- technicques:
- t1548
Description
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Detection logic
condition: selection
selection:
Image|endswith: \regedit.exe
ParentImage|endswith:
- \TrustedInstaller.exe
- \ProcessHacker.exe
Suspicious Advpack Call Via Rundll32.EXE
- source: sigma
- technicques:
Description
Detects execution of “rundll32” calling “advpack.dll” with potential obfuscated ordinal calls in order to leverage the “RegisterOCX” function
Detection logic
condition: all of selection_*
selection_cli_dll:
CommandLine|contains: advpack
selection_cli_ordinal:
- CommandLine|contains|all:
- '#+'
- '12'
- CommandLine|contains: '#-'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32
Delete Important Scheduled Task
- source: sigma
- technicques:
- t1489
Description
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detection logic
condition: all of schtasks_*
schtasks_exe:
CommandLine|contains:
- \Windows\SystemRestore\SR
- \Windows\Windows Defender\
- \Windows\BitLocker
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
- \Windows\UpdateOrchestrator\
- \Windows\ExploitGuard
CommandLine|contains|all:
- /delete
- /tn
Image|endswith: \schtasks.exe
Persistence Via Sticky Key Backdoor
- source: sigma
- technicques:
- t1546
- t1546.008
Description
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are “activated” the privilleged shell is launched.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- 'copy '
- '/y '
- C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe
HackTool - Stracciatella Execution
- source: sigma
- technicques:
- t1059
- t1562
- t1562.001
Description
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
Detection logic
condition: selection
selection:
- Image|endswith: \Stracciatella.exe
- OriginalFileName: Stracciatella.exe
- Description: Stracciatella
- Hashes|contains:
- SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
- SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
- sha256:
- 9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
- fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a
Remote Access Tool - ScreenConnect Server Web Shell Execution
- source: sigma
- technicques:
- t1190
Description
Detects potential web shell execution from the ScreenConnect server process.
Detection logic
condition: selection
selection:
Image|endswith:
- \cmd.exe
- \csc.exe
ParentImage|endswith: \ScreenConnect.Service.exe
LSASS Dump Keyword In CommandLine
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects the presence of the keywords “lsass” and “.dmp” in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Detection logic
condition: selection
selection:
- CommandLine|contains:
- lsass.dmp
- lsass.zip
- lsass.rar
- Andrew.dmp
- Coredump.dmp
- NotLSASS.zip
- lsass_2
- lsassdump
- lsassdmp
- CommandLine|contains|all:
- lsass
- .dmp
- CommandLine|contains|all:
- SQLDmpr
- .mdmp
- CommandLine|contains|all:
- nanodump
- .dmp
HackTool - Mimikatz Execution
- source: sigma
- technicques:
- t1003
- t1003.001
- t1003.002
- t1003.004
- t1003.005
- t1003.006
Description
Detection well-known mimikatz command line arguments
Detection logic
condition: 1 of selection_*
selection_function_names:
CommandLine|contains:
- ::aadcookie
- ::detours
- ::memssp
- ::mflt
- ::ncroutemon
- ::ngcsign
- ::printnightmare
- ::skeleton
- ::preshutdown
- ::mstsc
- ::multirdp
selection_module_names:
CommandLine|contains:
- 'rpc::'
- 'token::'
- 'crypto::'
- 'dpapi::'
- 'sekurlsa::'
- 'kerberos::'
- 'lsadump::'
- 'privilege::'
- 'process::'
- 'vault::'
selection_tools_name:
CommandLine|contains:
- DumpCreds
- mimikatz
Potential Manage-bde.wsf Abuse To Proxy Execution
- source: sigma
- technicques:
- t1216
Description
Detects potential abuse of the “manage-bde.wsf” script as a LOLBIN to proxy execution
Detection logic
condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
selection_filter_cmd:
Image|endswith: \cmd.exe
selection_parent:
ParentCommandLine|contains: manage-bde.wsf
ParentImage|endswith:
- \cscript.exe
- \wscript.exe
selection_wscript_cli:
CommandLine|contains: manage-bde.wsf
selection_wscript_img:
- Image|endswith: \wscript.exe
- OriginalFileName: wscript.exe
HackTool - SysmonEOP Execution
- source: sigma
- technicques:
- t1068
Description
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
Detection logic
condition: 1 of selection_*
selection_hash:
- Hashes|contains:
- IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5
- IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC
- Imphash:
- 22f4089eb8aba31e1bb162c6d9bf72e5
- 5123fa4c4384d431cd0d893eeb49bbec
selection_img:
Image|endswith: \SysmonEOP.exe
PowerShell Execution With Potential Decryption Capabilities
- source: sigma
- technicques:
Description
Detects PowerShell commands that decrypt an “.LNK” “file to drop the next stage of the malware.
Detection logic
condition: all of selection_*
selection_cli_dir:
CommandLine|contains:
- 'Get-ChildItem '
- 'dir '
- 'gci '
- 'ls '
selection_cli_gc:
CommandLine|contains:
- 'Get-Content '
- 'gc '
- 'cat '
- 'type '
- ReadAllBytes
selection_cli_specific:
- CommandLine|contains|all:
- ' ^| '
- \*.lnk
- -Recurse
- '-Skip '
- CommandLine|contains|all:
- ' -ExpandProperty '
- \*.lnk
- WriteAllBytes
- ' .length '
selection_img:
Image|endswith:
- \powershell.exe
- \pwsh.exe
OriginalFileName:
- PowerShell.EXE
- pwsh.dll
DLL Sideloading by VMware Xfer Utility
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
Detection logic
condition: selection and not filter
filter:
Image|startswith: C:\Program Files\VMware\
selection:
Image|endswith: \VMwareXferlogs.exe
HackTool - Default PowerSploit/Empire Scheduled Task Creation
- source: sigma
- technicques:
- t1053
- t1053.005
- t1059
- t1059.001
Description
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
Detection logic
condition: selection
selection:
CommandLine|contains:
- /SC ONLOGON
- /SC DAILY /ST
- /SC ONIDLE
- /SC HOURLY
CommandLine|contains|all:
- /Create
- powershell.exe -NonI
- /TN Updater /TR
Image|endswith: \schtasks.exe
ParentImage|endswith:
- \powershell.exe
- \pwsh.exe
HackTool - GMER Rootkit Detector and Remover Execution
- source: sigma
- technicques:
Description
Detects the execution GMER tool based on image and hash fields.
Detection logic
condition: 1 of selection_*
selection_img:
Image|endswith: \gmer.exe
selection_other:
- md5: e9dc058440d321aa17d0600b3ca0ab04
- sha1: 539c228b6b332f5aa523e5ce358c16647d8bbe57
- sha256: e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173
selection_sysmon_hash:
Hashes|contains:
- MD5=E9DC058440D321AA17D0600B3CA0AB04
- SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57
- SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173
HackTool - winPEAS Execution
- source: sigma
- technicques:
- t1046
- t1082
- t1087
Description
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
Detection logic
condition: 1 of selection_*
selection_cli_dl:
CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/
selection_cli_option:
CommandLine|contains:
- ' applicationsinfo'
- ' browserinfo'
- ' eventsinfo'
- ' fileanalysis'
- ' filesinfo'
- ' processinfo'
- ' servicesinfo'
- ' windowscreds'
selection_cli_specific:
- ParentCommandLine|endswith: ' -linpeas'
- CommandLine|endswith: ' -linpeas'
selection_img:
- OriginalFileName: winPEAS.exe
- Image|endswith:
- \winPEASany_ofs.exe
- \winPEASany.exe
- \winPEASx64_ofs.exe
- \winPEASx64.exe
- \winPEASx86_ofs.exe
- \winPEASx86.exe
Mstsc.EXE Execution From Uncommon Parent
- source: sigma
- technicques:
Description
Detects potential RDP connection via Mstsc using a local “.rdp” file located in suspicious locations.
Detection logic
condition: all of selection_*
selection_img:
- Image|endswith: \mstsc.exe
- OriginalFileName: mstsc.exe
selection_parent:
ParentImage|endswith:
- \brave.exe
- \CCleanerBrowser.exe
- \chrome.exe
- \chromium.exe
- \firefox.exe
- \iexplore.exe
- \microsoftedge.exe
- \msedge.exe
- \opera.exe
- \vivaldi.exe
- \whale.exe
- \outlook.exe
HackTool - Wmiexec Default Powershell Command
- source: sigma
- technicques:
Description
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
Detection logic
condition: selection
selection:
CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc
Hacktool Execution - PE Metadata
- source: sigma
- technicques:
- t1003
- t1588
- t1588.002
Description
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
Detection logic
condition: selection
selection:
Company: Cube0x0
Rundll32 UNC Path Execution
- source: sigma
- technicques:
- t1021
- t1021.002
- t1218
- t1218.011
Description
Detects rundll32 execution where the DLL is located on a remote location (share)
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains: ' \\\\'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32
Renamed Msdt.EXE Execution
- source: sigma
- technicques:
- t1036
- t1036.003
Description
Detects the execution of a renamed “Msdt.exe” binary
Detection logic
condition: selection and not filter
filter:
Image|endswith: \msdt.exe
selection:
OriginalFileName: msdt.exe
Boot Configuration Tampering Via Bcdedit.EXE
- source: sigma
- technicques:
- t1490
Description
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Detection logic
condition: all of selection_*
selection_cli:
- CommandLine|contains|all:
- bootstatuspolicy
- ignoreallfailures
- CommandLine|contains|all:
- recoveryenabled
- 'no'
selection_img:
- Image|endswith: \bcdedit.exe
- OriginalFileName: bcdedit.exe
selection_set:
CommandLine|contains: set
Regsvr32 DLL Execution With Suspicious File Extension
- source: sigma
- technicques:
- t1218
- t1218.010
Description
Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|endswith:
- .bin
- .bmp
- .cr2
- .dat
- .eps
- .gif
- .ico
- .jpeg
- .jpg
- .nef
- .orf
- .png
- .raw
- .sr2
- .temp
- .tif
- .tiff
- .tmp
- .rtf
- .txt
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
Delete All Scheduled Tasks
- source: sigma
- technicques:
- t1489
Description
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Detection logic
condition: selection
selection:
CommandLine|contains|all:
- ' /delete '
- /tn \*
- ' /f'
Image|endswith: \schtasks.exe
HackTool - SharpChisel Execution
- source: sigma
- technicques:
- t1090
- t1090.001
Description
Detects usage of the Sharp Chisel via the commandline arguments
Detection logic
condition: selection
selection:
- Image|endswith: \SharpChisel.exe
- Product: SharpChisel
HackTool - PPID Spoofing SelectMyParent Tool Execution
- source: sigma
- technicques:
- t1134
- t1134.004
Description
Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
Detection logic
condition: selection
selection:
- Image|endswith: \SelectMyParent.exe
- CommandLine|contains:
- PPID-spoof
- ppid_spoof
- spoof-ppid
- spoof_ppid
- ppidspoof
- spoofppid
- spoofedppid
- ' -spawnto '
- OriginalFileName|contains:
- PPID-spoof
- ppid_spoof
- spoof-ppid
- spoof_ppid
- ppidspoof
- spoofppid
- spoofedppid
- Description: SelectMyParent
- Imphash:
- 04d974875bd225f00902b4cad9af3fbc
- a782af154c9e743ddf3f3eb2b8f3d16e
- 89059503d7fbf470e68f7e63313da3ad
- ca28337632625c8281ab8a130b3d6bad
- Hashes|contains:
- IMPHASH=04D974875BD225F00902B4CAD9AF3FBC
- IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E
- IMPHASH=89059503D7FBF470E68F7E63313DA3AD
- IMPHASH=CA28337632625C8281AB8A130B3D6BAD
Potentially Suspicious DLL Registered Via Odbcconf.EXE
- source: sigma
- technicques:
- t1218
- t1218.008
Description
Detects execution of “odbcconf” with the “REGSVR” action where the DLL in question doesn’t contain a “.dll” extension. Which is often used as a method to evade defenses.
Detection logic
condition: all of selection_* and not 1 of filter_main_*
filter_main_dll_ext:
CommandLine|contains: .dll
selection_cli:
CommandLine|contains: 'REGSVR '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe
Suspicious Service Path Modification
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects service path modification via the “sc” binary to a suspicious command or path
Detection logic
condition: selection
selection:
CommandLine|contains:
- powershell
- 'cmd '
- mshta
- wscript
- cscript
- rundll32
- svchost
- dllhost
- cmd.exe /c
- cmd.exe /k
- cmd.exe /r
- cmd /c
- cmd /k
- cmd /r
- C:\Users\Public
- \Downloads\
- \Desktop\
- \Microsoft\Windows\Start Menu\Programs\Startup\
- C:\Windows\TEMP\
- \AppData\Local\Temp
CommandLine|contains|all:
- config
- binPath
Image|endswith: \sc.exe
Wmiexec Default Output File
- source: sigma
- technicques:
- t1047
Description
Detects the creation of the default output filename used by the wmiexec tool
Detection logic
condition: selection
selection:
- TargetFilename|re: \\Windows\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: C:\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: D:\\__1\d{9}\.\d{1,7}$
Inveigh Execution Artefacts
- source: sigma
- technicques:
- t1219
Description
Detects the presence and execution of Inveigh via dropped artefacts
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- \Inveigh-Log.txt
- \Inveigh-Cleartext.txt
- \Inveigh-NTLMv1Users.txt
- \Inveigh-NTLMv2Users.txt
- \Inveigh-NTLMv1.txt
- \Inveigh-NTLMv2.txt
- \Inveigh-FormInput.txt
- \Inveigh.dll
- \Inveigh.exe
- \Inveigh.ps1
- \Inveigh-Relay.ps1
Suspicious Outlook Macro Created
- source: sigma
- technicques:
- t1008
- t1137
- t1546
Description
Detects the creation of a macro file for Outlook.
Detection logic
condition: selection and not filter
filter:
Image|endswith: \outlook.exe
selection:
TargetFilename|endswith: \Microsoft\Outlook\VbaProject.OTM
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
- source: sigma
- technicques:
- t1216
Description
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Detection logic
condition: system_files and not in_system_folder
in_system_folder:
TargetFilename|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
system_files:
TargetFilename|endswith:
- WsmPty.xsl
- WsmTxt.xsl
PSEXEC Remote Execution File Artefact
- source: sigma
- technicques:
- t1136
- t1136.002
- t1543
- t1543.003
- t1570
Description
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Detection logic
condition: selection
selection:
TargetFilename|endswith: .key
TargetFilename|startswith: C:\Windows\PSEXEC-
Suspicious File Created In PerfLogs
- source: sigma
- technicques:
- t1059
Description
Detects suspicious file based on their extension being created in “C:\PerfLogs". Note that this directory mostly contains “.etl” files
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- .7z
- .bat
- .bin
- .chm
- .dll
- .exe
- .hta
- .lnk
- .ps1
- .psm1
- .py
- .scr
- .sys
- .vbe
- .vbs
- .zip
TargetFilename|startswith: C:\PerfLogs\
Suspicious Double Extension Files
- source: sigma
- technicques:
- t1036
- t1036.007
Description
Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
Detection logic
condition: 1 of selection_*
selection_exe:
TargetFilename|endswith:
- .rar.exe
- .zip.exe
selection_gen:
TargetFilename|contains:
- .doc.
- .docx.
- .jpg.
- .pdf.
- .ppt.
- .pptx.
- .xls.
- .xlsx.
TargetFilename|endswith:
- .exe
- .iso
- .rar
- .zip
Mimikatz Kirbi File Creation
- source: sigma
- technicques:
- t1558
Description
Detects the creation of files created by mimikatz such as “.kirbi”, “mimilsa.log”, etc.
Detection logic
condition: selection
selection:
TargetFilename|endswith:
- .kirbi
- mimilsa.log
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
- source: sigma
- technicques:
- t1564
- t1564.004
Description
Detects the creation of hidden file/folder with the “::$index_allocation” stream. Which can be used as a technique to prevent access to folder and files from tooling such as “explorer.exe” and “powershell.exe”
Detection logic
condition: selection
selection:
TargetFilename|contains: ::$index_allocation
Hijack Legit RDP Session to Move Laterally
- source: sigma
- technicques:
- t1219
Description
Detects the usage of tsclient share to place a backdoor on the RDP source machine’s startup folder
Detection logic
condition: selection
selection:
Image|endswith: \mstsc.exe
TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\
Suspicious File Creation In Uncommon AppData Folder
- source: sigma
- technicques:
Description
Detects the creation of suspicious files and folders inside the user’s AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
Detection logic
condition: selection and not filter_main
filter_main:
TargetFilename|contains:
- \AppData\Local\
- \AppData\LocalLow\
- \AppData\Roaming\
TargetFilename|startswith: C:\Users\
selection:
TargetFilename|contains: \AppData\
TargetFilename|endswith:
- .bat
- .cmd
- .cpl
- .dll
- .exe
- .hta
- .iso
- .lnk
- .msi
- .ps1
- .psm1
- .scr
- .vbe
- .vbs
TargetFilename|startswith: C:\Users\
Suspicious Execution Of Renamed Sysinternals Tools - Registry
- source: sigma
- technicques:
- t1588
- t1588.002
Description
Detects the creation of the “accepteula” key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
Detection logic
condition: selection and not filter
filter:
Image|endswith:
- \ADExplorer.exe
- \ADExplorer64.exe
- \handle.exe
- \handle64.exe
- \livekd.exe
- \livekd64.exe
- \procdump.exe
- \procdump64.exe
- \procexp.exe
- \procexp64.exe
- \PsExec.exe
- \PsExec64.exe
- \PsLoggedon.exe
- \PsLoggedon64.exe
- \psloglist.exe
- \psloglist64.exe
- \pspasswd.exe
- \pspasswd64.exe
- \PsPing.exe
- \PsPing64.exe
- \PsService.exe
- \PsService64.exe
- \sdelete.exe
selection:
EventType: CreateKey
TargetObject|contains:
- \Active Directory Explorer
- \Handle
- \LiveKd
- \ProcDump
- \Process Explorer
- \PsExec
- \PsLoggedon
- \PsLoglist
- \PsPasswd
- \PsPing
- \PsService
- \SDelete
TargetObject|endswith: \EulaAccepted
Office Application Startup - Office Test
- source: sigma
- technicques:
- t1137
- t1137.002
Description
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
Detection logic
condition: selection
selection:
TargetObject|contains: \Software\Microsoft\Office test\Special\Perf
Potential Credential Dumping Via LSASS SilentProcessExit Technique
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Detection logic
condition: selection
selection:
TargetObject|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe
OilRig APT Registry Persistence
- source: sigma
- technicques:
- t1053
- t1053.005
- t1071
- t1071.004
- t1112
- t1543
- t1543.003
Description
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
Detection logic
condition: selection
selection:
TargetObject|endswith:
- SOFTWARE\Microsoft\Windows\CurrentVersion\UMe
- SOFTWARE\Microsoft\Windows\CurrentVersion\UT
Sticky Key Like Backdoor Usage - Registry
- source: sigma
- technicques:
- t1546
- t1546.008
Description
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Detection logic
condition: selection_registry
selection_registry:
TargetObject|endswith:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger
Removal Of AMSI Provider Registry Keys
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Detection logic
condition: selection
selection:
EventType: DeleteKey
TargetObject|endswith:
- '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
- '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
Potential Persistence Via LSA Extensions
- source: sigma
- technicques:
Description
Detects when an attacker modifies the “REG_MULTI_SZ” value named “Extensions” to include a custom DLL to achieve persistence via lsass. The “Extensions” list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Detection logic
condition: selection
selection:
TargetObject|contains: \SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions
DNS-over-HTTPS Enabled by Registry
- source: sigma
- technicques:
- t1112
- t1140
Description
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
Detection logic
condition: 1 of selection_*
selection_chrome:
Details: secure
TargetObject|endswith: \SOFTWARE\Google\Chrome\DnsOverHttpsMode
selection_edge:
Details: DWORD (0x00000001)
TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled
selection_firefox:
Details: DWORD (0x00000001)
TargetObject|endswith: \SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled
Office Macros Warning Disabled
- source: sigma
- technicques:
- t1112
Description
Detects registry changes to Microsoft Office “VBAWarning” to a value of “1” which enables the execution of all macros, whether signed or unsigned.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: \Security\VBAWarnings
Hide Schedule Task Via Index Value Tamper
- source: sigma
- technicques:
- t1562
Description
Detects when the “index” value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as “schtasks /query” (Read the referenced link for more information about the effects of this technique)
Detection logic
condition: selection
selection:
Details: DWORD (0x00000000)
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
- Index
Persistence Via Hhctrl.ocx
- source: sigma
- technicques:
Description
Detects when an attacker modifies the registry value of the “hhctrl” to point to a custom binary
Detection logic
condition: selection and not filter
filter:
Details: C:\Windows\System32\hhctrl.ocx
selection:
TargetObject|contains: \CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)
Potential Persistence Via AutodialDLL
- source: sigma
- technicques:
Description
Detects change the the “AutodialDLL” key which could be used as a persistence method to load custom DLL via the “ws2_32” library
Detection logic
condition: selection
selection:
TargetObject|contains: \Services\WinSock2\Parameters\AutodialDLL
Usage of Renamed Sysinternals Tools - RegistrySet
- source: sigma
- technicques:
- t1588
- t1588.002
Description
Detects non-sysinternals tools setting the “accepteula” key which normally is set on sysinternals tool execution
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_image_names:
Image|endswith:
- \PsExec.exe
- \PsExec64.exe
- \procdump.exe
- \procdump64.exe
- \handle.exe
- \handle64.exe
- \livekd.exe
- \livekd64.exe
- \procexp.exe
- \procexp64.exe
- \psloglist.exe
- \psloglist64.exe
- \pspasswd.exe
- \pspasswd64.exe
- \ADExplorer.exe
- \ADExplorer64.exe
filter_optional_null:
Image: null
selection:
TargetObject|contains:
- \PsExec
- \ProcDump
- \Handle
- \LiveKd
- \Process Explorer
- \PsLoglist
- \PsPasswd
- \Active Directory Explorer
TargetObject|endswith: \EulaAccepted
Potential Attachment Manager Settings Associations Tamper
- source: sigma
- technicques:
Description
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)
Detection logic
condition: selection_main and 1 of selection_value_*
selection_main:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\
selection_value_default_file_type_rsik:
Details: DWORD (0x00006152)
TargetObject|endswith: \DefaultFileTypeRisk
selection_value_low_risk_filetypes:
Details|contains:
- .zip;
- .rar;
- .exe;
- .bat;
- .com;
- .cmd;
- .reg;
- .msi;
- .htm;
- .html;
TargetObject|endswith: \LowRiskFileTypes
Potential Persistence Via TypedPaths
- source: sigma
- technicques:
Description
Detects modification addition to the ‘TypedPaths’ key in the user or admin registry from a non standard application. Which might indicate persistence attempt
Detection logic
condition: selection and not filter
filter:
Image:
- C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
selection:
TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\
Outlook Macro Execution Without Warning Setting Enabled
- source: sigma
- technicques:
- t1008
- t1137
- t1546
Description
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Detection logic
condition: selection
selection:
Details|contains: '0x00000001'
TargetObject|endswith: \Outlook\Security\Level
Potentially Suspicious ODBC Driver Registered
- source: sigma
- technicques:
- t1003
Description
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
Detection logic
condition: selection
selection:
Details|contains:
- :\PerfLogs\
- :\ProgramData\
- :\Temp\
- :\Users\Public\
- :\Windows\Registration\CRMLog
- :\Windows\System32\com\dmp\
- :\Windows\System32\FxsTmp\
- :\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
- :\Windows\System32\spool\drivers\color\
- :\Windows\System32\spool\PRINTERS\
- :\Windows\System32\spool\SERVERS\
- :\Windows\System32\Tasks_Migrated\
- :\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
- :\Windows\SysWOW64\com\dmp\
- :\Windows\SysWOW64\FxsTmp\
- :\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
- :\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
- :\Windows\Tasks\
- :\Windows\Temp\
- :\Windows\Tracing\
- \AppData\Local\Temp\
- \AppData\Roaming\
TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
TargetObject|endswith:
- \Driver
- \Setup
Potential Attachment Manager Settings Attachments Tamper
- source: sigma
- technicques:
Description
Detects tampering with attachment manager settings policies attachments (See reference for more information)
Detection logic
condition: selection_main and 1 of selection_value_*
selection_main:
TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\
selection_value_hide_zone_info:
Details: DWORD (0x00000001)
TargetObject|endswith: \HideZoneInfoOnProperties
selection_value_save_zone_info:
Details: DWORD (0x00000002)
TargetObject|endswith: \SaveZoneInformation
selection_value_scan_with_av:
Details: DWORD (0x00000001)
TargetObject|endswith: \ScanWithAntiVirus
Suspicious Application Allowed Through Exploit Guard
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects applications being added to the “allowed applications” list of exploit guard in order to bypass controlled folder settings
Detection logic
condition: all of selection_*
selection_key:
TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit
Guard\Controlled Folder Access\AllowedApplications
selection_paths:
TargetObject|contains:
- \Users\Public\
- \AppData\Local\Temp\
- \Desktop\
- \PerfLogs\
- \Windows\Temp\
Trust Access Disable For VBApplications
- source: sigma
- technicques:
- t1112
Description
Detects registry changes to Microsoft Office “AccessVBOM” to a value of “1” which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Detection logic
condition: selection
selection:
Details: DWORD (0x00000001)
TargetObject|endswith: \Security\AccessVBOM
Microsoft Office Protected View Disabled
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
Detection logic
condition: selection_path and 1 of selection_values_*
selection_path:
TargetObject|contains|all:
- \SOFTWARE\Microsoft\Office\
- \Security\ProtectedView\
selection_values_0:
Details: DWORD (0x00000000)
TargetObject|endswith:
- \enabledatabasefileprotectedview
- \enableforeigntextfileprotectedview
selection_values_1:
Details: DWORD (0x00000001)
TargetObject|endswith:
- \DisableAttachementsInPV
- \DisableInternetFilesInPV
- \DisableIntranetCheck
- \DisableUnsafeLocationsInPV
Macro Enabled In A Potentially Suspicious Document
- source: sigma
- technicques:
- t1112
Description
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Detection logic
condition: all of selection_*
selection_paths:
TargetObject|contains:
- /AppData/Local/Microsoft/Windows/INetCache/
- /AppData/Local/Temp/
- /PerfLogs/
- C:/Users/Public/
- file:///D:/
- file:///E:/
selection_value:
TargetObject|contains: \Security\Trusted Documents\TrustRecords
Potential CobaltStrike Service Installations - Registry
- source: sigma
- technicques:
- t1021
- t1021.002
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
Detection logic
condition: all of selection_*
selection_details:
- Details|contains|all:
- ADMIN$
- .exe
- Details|contains|all:
- '%COMSPEC%'
- start
- powershell
selection_key:
- TargetObject|contains: \System\CurrentControlSet\Services
- TargetObject|contains|all:
- \System\ControlSet
- \Services
Sysmon File Executable Creation Detected
- source: sigma
- technicques:
Description
Triggers on any Sysmon “FileExecutableDetected” event, which triggers every time a PE that is monitored by the config is created.
Detection logic
condition: selection
selection:
EventID: 29
Sysmon Blocked File Shredding
- source: sigma
- technicques:
Description
Triggers on any Sysmon “FileBlockShredding” event, which indicates a violation of the configured shredding policy.
Detection logic
condition: selection
selection:
EventID: 28
Sysmon Blocked Executable
- source: sigma
- technicques:
Description
Triggers on any Sysmon “FileBlockExecutable” event, which indicates a violation of the configured block policy
Detection logic
condition: selection
selection:
EventID: 27
Remote LSASS Process Access Through Windows Remote Management
- source: sigma
- technicques:
- t1003
- t1003.001
- t1021
- t1021.006
- t1059
- t1059.001
Description
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_access:
GrantedAccess: '0x80000000'
selection:
SourceImage|endswith: :\Windows\system32\wsmprovhost.exe
TargetImage|endswith: \lsass.exe
HackTool - Generic Process Access
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects process access requests from hacktool processes based on their default image name
Detection logic
condition: selection
selection:
- SourceImage|endswith:
- \Akagi.exe
- \Akagi64.exe
- \atexec_windows.exe
- \Certify.exe
- \Certipy.exe
- \CoercedPotato.exe
- \crackmapexec.exe
- \CreateMiniDump.exe
- \dcomexec_windows.exe
- \dpapi_windows.exe
- \findDelegation_windows.exe
- \GetADUsers_windows.exe
- \GetNPUsers_windows.exe
- \getPac_windows.exe
- \getST_windows.exe
- \getTGT_windows.exe
- \GetUserSPNs_windows.exe
- \gmer.exe
- \hashcat.exe
- \htran.exe
- \ifmap_windows.exe
- \impersonate.exe
- \Inveigh.exe
- \LocalPotato.exe
- \mimikatz_windows.exe
- \mimikatz.exe
- \netview_windows.exe
- \nmapAnswerMachine_windows.exe
- \opdump_windows.exe
- \PasswordDump.exe
- \Potato.exe
- \PowerTool.exe
- \PowerTool64.exe
- \psexec_windows.exe
- \PurpleSharp.exe
- \pypykatz.exe
- \QuarksPwDump.exe
- \rdp_check_windows.exe
- \Rubeus.exe
- \SafetyKatz.exe
- \sambaPipe_windows.exe
- \SelectMyParent.exe
- \SharpChisel.exe
- \SharPersist.exe
- \SharpEvtMute.exe
- \SharpImpersonation.exe
- \SharpLDAPmonitor.exe
- \SharpLdapWhoami.exe
- \SharpUp.exe
- \SharpView.exe
- \smbclient_windows.exe
- \smbserver_windows.exe
- \sniff_windows.exe
- \sniffer_windows.exe
- \split_windows.exe
- \SpoolSample.exe
- \Stracciatella.exe
- \SysmonEOP.exe
- \temp\rot.exe
- \ticketer_windows.exe
- \TruffleSnout.exe
- \winPEASany_ofs.exe
- \winPEASany.exe
- \winPEASx64_ofs.exe
- \winPEASx64.exe
- \winPEASx86_ofs.exe
- \winPEASx86.exe
- \xordump.exe
- SourceImage|contains:
- \goldenPac
- \just_dce_
- \karmaSMB
- \kintercept
- \LocalPotato
- \ntlmrelayx
- \rpcdump
- \samrdump
- \secretsdump
- \smbexec
- \smbrelayx
- \wmiexec
- \wmipersist
- HotPotato
- Juicy Potato
- JuicyPotato
- PetitPotam
- RottenPotato
Windows Defender Threat Detected
- source: sigma
- technicques:
- t1059
Description
Detects actions taken by Windows Defender malware detection engines
Detection logic
condition: selection
selection:
EventID:
- 1006
- 1015
- 1116
- 1117
Windows Defender Exploit Guard Tamper
- source: sigma
- technicques:
- t1562
- t1562.001
Description
Detects when someone is adding or removing applications or folders from exploit guard “ProtectedFolders” or “AllowedApplications”
Detection logic
allowed_apps_key:
EventID: 5007
NewValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder
Access\AllowedApplications\
allowed_apps_path:
NewValue|contains:
- \Users\Public\
- \AppData\Local\Temp\
- \Desktop\
- \PerfLogs\
- \Windows\Temp\
condition: all of allowed_apps* or protected_folders
protected_folders:
EventID: 5007
OldValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder
Access\ProtectedFolders\
Windows Defender AMSI Trigger Detected
- source: sigma
- technicques:
- t1059
Description
Detects triggering of AMSI by Windows Defender.
Detection logic
condition: selection
selection:
EventID: 1116
SourceName: AMSI
Important Windows Event Auditing Disabled
- source: sigma
- technicques:
- t1562
- t1562.002
Description
Detects scenarios where system auditing for important events such as “Process Creation” or “Logon” events is disabled.
Detection logic
condition: 1 of selection_*
selection_state_success_and_failure:
AuditPolicyChanges|contains:
- '%%8448'
- '%%8450'
EventID: 4719
SubcategoryGuid:
- '{0CCE9210-69AE-11D9-BED3-505054503030}'
- '{0CCE9211-69AE-11D9-BED3-505054503030}'
- '{0CCE9212-69AE-11D9-BED3-505054503030}'
- '{0CCE9215-69AE-11D9-BED3-505054503030}'
- '{0CCE921B-69AE-11D9-BED3-505054503030}'
- '{0CCE922B-69AE-11D9-BED3-505054503030}'
- '{0CCE922F-69AE-11D9-BED3-505054503030}'
- '{0CCE9230-69AE-11D9-BED3-505054503030}'
- '{0CCE9235-69AE-11D9-BED3-505054503030}'
- '{0CCE9236-69AE-11D9-BED3-505054503030}'
- '{0CCE9237-69AE-11D9-BED3-505054503030}'
- '{0CCE923F-69AE-11D9-BED3-505054503030}'
- '{0CCE9240-69AE-11D9-BED3-505054503030}'
- '{0CCE9242-69AE-11D9-BED3-505054503030}'
selection_state_success_only:
AuditPolicyChanges|contains: '%%8448'
EventID: 4719
SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}'
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- source: sigma
- technicques:
- t1134
- t1134.001
- t1134.002
Description
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Detection logic
condition: selection_eid and 1 of selection_cli_*
selection_cli_cmd:
ServiceFileName|contains:
- cmd
- '%COMSPEC%'
ServiceFileName|contains|all:
- /c
- echo
- \pipe\
selection_cli_rundll:
ServiceFileName|contains|all:
- rundll32
- .dll,a
- '/p:'
selection_cli_share:
ServiceFileName|startswith: \\\\127.0.0.1\\ADMIN$\
selection_eid:
EventID: 4697
Windows Filtering Platform Blocked Connection From EDR Agent Binary
- source: sigma
- technicques:
- t1562
Description
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
Detection logic
condition: selection
selection:
Application|endswith:
- \AmSvc.exe
- \cb.exe
- \CETASvc.exe
- \CNTAoSMgr.exe
- \CrAmTray.exe
- \CrsSvc.exe
- \CSFalconContainer.exe
- \CSFalconService.exe
- \CybereasonAV.exe
- \CylanceSvc.exe
- \cyserver.exe
- \CyveraService.exe
- \CyvrFsFlt.exe
- \EIConnector.exe
- \elastic-agent.exe
- \elastic-endpoint.exe
- \EndpointBasecamp.exe
- \ExecutionPreventionSvc.exe
- \filebeat.exe
- \fortiedr.exe
- \hmpalert.exe
- \hurukai.exe
- \LogProcessorService.exe
- \mcsagent.exe
- \mcsclient.exe
- \MsMpEng.exe
- \MsSense.exe
- \Ntrtscan.exe
- \PccNTMon.exe
- \QualysAgent.exe
- \RepMgr.exe
- \RepUtils.exe
- \RepUx.exe
- \RepWAV.exe
- \RepWSC.exe
- \sedservice.exe
- \SenseCncProxy.exe
- \SenseIR.exe
- \SenseNdr.exe
- \SenseSampleUploader.exe
- \SentinelAgent.exe
- \SentinelAgentWorker.exe
- \SentinelBrowserNativeHost.exe
- \SentinelHelperService.exe
- \SentinelServiceHost.exe
- \SentinelStaticEngine.exe
- \SentinelStaticEngineScanner.exe
- \sfc.exe
- \sophos ui.exe
- \sophosfilescanner.exe
- \sophosfs.exe
- \sophoshealth.exe
- \sophosips.exe
- \sophosLivequeryservice.exe
- \sophosnetfilter.exe
- \sophosntpservice.exe
- \sophososquery.exe
- \sspservice.exe
- \TaniumClient.exe
- \TaniumCX.exe
- \TaniumDetectEngine.exe
- \TMBMSRV.exe
- \TmCCSF.exe
- \TmListen.exe
- \TmWSCSvc.exe
- \Traps.exe
- \winlogbeat.exe
- \WSCommunicator.exe
- \xagt.exe
EventID: 5157
DiagTrackEoP Default Login Username
- source: sigma
- technicques:
Description
Detects the default “UserName” used by the DiagTrackEoP POC
Detection logic
condition: selection
selection:
EventID: 4624
LogonType: 9
TargetOutboundUserName: thisisnotvaliduser
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
- source: sigma
- technicques:
- t1210
Description
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Detection logic
condition: selection
selection:
EventID: 4625
TargetUserName: AAAAAAA
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
- source: sigma
- technicques:
Description
Detects block events for files that are disallowed by code integrity for protected processes
Detection logic
condition: selection
selection:
EventID: 3104
CodeIntegrity - Revoked Kernel Driver Loaded
- source: sigma
- technicques:
Description
Detects the load of a revoked kernel driver
Detection logic
condition: selection
selection:
EventID:
- 3021
- 3022
CodeIntegrity - Unsigned Image Loaded
- source: sigma
- technicques:
Description
Detects loaded unsigned image on the system
Detection logic
condition: selection
selection:
EventID: 3037
CodeIntegrity - Revoked Image Loaded
- source: sigma
- technicques:
Description
Detects image load events with revoked certificates by code integrity.
Detection logic
condition: selection
selection:
EventID:
- 3032
- 3035
CodeIntegrity - Unsigned Kernel Module Loaded
- source: sigma
- technicques:
Description
Detects the presence of a loaded unsigned kernel module on the system.
Detection logic
condition: selection
selection:
EventID: 3001
CodeIntegrity - Blocked Image Load With Revoked Certificate
- source: sigma
- technicques:
Description
Detects blocked image load events with revoked certificates by code integrity.
Detection logic
condition: selection
selection:
EventID: 3036
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
- source: sigma
- technicques:
Description
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_vmware:
FileNameBuffer:
- system32\drivers\vsock.sys
- System32\drivers\vmci.sys
selection:
EventID:
- 3082
- 3083
ProcessHacker Privilege Elevation
- source: sigma
- technicques:
- t1543
- t1543.003
- t1569
- t1569.002
Description
Detects a ProcessHacker tool that elevated privileges to a very high level
Detection logic
condition: selection
selection:
AccountName: LocalSystem
EventID: 7045
Provider_Name: Service Control Manager
ServiceName|startswith: ProcessHacker
Meterpreter or Cobalt Strike Getsystem Service Installation - System
- source: sigma
- technicques:
- t1134
- t1134.001
- t1134.002
Description
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Detection logic
condition: selection_id and 1 of selection_cli_*
selection_cli_cmd:
ImagePath|contains:
- cmd
- '%COMSPEC%'
ImagePath|contains|all:
- /c
- echo
- \pipe\
selection_cli_rundll:
ImagePath|contains|all:
- rundll32
- .dll,a
- '/p:'
selection_cli_share:
ImagePath|startswith: \\\\127.0.0.1\\ADMIN$\
selection_id:
EventID: 7045
Provider_Name: Service Control Manager
NTFS Vulnerability Exploitation
- source: sigma
- technicques:
- t1499
- t1499.001
Description
This the exploitation of a NTFS vulnerability as reported without many details via Twitter
Detection logic
condition: selection
selection:
Description|contains|all:
- contains a corrupted file record
- The name of the file is "\"
EventID: 55
Origin: File System Driver
Provider_Name: Ntfs
Mailbox Export to Exchange Webserver
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
Detection logic
condition: (export_command and export_params) or role_assignment
export_command:
'|all':
- New-MailboxExportRequest
- ' -Mailbox '
export_params:
- -FilePath "\\\\
- .aspx
role_assignment:
'|all':
- New-ManagementRoleAssignment
- ' -Role "Mailbox Import Export"'
- ' -User '
ProxyLogon MSExchange OabVirtualDirectory
- source: sigma
- technicques:
- t1587
- t1587.001
Description
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
Detection logic
condition: keywords_cmdlet and keywords_params
keywords_cmdlet:
'|all':
- OabVirtualDirectory
- ' -ExternalUrl '
keywords_params:
- eval(request
- http://f/<script
- '"unsafe"};'
- function Page_Load()
Certificate Request Export to Exchange Webserver
- source: sigma
- technicques:
- t1505
- t1505.003
Description
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Detection logic
condition: keywords_export_command and keywords_export_params
keywords_export_command:
'|all':
- New-ExchangeCertificate
- ' -GenerateRequest'
- ' -BinaryEncoded'
- ' -RequestFile'
keywords_export_params:
- \\\\localhost\\C$
- \\\\127.0.0.1\\C$
- C:\\inetpub
- .aspx
Query Tor Onion Address - DNS Client
- source: sigma
- technicques:
- t1090
- t1090.003
Description
Detects DNS resolution of an .onion address related to Tor routing networks
Detection logic
condition: selection
selection:
EventID: 3008
QueryName|contains: .onion
Failed DNS Zone Transfer
- source: sigma
- technicques:
- t1590
- t1590.002
Description
Detects when a DNS zone transfer failed.
Detection logic
condition: selection
selection:
EventID: 6004
DNS Query Request To OneLaunch Update Service
- source: sigma
- technicques:
- t1056
Description
Detects DNS query requests to “update.onelaunch.com”. This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
Detection logic
condition: selection
selection:
Image|endswith: \OneLaunch.exe
QueryName: update.onelaunch.com
Vulnerable HackSys Extreme Vulnerable Driver Load
- source: sigma
- technicques:
- t1543
- t1543.003
Description
Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
Detection logic
condition: 1 of selection*
selection_name:
ImageLoaded|endswith: \HEVD.sys
selection_other:
Imphash:
- f26d0b110873a1c7d8c4f08fbeab89c5
- c46ea2e651fd5f7f716c8867c6d13594
selection_sysmon:
Hashes|contains:
- IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5
- IMPHASH=c46ea2e651fd5f7f716c8867c6d13594
Potential Mpclient.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects potential sideloading of “mpclient.dll” by Windows Defender processes (“MpCmdRun” and “NisSrv”) from their non-default directory.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_locations:
Image|startswith:
- C:\Program Files (x86)\Windows Defender\
- C:\Program Files\Microsoft Security Client\
- C:\Program Files\Windows Defender\
- C:\ProgramData\Microsoft\Windows Defender\Platform\
- C:\Windows\WinSxS\
selection:
ImageLoaded|endswith: \mpclient.dll
Image|endswith:
- \MpCmdRun.exe
- \NisSrv.exe
Microsoft Office DLL Sideload
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith:
- C:\Program Files\Microsoft Office\OFFICE
- C:\Program Files (x86)\Microsoft Office\OFFICE
- C:\Program Files\Microsoft Office\Root\OFFICE
- C:\Program Files (x86)\Microsoft Office\Root\OFFICE
selection:
ImageLoaded|endswith: \outllib.dll
Potential RjvPlatform.DLL Sideloading From Non-Default Location
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “RjvPlatform.dll” by “SystemResetPlatform.exe” located in a non-default location.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
Image|startswith: C:\Windows\System32\SystemResetPlatform\
selection:
Image: \SystemResetPlatform.exe
ImageLoaded|endswith: \RjvPlatform.dll
Potential Waveedit.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “waveedit.dll”, which is part of the Nero WaveEditor audio editing software.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
Image:
- C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe
- C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe
ImageLoaded|startswith:
- C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\
- C:\Program Files\Nero\Nero Apps\Nero WaveEditor\
selection:
ImageLoaded|endswith: \waveedit.dll
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
- source: sigma
- technicques:
- t1003
- t1003.001
Description
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
Detection logic
condition: selection and not filter
filter:
ImageLoaded|endswith: \comsvcs.dll
selection:
Hashes|contains:
- IMPHASH=eed93054cb555f3de70eaa9787f32ebb
- IMPHASH=5e0dbdec1fce52daae251a110b4f309d
- IMPHASH=eadbccbb324829acb5f2bbe87e5549a8
- IMPHASH=407ca0f7b523319d758a40d7c0193699
- IMPHASH=281d618f4e6271e527e6386ea6f748de
Image|endswith: \rundll32.exe
Potential Mfdetours.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “mfdetours.dll”. While using “mftrace.exe” it can be abused to attach to an arbitrary process and force load any DLL named “mfdetours.dll” from the current directory of execution.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
ImageLoaded|contains: :\Program Files (x86)\Windows Kits\10\bin\
selection:
ImageLoaded|endswith: \mfdetours.dll
Potential DLL Sideloading Via VMware Xfer
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith: C:\Program Files\VMware\
selection:
ImageLoaded|endswith: \glib-2.0.dll
Image|endswith: \VMwareXferlogs.exe
Unsigned Module Loaded by ClickOnce Application
- source: sigma
- technicques:
- t1574
- t1574.002
Description
Detects unsigned module load by ClickOnce application.
Detection logic
condition: all of selection_*
selection_path:
Image|contains: \AppData\Local\Apps\2.0\
selection_sig_status:
- Signed: 'false'
- SignatureStatus: Expired
Potential Edputil.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “edputil.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_generic:
ImageLoaded|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C\Windows\WinSxS\
selection:
ImageLoaded|endswith: \edputil.dll
Potential DLL Sideloading Via comctl32.dll
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Detection logic
condition: selection
selection:
ImageLoaded|endswith: \comctl32.dll
ImageLoaded|startswith:
- C:\Windows\System32\logonUI.exe.local\
- C:\Windows\System32\werFault.exe.local\
- C:\Windows\System32\consent.exe.local\
- C:\Windows\System32\narrator.exe.local\
- C:\windows\system32\wermgr.exe.local\
HackTool - SILENTTRINITY Stager DLL Load
- source: sigma
- technicques:
- t1071
Description
Detects SILENTTRINITY stager dll loading activity
Detection logic
condition: selection
selection:
Description|contains: st2stager
Unsigned Mfdetours.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects DLL sideloading of unsigned “mfdetours.dll”. Executing “mftrace.exe” can be abused to attach to an arbitrary process and force load any DLL named “mfdetours.dll” from the current directory of execution.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
ImageLoaded|contains: :\Program Files (x86)\Windows Kits\10\bin\
SignatureStatus: Valid
selection:
ImageLoaded|endswith: \mfdetours.dll
Potential SmadHook.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “SmadHook.dll”, a DLL used by SmadAV antivirus
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
Image:
- C:\Program Files (x86)\SMADAV\SmadavProtect32.exe
- C:\Program Files (x86)\SMADAV\SmadavProtect64.exe
- C:\Program Files\SMADAV\SmadavProtect32.exe
- C:\Program Files\SMADAV\SmadavProtect64.exe
ImageLoaded|startswith:
- C:\Program Files (x86)\SMADAV\
- C:\Program Files\SMADAV\
selection:
ImageLoaded|endswith:
- \SmadHook32c.dll
- \SmadHook64c.dll
Fax Service DLL Search Order Hijack
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Detection logic
condition: selection and not filter
filter:
ImageLoaded|startswith: C:\Windows\WinSxS\
selection:
ImageLoaded|endswith: ualapi.dll
Image|endswith: \fxssvc.exe
Potential appverifUI.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “appverifUI.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
Image:
- C:\Windows\SysWOW64\appverif.exe
- C:\Windows\System32\appverif.exe
ImageLoaded|startswith:
- C:\Windows\System32\
- C:\Windows\SysWOW64\
- C:\Windows\WinSxS\
selection:
ImageLoaded|endswith: \appverifUI.dll
Potential EACore.DLL Sideloading
- source: sigma
- technicques:
- t1574
- t1574.001
- t1574.002
Description
Detects potential DLL sideloading of “EACore.dll”
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_legit_path:
ImageLoaded|startswith: C:\Program Files\Electronic Arts\EA Desktop\
Image|contains|all:
- C:\Program Files\Electronic Arts\EA Desktop\
- \EACoreServer.exe
selection:
ImageLoaded|endswith: \EACore.dll
HackTool - Koh Default Named Pipe
- source: sigma
- technicques:
- t1134
- t1134.001
- t1528
Description
Detects creation of default named pipes used by the Koh tool
Detection logic
condition: selection
selection:
PipeName|contains:
- \imposecost
- \imposingcost
HackTool - DiagTrackEoP Default Named Pipe
- source: sigma
- technicques:
Description
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses “SeImpersonate” privilege.
Detection logic
condition: selection
selection:
PipeName|contains: thisispipe
HackTool - Rubeus Execution - ScriptBlock
- source: sigma
- technicques:
- t1003
- t1550
- t1550.003
- t1558
- t1558.003
Description
Detects the execution of the hacktool Rubeus using specific command line flags
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- 'asreproast '
- 'dump /service:krbtgt '
- dump /luid:0x
- 'kerberoast '
- 'createnetonly /program:'
- 'ptt /ticket:'
- '/impersonateuser:'
- 'renew /ticket:'
- 'asktgt /user:'
- 'harvest /interval:'
- 's4u /user:'
- 's4u /ticket:'
- 'hash /password:'
- 'golden /aes256:'
- 'silver /user:'
PSAsyncShell - Asynchronous TCP Reverse Shell
- source: sigma
- technicques:
- t1059
- t1059.001
Description
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
Detection logic
condition: selection
selection:
ScriptBlockText|contains: PSAsyncShell
Linux Doas Tool Execution
- source: sigma
- technicques:
- t1548
Description
Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
Detection logic
condition: selection
selection:
Image|endswith: /doas
Potential Netcat Reverse Shell Execution
- source: sigma
- technicques:
- t1059
Description
Detects execution of netcat with the “-e” flag followed by common shells. This could be a sign of a potential reverse shell setup.
Detection logic
condition: all of selection_*
selection_flags:
CommandLine|contains:
- ' -c '
- ' -e '
selection_nc:
Image|endswith:
- /nc
- /ncat
selection_shell:
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
- /bin/ash
- /bin/bash
- /bin/bsh
- /bin/csh
- /bin/ksh
- /bin/pdksh
- /bin/sh
- /bin/tcsh
- /bin/zsh
- $IFSash
- $IFSbash
- $IFSbsh
- $IFScsh
- $IFSksh
- $IFSpdksh
- $IFSsh
- $IFStcsh
- $IFSzsh
Triple Cross eBPF Rootkit Execve Hijack
- source: sigma
- technicques:
Description
Detects execution of a the file “execve_hijack” which is used by the Triple Cross rootkit as a way to elevate privileges
Detection logic
condition: selection
selection:
CommandLine|contains: execve_hijack
Image|endswith: /sudo
Apache Spark Shell Command Injection - ProcessCreation
- source: sigma
- technicques:
- t1190
Description
Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
Detection logic
condition: selection
selection:
CommandLine|contains:
- id -Gn `
- id -Gn '
ParentImage|endswith: \bash
Sudo Privilege Escalation CVE-2019-14287
- source: sigma
- technicques:
- t1068
- t1548
- t1548.003
Description
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Detection logic
condition: selection
selection:
CommandLine|contains: ' -u#'
Triple Cross eBPF Rootkit Install Commands
- source: sigma
- technicques:
- t1014
Description
Detects default install commands of the Triple Cross eBPF rootkit based on the “deployer.sh” script
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' qdisc '
- ' filter '
CommandLine|contains|all:
- ' tc '
- ' enp0s3 '
Image|endswith: /sudo
Potential Perl Reverse Shell Execution
- source: sigma
- technicques:
Description
Detects execution of the perl binary with the “-e” flag and common strings related to potential reverse shell activity
Detection logic
condition: all of selection_*
selection_content:
- CommandLine|contains|all:
- fdopen(
- ::Socket::INET
- CommandLine|contains|all:
- Socket
- connect
- open
- exec
selection_img:
CommandLine|contains: ' -e '
Image|endswith: /perl
Linux HackTool Execution
- source: sigma
- technicques:
- t1587
Description
Detects known hacktool execution based on image name.
Detection logic
condition: 1 of selection_*
selection_c2_framework_cobaltstrike:
Image|contains:
- /cobaltstrike
- /teamserver
selection_c2_frameworks:
Image|endswith:
- /crackmapexec
- /havoc
- /merlin-agent
- /merlinServer-Linux-x64
- /msfconsole
- /msfvenom
- /ps-empire server
- /ps-empire
- /sliver-client
- /sliver-server
- /Villain.py
selection_exploit_tools:
Image|endswith:
- /aircrack-ng
- /bloodhound-python
- /bpfdos
- /ebpfki
- /evil-winrm
- /hashcat
- /hoaxshell.py
- /hydra
- /john
- /ncrack
- /nxc-ubuntu-latest
- /pidhide
- /pspy32
- /pspy32s
- /pspy64
- /pspy64s
- /setoolkit
- /sqlmap
- /writeblocker
selection_linpeas:
Image|contains: /linpeas
selection_scanners:
Image|endswith:
- /autorecon
- /httpx
- /legion
- /naabu
- /netdiscover
- /nmap
- /nuclei
- /recon-ng
- /zenmap
selection_scanners_sniper:
Image|contains: /sniper
selection_web_enum:
Image|endswith:
- /dirb
- /dirbuster
- /eyewitness
- /feroxbuster
- /ffuf
- /gobuster
- /wfuzz
- /whatweb
selection_web_vuln:
Image|endswith:
- /joomscan
- /nikto
- /wpscan
Triple Cross eBPF Rootkit Default Persistence
- source: sigma
- technicques:
- t1053
- t1053.003
Description
Detects the creation of “ebpfbackdoor” files in both “cron.d” and “sudoers.d” directories. Which both are related to the TripleCross persistence method
Detection logic
condition: selection
selection:
TargetFilename|endswith: ebpfbackdoor
Linux Doas Conf File Creation
- source: sigma
- technicques:
- t1548
Description
Detects the creation of doas.conf file in linux host platform.
Detection logic
condition: selection
selection:
TargetFilename|endswith: /etc/doas.conf
Triple Cross eBPF Rootkit Default LockFile
- source: sigma
- technicques:
Description
Detects the creation of the file “rootlog” which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Detection logic
condition: selection
selection:
TargetFilename: /tmp/rootlog
Sudo Privilege Escalation CVE-2019-14287 - Builtin
- source: sigma
- technicques:
- t1068
- t1548
- t1548.003
Description
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Detection logic
condition: selection_user
selection_user:
USER:
- '#-*'
- '#*4294967295'
BPFDoor Abnormal Process ID or Lock File Accessed
- source: sigma
- technicques:
- t1059
- t1106
Description
detects BPFDoor .lock and .pid files access in temporary file storage facility
Detection logic
condition: selection
selection:
name:
- /var/run/haldrund.pid
- /var/run/xinetd.lock
- /var/run/kdevrund.pid
type: PATH
OpenCanary - SSH Login Attempt
- source: sigma
- technicques:
- t1021
- t1078
- t1133
Description
Detects instances where an SSH service on an OpenCanary node has had a login attempt.
Detection logic
condition: selection
selection:
logtype: 4002
OpenCanary - SIP Request
- source: sigma
- technicques:
- t1123
Description
Detects instances where an SIP service on an OpenCanary node has had a SIP request.
Detection logic
condition: selection
selection:
logtype: 15001
OpenCanary - VNC Connection Attempt
- source: sigma
- technicques:
- t1021
Description
Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
Detection logic
condition: selection
selection:
logtype: 12001
OpenCanary - HTTP GET Request
- source: sigma
- technicques:
- t1190
Description
Detects instances where an HTTP service on an OpenCanary node has received a GET request.
Detection logic
condition: selection
selection:
logtype: 3000
OpenCanary - HTTPPROXY Login Attempt
- source: sigma
- technicques:
- t1090
Description
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
Detection logic
condition: selection
selection:
logtype: 7001
OpenCanary - GIT Clone Request
- source: sigma
- technicques:
- t1213
Description
Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
Detection logic
condition: selection
selection:
logtype: 16001
OpenCanary - SSH New Connection Attempt
- source: sigma
- technicques:
- t1021
- t1078
- t1133
Description
Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
Detection logic
condition: selection
selection:
logtype: 4000
OpenCanary - MSSQL Login Attempt Via Windows Authentication
- source: sigma
- technicques:
- t1003
- t1213
Description
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
Detection logic
condition: selection
selection:
logtype: 9002
OpenCanary - Telnet Login Attempt
- source: sigma
- technicques:
- t1078
- t1133
Description
Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Detection logic
condition: selection
selection:
logtype: 6001
OpenCanary - SMB File Open Request
- source: sigma
- technicques:
- t1005
- t1021
Description
Detects instances where an SMB service on an OpenCanary node has had a file open request.
Detection logic
condition: selection
selection:
logtype: 5000
OpenCanary - HTTP POST Login Attempt
- source: sigma
- technicques:
- t1190
Description
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
Detection logic
condition: selection
selection:
logtype: 3001
OpenCanary - REDIS Action Command Attempt
- source: sigma
- technicques:
- t1003
- t1213
Description
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
Detection logic
condition: selection
selection:
logtype: 17001
OpenCanary - NTP Monlist Request
- source: sigma
- technicques:
- t1498
Description
Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
Detection logic
condition: selection
selection:
logtype: 11001
OpenCanary - SNMP OID Request
- source: sigma
- technicques:
- t1016
- t1021
Description
Detects instances where an SNMP service on an OpenCanary node has had an OID request.
Detection logic
condition: selection
selection:
logtype: 13001
OpenCanary - FTP Login Attempt
- source: sigma
- technicques:
- t1021
- t1190
Description
Detects instances where an FTP service on an OpenCanary node has had a login attempt.
Detection logic
condition: selection
selection:
logtype: 2000
OpenCanary - MSSQL Login Attempt Via SQLAuth
- source: sigma
- technicques:
- t1003
- t1213
Description
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
Detection logic
condition: selection
selection:
logtype: 9001
OpenCanary - TFTP Request
- source: sigma
- technicques:
- t1041
Description
Detects instances where a TFTP service on an OpenCanary node has had a request.
Detection logic
condition: selection
selection:
logtype: 10001
OpenCanary - MySQL Login Attempt
- source: sigma
- technicques:
- t1003
- t1213
Description
Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
Detection logic
condition: selection
selection:
logtype: 8001