Turla
Use the IBM Security QRadar Techniques for Turla Content Extension to closely monitor your deployment for Turla malware.
IBM Security QRadar Techniques for Turla Content Extension
- IBM Security QRadar Techniques for Turla Content Extension 1.0.4
- IBM Security QRadar Techniques for Turla Content Extension 1.0.3
- IBM Security QRadar Techniques for Turla Content Extension 1.0.2
- IBM Security QRadar Techniques for Turla Content Extension 1.0.1
- IBM Security QRadar Techniques for Turla Content Extension 1.0.0
IBM Security QRadar Techniques for Turla Content Extension 1.0.4
The following table shows the rules that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.4.
Name | Optimized | Description |
---|---|---|
Key Length | Yes | This property type is changed from alphanumeric to numeric. |
IBM Security QRadar Techniques for Turla Content Extension 1.0.3
The following table shows the rules that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.3.
Type | Name | Description |
---|---|---|
Rule | Pass the Hash Activity | Detects the attack technique pass the hash that is used to move laterally inside the
network. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Pass the Hash Activity in Network Logons | Detects the attack technique pass the hash that is used to move laterally inside the
network. Used under Detection Rule License 1.1. |
IBM Security QRadar Techniques for Turla Content Extension 1.0.2
The following table shows the rules that have been updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.2.
Type | Name | Description |
---|---|---|
Rule | DNS Exfiltration Tools Execution | Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling Tools
Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | UAC Remote Restrictions Disabled | Detects registry modification that allows remote administrative actions. Based on the Disable
UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and Splunk. Used under Detection Rule License 1.1. |
Rule | Suspicious Subprocess from RazerInstaller | Detects suspicious subprocess from RazerInstaller.exe. Based on the
Suspicious RazerInstaller Explorer Subprocess Sigma rule by Florian Roth, and Maxime
Thiebaut. Used under Detection Rule License 1.1. |
IBM Security QRadar Techniques for Turla Content Extension 1.0.1
The following table shows the custom properties that are updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.1.
Name | Optimized | Description |
---|---|---|
Command Property Definition | Yes | This property is a placeholder for default custom extraction of Command Property from DSM payloads. |
Parent Process Path Property Definition | Yes | This property is a placeholder for default custom extraction of Parent Process Path from DSM payloads. |
The following table shows the rules and building blocks that are updated in IBM Security QRadar Techniques for Turla Content Extension 1.0.1.
Type | Name | Description |
---|---|---|
Rule | Communication to EquationGroup C2 Tools | Detects communications to C2 servers. Based on the Equation Group C2 Communication Sigma rule
by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Command Executed via SettingContent-ms | Detects command that is executed through SettingContent-ms. Based on the Arbitrary Shell
Command Execution through Settingcontent-Ms Sigma rule by Sreeman. Used under Detection Rule License 1.1. |
Rule | DNS Exfiltration Tools Execution | Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling Tools
Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | UAC Remote Restrictions Disabled | Detects registry modification that allows remote administrative actions. Based on the Disable
UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and Splunk. Used under Detection Rule License 1.1. |
Rule | Shadow Copies Creation Using Operating Systems Utilities | Detects possible scenarios of credential access where shadow copies are created by using
operating systems utilities. Based on the Shadow Copies Creation Using Operating Systems Utilities
Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Shells Spawned by Web Servers | Detects web servers that spawn shell processes that might be the result of a successfully
placed web shell or another attack. Based on the Shells Spawned by Web Servers Sigma rule by Thomas
Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, and Nasreddine
Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Active Directory Group/Computer Enumeration | Triggers when a group or a computer is counted within Active Directory. Based on the Active
Directory Group Enumeration With Get-AdGroup and Active Directory Computers Enumeration with
Get-AdComputer Sigma rules by frack113. Used under Detection Rule License 1.1. |
Rule | Get-ADUser User Discovery and Export | Triggers when usage of the Get-ADUser cmdlet to collect user information and output it to a
file. Based on the User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Sigma rule by
Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
IBM Security QRadar Techniques for Turla Content Extension 1.0.0
The following table shows the custom properties that are in IBM Security QRadar Techniques for Turla Content Extension 1.0.0.
Name | Optimized | Description |
---|---|---|
Access Mask | Yes | This property is a placeholder for default custom extraction of Access Mask from DSM payloads. |
Accesses | Yes | This property is a placeholder for default custom extraction of Accesses from DSM payloads. |
Account Name | Yes | This property is a placeholder for default custom extraction of Account Name from DSM payloads. |
Account Security ID | No | This property is a placeholder for default custom extraction of Account Security ID from DSM payloads. |
Audit ID | Yes | This property is a placeholder for default custom extraction of Audit ID from DSM payloads. |
Authentication Package | Yes | This property is a placeholder for default custom extraction of Authentication Package from DSM payloads. |
Call Trace | Yes | This property is a placeholder for default custom extraction of Call Trace from DSM payloads. |
Call Type | Yes | This property is a placeholder for default custom extraction of Call Type from DSM payloads. |
Command | Yes | This property is a placeholder for default custom extraction of Command from DSM payloads. |
Command Arguments | Yes | This property is a placeholder for default custom extraction of Command Arguments from DSM payloads. |
Consumer Destination | Yes | This property is a placeholder for default custom extraction of Consumer Destination from DSM payloads. |
Description | No | This property is a placeholder for default custom extraction of Description from DSM payloads. |
Destination Hostname | Yes | This property is a placeholder for default custom extraction of Destination Hostname from DSM payloads. |
Error Code | Yes | This property is a placeholder for default custom extraction of Error Code from DSM payloads. |
Extended Error Code | Yes | This property is a placeholder for default custom extraction of Extended Error Code from DSM payloads. |
File Directory | Yes | This property is a placeholder for default custom extraction of File Directory from DSM payloads. |
File Extension | Yes | This property is a placeholder for default custom extraction of File Extension from DSM payloads. |
File Path | Yes | This property is a placeholder for default custom extraction of File Path from DSM payloads. |
Filename | Yes | This property is a placeholder for default custom extraction of Filename from DSM payloads. |
Granted Access | Yes | This property is a placeholder for default custom extraction of Granted Access from DSM payloads. |
Group Name | Yes | This property is a placeholder for default custom extraction of Group Name from DSM payloads. |
Impersonation Level | Yes | This property is a placeholder for default custom extraction of Impersonation Level from DSM payloads. |
Initiated | Yes | This property is a placeholder for default custom extraction of Initiated from DSM payloads. |
Initiator Username | Yes | This property is a placeholder for default custom extraction of Initiator Username from DSM payloads. |
Integrity Level | Yes | This property is a placeholder for default custom extraction of Integrity Level from DSM payloads. |
Logon Process | Yes | This property is a placeholder for default custom extraction of Logon Process from DSM payloads. |
Logon Type | Yes | This property is a placeholder for default custom extraction of Logon Type from DSM payloads. |
Machine Identifier | Yes | This property is a placeholder for default custom extraction of Machine Identifier from DSM payloads. |
MD5 Hash | Yes | This property is a placeholder for default custom extraction of MD5 Hash from DSM payloads. |
Parent Command | Yes | This property is a placeholder for default custom extraction of Parent Command from DSM payloads. |
Parent Process Name | Yes | This property is a placeholder for default custom extraction of Parent Process Name from DSM payloads. |
Parent Process Path | Yes | This property is a placeholder for default custom extraction of Parent Process Path from DSM payloads. |
Pipe Name | Yes | This property is a placeholder for default custom extraction of Pipe Name from DSM payloads. |
Process Name | Yes | This property is a placeholder for default custom extraction of Process Name from DSM payloads. |
Process Path | Yes | This property is a placeholder for default custom extraction of Process Path from DSM payloads. |
Properties | Yes | This property is a placeholder for default custom extraction of Properties from DSM payloads. |
Registry Key | Yes | This property is a placeholder for default custom extraction of Registry Key from DSM payloads. |
Registry Value Data | Yes | This property is a placeholder for default custom extraction of Registry Value Data from DSM payloads. |
Relative Target Name | No | This property is a placeholder for default custom extraction of Relative Target Name from DSM payloads. |
Service Filename | Yes | This property is a placeholder for default custom extraction of Service Filename from DSM payloads. |
Service Name | Yes | This property is a placeholder for default custom extraction of Service Name from DSM payloads. |
SHA256 Hash | Yes | This property is a placeholder for default custom extraction of SHA256 Hash from DSM payloads. |
Share Name | Yes | This property is a placeholder for default custom extraction of Share Name from DSM payloads. |
Start Function | Yes | This property is a placeholder for default custom extraction of Start Function from DSM payloads. |
Start Module | Yes | This property is a placeholder for default custom extraction of Start Module from DSM payloads. |
Subject Account Name | Yes | This property is a placeholder for default custom extraction of Subject Account Name from DSM payloads. |
Target Account Security ID | No | This property is a placeholder for default custom extraction of Target Account Security ID from DSM payloads. |
Target Details | Yes | This property is a placeholder for default custom extraction of Target Details from DSM payloads. |
Target File Directory | Yes | This property is a placeholder for default custom extraction of Target File Directory from DSM payloads. |
Target Object | Yes | This property is a placeholder for default custom extraction of Target Object from DSM payloads. |
Target Process Name | No | This property is a placeholder for default custom extraction of Target Process Name from DSM payloads. |
Target Process Path | No | This property is a placeholder for default custom extraction of Target Process Path from DSM payloads. |
Target Username | Yes | This property is a placeholder for default custom extraction of Target Username from DSM payloads. |
Type | No | This property is a placeholder for default custom extraction of Type from DSM payloads. |
URL Host | Yes | This property is a placeholder for default custom extraction of URL Host from DSM payloads. |
The following table shows the rules and building blocks that are in IBM Security QRadar Techniques for Turla Content Extension 1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: Abuse of Findstr | Detects abuse of findstr for evasion. Adversaries can use findstr to hide their artifacts or
search specific strings and evade defense mechanism. Based on the Abusing Findstr for Defense
Evasion Sigma rule by Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, and Nasreddine
Bencherchali. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Abuse of Print Executable | Detects the use of print.exe for remote file copy. Based on the
Abusing Print Executable Sigma rule by Furkan CALISKAN, @caliskanfurkan_, and
@oscd_initiative. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Account Tampering - Suspicious Failed Logon Reasons | Detects uncommon error codes on failed login attempts to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. |
Building Block | BB:BehaviorDefinition: Application Whitelisting Bypass via Bginfo | Detects execution of VBscript code that is referenced within the *.bgi
file. Based on the Application Whitelisting Bypass via Bginfo Sigma rule by Beyu Denis,
and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Arbitrary Command Execution Using WSL | Detects Possible usage of Windows Subsystem for Linux® (WSL) binary as a LOLBIN to execute arbitrary Linux and Windows commands. Based on the Arbitrary Command Execution Using
WSL Sigma rule by oscd.community, Zach Stanford @svch0st, and Nasreddine Bencherchali
(Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Atbroker Registry Change | Detects creation or modification of Assistive Technology applications and persistence with
usage of 'at'. Based on the Atbroker Registry Change Sigma rule by Mateusz Wydra, and
oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Atlassian Confluence Spawning | Detects spawning of suspicious child processes by Atlassian Confluence server which might
indicate successful exploitation. Based on the Atlassian Confluence CVE-2021-26084
Sigma rule by Bhabesh Raj. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Automated Collection Command PowerShell | Detects an adversary using automated techniques for collecting internal data. Based on the
Automated Collection Command PowerShell Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Automated Collection Command Prompt | Detects an adversary using automated techniques for collecting internal data. Based on the
Automated Collection Command Prompt Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: BPFtrace Unsafe Option Usage | Detects the usage of the unsafe bpftrace option. Based on the BPFtrace Unsafe Option
Usage Sigma rule by Andreas Hunkeler (@Karneades). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: C2 Session over ICMP | Detects C2 session over ICMP. |
Building Block | BB:BehaviorDefinition: Carbon Filenames | Detects when a Carbon filename is discovered. First set of names is from Carbon 3.7x, while second set of names is from Carbon 3.8x. |
Building Block | BB:BehaviorDefinition: Carbon Service Name | Detects when a Carbon service is installed. |
Building Block | BB:BehaviorDefinition: Clearing Windows Console History | Identifies when a user attempts to clear console history. An adversary may clear the command
history of a compromised account to conceal the actions undertaken during an intrusion. Based on the
Clearing Windows Console History Sigma rule by Austin Songer @austinsonger. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: ComRAT Registry Installation | Detects when a ComRAT service is installed and a payload is written into the registry. This might indicate an existing access such as compromised credentials or a previously installed backdoor. |
Building Block | BB:BehaviorDefinition: ComRAT Scheduled Task Creation | Detects when new scheduled task creations. ComRAT utilizes scheduled task to execute commands. |
Building Block | BB:BehaviorDefinition: Common Reconnaissance Commands | Detects common reconnaissance commands adversaries execute to gather information about the
victim. The rule may be tuned by the Process CommandLine field. Some common Process CommandLine keywords that appear are:
|
Building Block | BB:BehaviorDefinition: Creation of Cron Files | Detects creation of cron file or files in Cron directories. Based on the Persistence
Via Cron Files Sigma rule by Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), and
MSTIC. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Crutch File Staging | Detects when a Crutch file staging under C:\AMD\Temp location. |
Building Block | BB:BehaviorDefinition: Crutch Filenames | Detects when Crutch files under C:\Intel are discovered. Crunch files
can include:
|
Building Block | BB:BehaviorDefinition: Curl Start Combination and VBS Execute Arbitrary PowerShell Code | Detects execution of arbitrary PowerShell code using
SyncAppvPublishingServer.vbs. Adversaries can use curl to download payloads
remotely and execute them. Based on the Curl Download And Execute Combination Sigma
rule by Sreeman, and Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: DLL Execution Via Register-cimprovider.exe | Detects using register-cimprovider.exe to execute arbitrary DLL file.
Based on the DLL Execution Via Register-cimprovider.exe Sigma rule by Ivan Dyachkov,
Yulia Fomina, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: DLL Execution via Rasautou | Detects using Rasautou.exe for loading arbitrary DLL specified in
-d option and executes the export specified in -p. Based
on the DLL Execution via Rasautou.exe Sigma rule by Julia Fomina, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Data Compressed - PowerShell | Detects compressed data that is collected prior to exfiltration. Based on the Data
Compressed - PowerShell Sigma rule by Timur Zinniatullin, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Delete Application Log | Detects deletion of log files. Based on the TeamViewer Log File Deleted Sigma
rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Disable of ETW Trace | Detects a command that clears or disables any ETW trace log which could indicate a logging
evasion. Based on the Disable of ETW Trace Sigma rule by @neu5ron, Florian Roth
(Nextron Systems), Jonhnathan Ribeiro, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Discovery Via Default Driver Altitude - Sysmon | Detects usage of findstr with the argument 385201,
which could indicate potential discovery of an installed Sysinternals Sysmon service using the
default driver altitude. Based on the Suspicious Findstr 385201 Execution Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN | Detects dotnet.exe will execute any DLL and execute unsigned code. Based
on the Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN Sigma rule by Beyu Denis,
and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Download Utilities in Events | Detects when a download utility is being used on an Endpoint, such as ftp, sftp, curl, cuteftp, wget, certutil, bits, or nc. |
Building Block | BB:BehaviorDefinition: ETW Logging Tamper In .NET Processes | Detects changes to environment variables related to ETW logging. Based on the ETW
Logging Tamper In .NET Processes Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open
Threat Research). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Epic Filenames | Detects when Epic files are discovered. |
Building Block | BB:BehaviorDefinition: Epic Log Filenames | Detects when Epic log files are discovered. |
Building Block | BB:BehaviorDefinition: Epic Search Terms | Detects when Epic does a search on certain terms. |
Building Block | BB:BehaviorDefinition: Exchange Mailbox Export via PowerShell | Detects the Exchange PowerShell New-MailBoxExportRequest cmdlet exporting the contents of a primary mailbox or archive to a .pst file. For more information about this attack, see Exporting Exchange Mailbox via PowerShell. |
Building Block | BB:BehaviorDefinition: Exchange PowerShell Snap-Ins Usage | detects adding and using Exchange PowerShell snap-ins to export mailbox data. Based on the
Exchange PowerShell Snap-Ins Usage Sigma rule by FPT.EagleEye, and Nasreddine
Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Execute Files with Msdeploy | Detects file execution using the msdeploy.exe lolbin. Based on the
Execute Files with Msdeploy.exe Sigma rule by Beyu Denis, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Execution DLL of Choice Using WAB | Detects that the path to the DLL written in the registry is different from the default one.
Launched WAB.exe tries to load the DLL from Registry. Based on the
Execution DLL of Choice Using WAB.EXE Sigma rule by oscd.community, and Natalia
Shornikova. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Execution via Diskshadow | Detects using Diskshadow.exe to execute arbitrary code in text file.
Based on the Execution via Diskshadow.exe Sigma rule by Ivan Dyachkov, and
oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Execution via WorkFolders | Detects using WorkFolders.exe to execute an arbitrary
control.exe. Based on the Execution via WorkFolders.exe Sigma rule
by Maxime Thiebaut (@0xThiebaut). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Execution via stordiag | Detects the use of stordiag.exe to execute
schtasks.exe, systeminfo.exe, and
fltmc.exe. Based on the Execution via stordiag.exe Sigma rule by
Austin Songer (@austinsonger). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: File Download Using ProtocolHandler | Detects usage of ProtocolHandler to download files. Downloaded files will
be located in the cache folder. Based on the File Download Using ProtocolHandler.exe
Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: File and Directory Discovery - Linux | Detects usage of system utilities to discover files and directories. Based on the File and Directory Discovery - Linux Sigma rule by Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Fsutil Suspicious Invocation | Detects suspicious parameters of fsutil, such as deleting USN journal, or
configuring it with small size. Based on the Fsutil Suspicious Invocation Sigma rule by
JEcco, E.M. Anhaus, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Gazer Filenames | Detects when Gazer files are discovered. |
Building Block | BB:BehaviorDefinition: Gazer Registry | Detects when Gazer registry names are discovered. |
Building Block | BB:BehaviorDefinition: Gazer Registry Values | Detects when Gazer registry names are discovered. |
Building Block | BB:BehaviorDefinition: Hide Schedule Task Via Index Value Tamper | Detects when the index value of a scheduled task is modified from the
registry. Based on the Hide Schedule Task Via Index Value Tamper Sigma rule by
Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Hiding Files with Attrib.exe | Detects usage of attrib.exe to hide files from users. Based on the
Hiding Files with Attrib.exe Sigma rule by Sami Ruohonen. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: HyperStack Filenames | Detects when HyperStack files are discovered. |
Building Block | BB:BehaviorDefinition: HyperStack Pipe | Detects when HyperStack pipe name is discovered. |
Building Block | BB:BehaviorDefinition: HyperStack Registry | Detects when HyperStack registries are discovered. |
Building Block | BB:BehaviorDefinition: Invalid Password at Login | Detects invalid password at login. |
Building Block | BB:BehaviorDefinition: Invalid Password during Kerberos Pre-Authentication | Detects invalid password during Kerberos pre-authentication. |
Building Block | BB:BehaviorDefinition: Kazuar Registry Installation | detects when a Kazuar service creates registry keys for persistence. |
Building Block | BB:BehaviorDefinition: Linux File Deletion | detects file deletion using rm, shred or
unlink commands. Adversaries may delete files using these commands to cover up
their activities. Based on the File Deletion Sigma rule by Ömer Günal, and
oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Logon Scripts with UserInitMprLogonScript | Detects modification or creation of UserInitMprLogonScript. Based on the Logon Scripts
(UserInitMprLogonScript) Sigma rule by Tom Ueltschi (@c_APT_ure), and Tim Shelton. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Logon Scripts with UserInitMprLogonScript Registry | Detects modification or creation of UserInitMprLogonScript. |
Building Block | BB:BehaviorDefinition: Lolbin PressAnyKey and Download Activity | Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system. Based on the NodejsTools
PressAnyKey Lolbin Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: MSExchange Transport Agent Installation | Detects the installation of a Transport Agent in Exchange. Based on the MSExchange
Transport Agent Installation - Builtin Sigma rule by Tobias Michalski. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: MSExchange Transport Agent Registration | Detects modifications to the list of agents registered in Exchange. |
Building Block | BB:BehaviorDefinition: Malicious Files Written to the Fonts Folder | Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from. Based on the Writing
Of Malicious Files To The Fonts Folder Sigma rule by Sreeman. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Mavinject Inject DLL Into Running Process | Detects process injection using the signed Windows Mavinject toll with
the INJECTRUNNING flag. Based on the Mavinject Inject DLL Into Running
Process Sigma rule by frack113, and Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Microsoft Excel Template Creation | Detects the creation of template files for Microsoft Excel from a process which is not Excel. Based on the Office Template Creation Sigma rule by Max Altgelt (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Microsoft Word Template Creation | Detects the creation of template files for Microsoft Word from a process which is not Word. Based on the Office Template Creation Sigma rule by Max Altgelt (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Modification of Explorer Hidden Keys | Detects modifications to the hidden files keys in registry. Based on the Modification
of Explorer Hidden Keys Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Mosquito Registry Installation | Detects when a Mosquito service creates registry keys for persistence. The malware adds a shell value to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\. |
Building Block | BB:BehaviorDefinition: Mosquito Registry Installation (2) | Detects when a Mosquito service creates registry keys for persistence. The malware adds a local_update_check value to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. |
Building Block | BB:BehaviorDefinition: NTDS Exfiltration Command | Detects a command used by conti to exfiltrate NTDS. Based on the Conti NTDS
Exfiltration Command Sigma rule by Max Altgelt, and Tobias Michalski. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Netcat Execution | Detects suspicious netcat execution. Based on the Netcat Suspicious
Execution Sigma rule by frack113, and Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Netsh Port Forwarding | Detects netsh commands that configure a port forwarding. Based on the
New Port Forwarding Rule Added Via Netsh.EXX Sigma rule by Florian Roth (Nextron
Systems), omkar72, oscd.community, and Swachchhanda Shrawan Poudel. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Netsh RDP Port Forwarding | Detects netsh commands that configure a port forwarding of port 3389 used
for RDP. Based on the RDP Port Forwarding Rule Added Via Netsh.EXE Sigma rule by
Florian Roth (Nextron Systems), and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: New Service Creation Using PowerShell | Detects the creation of a new service using Powershell. Based on the New Service
Creation Using PowerShell Sigma rule by Timur Zinniatullin, Daniil Yugoslavskiy, and
oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: New Service Creation Using Sc.EXE | Detects the creation of a new service using the sc.exe utility. Based on
the New Service Creation Using Sc.EXE Sigma rule by Timur Zinniatullin, Daniil
Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Pass the Hash Activity in Network Logons | Detects the attack technique pass the hash which is used to move laterally inside the
network. Based on the Pass the Hash Activity 2 Sigma rule by Dave Kennedy, Jeff Warren
(method), and David Vassallo (rule). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Pass the Hash Activity in NewCredentials Logons | Detects the attack technique pass the hash which is used to move laterally inside the
network. Based on the Pass the Hash Activity 2 Sigma rule by Dave Kennedy, Jeff Warren
(method), and David Vassallo (rule). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: PortProxy Registry Key | Detects the modification of port proxy registry key which is used for port forwarding. Based
on the PortProxy Registry Key Sigma rule by Andreas Hunkeler (@Karneades). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Possible Linux Privilege Escalation | Detects suspicious shell commands indicating the information gathering phase as preparation
for the Privilege Escalation. Based on the Privilege Escalation Preparation Sigma rule
by Patrick Bareiss. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Possible Unauthorized MBR Modifications | Detects possible malicious unauthorized usage of bcdedit.exe. Based on
the Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE Sigma rule by
@neu5ron. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Potential Equation Group Indicators | Detects suspicious shell commands used in various Equation Group scripts and tools. Based on
the Equation Group Indicators Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: PowerShell File Download Activity | Detects when PowerShell is used to download files. |
Building Block | BB:BehaviorDefinition: Powercat Execution | Detects powercat execution. Based on the Netcat The Powershell Version Sigma
rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Powershell File and Directory Discovery | Finds or discovers files on the file system. Upon execution, file and folder information is
displayed. Based on the Powershell File and Directory Discovery Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Prefetch File Deletion | Detects the deletion of a prefetch file. Based on the Prefetch File Deleted
Sigma rule by Cedric MAURUGEON. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Proxy Execution Via Explorer | Detects the use of explorer.exe for evading defense mechanisms. Based on
the Proxy Execution Via Explorer.exe Sigma rule by Furkan CALISKAN, @caliskanfurkan_,
and @oscd_initiative. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Regsvr32 Command Line Without DLL | Detects a regsvr.exe execution that doesn't contain a DLL in the command
line. Based on the Regsvr32 Command Line Without DLL Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Root Certificate Installed via CertMgr | Detects adversaries installing a root certificate on a compromised system to avoid warnings
when connecting to adversary controlled web servers. Based on the Root Certificate
Installed Sigma rule by oscd.community, @redcanary, and Zach Stanford @svch0st. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Root Certificate Installed via Certutil | Detects adversaries installing a root certificate on a compromised system to avoid warnings
when connecting to adversary controlled web servers. Based on the Root Certificate
Installed Sigma rule by oscd.community, @redcanary, and Zach Stanford @svch0st. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Runs COM Object via Verclsid | Detects when verclsid.exe is used to run COM object via GUID. Based on
the Verclsid.exe Runs COM Object Sigma rule by Victor Sergeev, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Scheduled Cron Task | Detects the use of cron utility to create a scheduled job. |
Building Block | BB:BehaviorDefinition: Scheduled Cron Task/Job - Linux | Detects the use of cron utility to create a scheduled job. Based on the Scheduled Cron Task/Job - Linux Sigma rule by Alejandro Ortuno, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Scheduled Task Write to System32 Tasks | Detects the creation of tasks from processes executed from suspicious locations. Based on the
Suspicious Scheduled Task Write to System32 Tasks Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Scheduled Task/Job - Windows | Detects uncommon scheduled task. Based on the Uncommon Scheduled Task Once 00:00
Sigma rule by pH-T. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Script Interpreter Execution From Suspicious Folder | Detects a suspicious script executions in temporary folders or folders accessible by
environment variables. Based on the Script Interpreter Execution From Suspicious
Folder Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Security Software Discovery - Linux | Detects usage of system utilities to discover security software discovery. Based on the
Security Software Discovery - Linux Sigma rule by Daniil Yugoslavskiy, and
oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Security Software Discovery - Powershell | Detects PowerShell security software discovery. Based on the Security Software
Discovery by Powershell Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Set Windows System File with Attrib | Detects files are marked as a system file using the attrib.exe utility.
Based on the Set Files as System Files Using Attrib.EXE Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Specified Binary Execution via Devtoolslauncher or OpenWith | Detects when OpenWith.exe or Devtoolslauncher.exe
executes other binary. Based on the OpenWith.exe Executes Specified Binary Sigma rule
by Beyu Denis, oscd.community (rule), and @harr0ey (idea). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Squirrel Lolbin | Detects Possible Squirrel Packages Manager as Lolbin. Based on the Squirrel
Lolbin Sigma rule by Karneades / Markus Neis, Jonhnathan Ribeiro, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Startup Shortcut Created | Detects when a service creates a shortcut under Windows startup folder. |
Building Block | BB:BehaviorDefinition: Suspicious Activity in Shell Commands | detects suspicious shell commands used in various code exploits. Based on the
Suspicious Activity in Shell Commands Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Atbroker Execution | Detects Atbroker executing non-default Assistive Technology applications. Based on the
Suspicious Atbroker Execution Sigma rule by Mateusz Wydra, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Cabinet File Expansion | Detects the use of built-in expand utility to decompress cab files. Based on the
Suspicious Cabinet File Expansion Sigma rule by Bhabesh Raj. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Commands Linux | Detects relevant commands often related to malware or hacking activity. Based on the
Suspicious Commands Linux Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Delete Command | detects suspicious command line to remove exe or
dll. Based on the Greedy File Deletion Using Del Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Eventlog Cleared via PowerShell | Detects clearing of eventlogs using PowerShell. Based on the Suspicious Eventlog Clear
or Configuration Change Sigma rule by Ecco, Daniil Yugoslavskiy, oscd.community, and
D3F7A5105. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Eventlog Cleared via WMIC | Detects clearing of eventlogs using wmic. Based on the Suspicious
Eventlog Clear or Configuration Change Sigma rule by Ecco, Daniil Yugoslavskiy,
oscd.community, and D3F7A5105. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Eventlog Cleared via Wevtutil | Detects clearing of eventlogs using wevtutil. Based on the
Suspicious Eventlog Clear or Configuration Change Sigma rule by Ecco, Daniil
Yugoslavskiy, oscd.community, and D3F7A5105. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Group And Account Reconnaissance Activity Using Net.EXE | Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Based on the Suspicious Group And Account Reconnaissance
Activity Using Net.EXE Sigma rule by Florian Roth (Nextron Systems), omkar72, @svch0st, and
Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Load DLL and Extexport Execution | Detects when a user installs certificates by using CertOC.exe to loads
the target DLL file. This also detects Extexport.exe loads DLL and is execute
from other folder the original path. Based on the Suspicious Extexport Execution Sigma
rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Load of Advapi31 | detects the load of advapi31.dll by a process running in an uncommon
folder. Based on the Suspicious Load of Advapi31.dll Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Loaders | Detects different loaders used by the Lazarus group activity. Based on the Lazarus
Loaders Sigma rule by Florian Roth, and wagga. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Net Execution | Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet. Based on the Net.exe
Execution Sigma rule by Michael Haag, Mark Woan (improvements), James Pemberton, @4A616D6573,
and oscd.community (improvements). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Obfuscation Character in Commandline | Detects possible payload obfuscation via the command line. Based on the Suspicious
Dosfuscation Character in Commandline Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Registration via cscript | Detects the registration of a VSS/VDS Provider as a COM+ application. |
Building Block | BB:BehaviorDefinition: Suspicious Remote Logon with Explicit Credentials | Detects suspicious processes logging on with explicit credentials. |
Building Block | BB:BehaviorDefinition: Suspicious Reverse Shell Command Line | detects suspicious shell commands or program code that may be executed or used in command
line to establish a reverse shell. Based on the Suspicious Reverse Shell Command Line
Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious Script Execution From Temp Folder | Detects a suspicious script executions from temporary folder. Based on the Suspicious
Script Execution From Temp Folder Sigma rule by Florian Roth, Max Altgelt, and Tim Shelton. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Suspicious ZipExec Execution | Detects the use of ZipExec which is a Proof-of-Concept (POC) tool to wrap binary-based tools
into a password-protected zip file. Based on the Suspicious ZipExec Execution Sigma
rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Svchost Incoming Connection | Detects suspicious incoming connections to the svchost.exe process. |
Building Block | BB:BehaviorDefinition: Sysinternals SDelete File Deletion | Detects the deletion of files by Sysinternals SDelete. Based on the File Deleted Via
Sysinternals SDelete Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR (Open Threat
Research). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Sysmon Driver Unload | Detects possible Sysmon driver unload. Based on the Sysmon Driver Unload Sigma
rule by Kirill Kiryanov, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: TaskCache Registry Modification | detects suspicious registry modifications to the TaskCache key. Based on the Scheduled
TaskCache Change by Uncommon Program Sigma rule by Syed Hasan (@syedhasan009). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Terminal Server Client Connection History Cleared - Registry | Detects the deletion of registry keys containing the MSTSC connection history. Based on the
Terminal Server Client Connection History Cleared - Registry Sigma rule by Christian
Burkard (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Turla Group Lateral Movement | Detects automated lateral movement by Turla group. Based on the Turla Group Lateral
Movement Sigma rule by Markus Neis. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Turla LightNeuron Installation | Triggers when a Turla LightNeuron is installed. |
Building Block | BB:BehaviorDefinition: Turla LightNeuron Objects | Triggers when a Turla LightNeuron object is loaded. |
Building Block | BB:BehaviorDefinition: User Added to Local Administrators | Detects user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity. |
Building Block | BB:BehaviorDefinition: User Agent Changed via Curl | Detects a suspicious curl process start with user agent. Based on the Suspicious Curl Change User Agents - Linux Sigma rule by Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: User Agent Changed via Powershell | Detects embedding of suspicious commands into a user agent. Based on the Change User
Agents with WebRequest Sigma rule by frack113. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: WinDbg/CDB LOLBIN Usage and Application Whitelisting Bypass via Dxcap.exe | Detects execution of Dxcap.exe and also detects usage of
cdb.exe to launch 64-bit shellcode or arbitrary processes or commands from a
debugger script file. Based on the WinDbg/CDB LOLBIN Usage Sigma rule by Beyu Denis,
oscd.community, and Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Shell/Scripting Processes Spawning Suspicious Programs | Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, and
mshta. Based on the Windows Shell/Scripting Processes Spawning Suspicious Programs Sigma rule by Florian Roth (Nextron Systems), and Tim Shelton. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Software Discovery | Triggers when windows software is discovered. Based on the Detected Windows Software Discovery Sigma rule by Nikita Nazarov, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Software Discovery - PowerShell | Triggers when windows software is discovered. Based on the Detected Windows Software Discovery - PowerShell Sigma rule by Nikita Nazarov, and oscd.community. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Spooler Service Binary Load | Detects DLL Load from Spooler Service backup folder. Based on the Windows Spooler Service Suspicious Binary Load Sigma rule by FPT.EagleEye, and Thomas Patzke
(improvements). Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Spooler Service File Deletion | Detect DLL deletions from Spooler Service driver folder. Based on the Windows Spooler Service Suspicious File Deletion Sigma rule by Bhabesh Raj. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Windows Update Client LOLBIN | Detects code execution via the Windows Update client. Based on the Windows Update Client LOLBIN Sigma rule by FPT.EagleEye Team. Used under Detection Rule License 1.1. |
Building Block | BB:BehaviorDefinition: Write Protect For Storage Disabled | Detects changes to registry to disable any write-protect property for storage devices. Based
on the Write Protect For Storage Disabled Sigma rule by Sreeman. Used under Detection Rule License 1.1. |
Building Block | BB:CategoryDefinition: File Permission Changed | Defines when a command has been executed to change the permissions assigned to a file. |
Building Block | BB:CategoryDefinition: Object Download Events | Edit this Building Block to include all object (file, folder, etc) download related event categories. |
Building Block | BB:DeviceDefinition: Endpoint Devices | Defines Endpoint devices on system. |
Rule | Access Token Abuse | Detects token impersonation and theft. Based on the Access Token Abuse Sigma
rule by Michaela Adams, and Zach Mathis. Used under Detection Rule License 1.1. |
Rule | Access to ADMIN$ Share | Detects access to $ADMIN share. Based on the Access to ADMIN$ Share Sigma rule
by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Active Directory Group/Computer Enumeration | Triggers when a group or a computer is enumerated within Active Directory. Based on the
Active Directory Group Enumeration With Get-AdGroup and Active Directory
Computers Enumeration with Get-AdComputer Sigma rules by frack113. Used under Detection Rule License 1.1. |
Rule | Active Directory Kerberos DLL Loaded Via Office Application | Detects Kerberos DLL being loaded by a Microsoft Office product. Based on the Active
Directory Kerberos DLL Loaded Via Office Application Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | Active Directory Parsing DLL Loaded Via Office Application | Detects DSParse DLL being loaded by a Microsoft Office product. Based on the Active
Directory Parsing DLL Loaded Via Office Application Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | Alternate Data Streams Writing Files | Detects Alternate Data Stream (ADS) writing files. ADS may be used to store configuration
files. Based on the NTFS Alternate Data Stream Sigma rule by Sami Ruohonen. Used under Detection Rule License 1.1. |
Rule | Attempt to bypass UAC via Windows Firewall Snap-In Hijacking | Detects attempts to bypass UAC via Windows firewall snap-in. For more information about this attack, see UAC Bypass via Windows Firewall Snap-In Hijack. |
Rule | Automated Collection Commands | Detects an adversary using automated techniques for collecting internal data. |
Rule | CLR DLL Loaded Via Office Application | Detects CLR DLL being loaded by a Microsoft Office product. Based on the CLR DLL Loaded
Via Office Applications Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | CLR DLL Loaded Via Scripting Applications | Detects CLR DLLs being loaded by scripting applications. Based on the DotNet CLR DLL
Loaded By Scripting Applications Sigma rule by omkar72, and oscd.community. Used under Detection Rule License 1.1. |
Rule | COM Hijacking With Suspicious Locations | Detects potential COM hijacking where the 'Server' (In/Out) is pointing to a suspicious
location. Based on the COM Hijacking For Persistence With Suspicious Locations Sigma
rule by Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | COM Hijacking via Sdclt | Detects potential COM hijacking via Sdclt. Based on the COM Hijack via Sdclt
Sigma rule by Omkar Gudhate. Used under Detection Rule License 1.1. |
Rule | COM Object Downloading Cradles | Detects usage of COM objects that can be abused to download files in PowerShell by CLSID.
Based on the Potential COM Objects Download Cradles Usage - PS Script Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Rule | Certutil Initiated Connection | Detects a network connection intitiated by the certutil.exe tool.
Attackers can abuse certutil.exe to download malware or offensive security
tools. Based on the Certutil Initiated Connection Sigma rule by frack113, and Florian
Roth. Used under Detection Rule License 1.1. |
Rule | Clear Command History | Detects clear command history activity. |
Rule | ComRat Registry Service Installation | Triggers when a comrat service is installed and a payload is written into the registry. This could indicate an existing access such as compromised credentials or a previously installed backdoor. |
Rule | Command Executed via SettingContent-ms | Detects command executed via SettingContent-ms. Based on the Arbitrary Shell Command
Execution Via Settingcontent-Ms Sigma rule by Sreeman. Used under Detection Rule License 1.1. |
Rule | Command Line Execution with Suspicious URL and AppData Strings | Detects a suspicious command line execution that includes an URL and AppData string in the
command line parameters as used by several droppers. Based on the Command Line Execution with
Suspicious URL and AppData Strings Sigma rule by Florian Roth, Jonhnathan Ribeiro, and
oscd.community. Used under Detection Rule License 1.1. |
Rule | Communication to EquationGroup C2 Tools | Detects communications to C2 servers. Based on the Equation Group C2
Communication Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Copying Sensitive Files with Credential Data | Detects attempts to copy sensitive files with credential data. Based on the Copying
Sensitive Files with Credential Data Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy,
and oscd.community. Used under Detection Rule License 1.1. |
Rule | Creation of Outlook C2 Macro File | Detects creation of an Outlook C2 macro file. Based on the Outlook C2 Macro
Creation Sigma rule by @ScoubiMtl. Used under Detection Rule License 1.1. |
Rule | Creation of Suspicious Executable Files | Detects creation of suspicious executable files. Based on the Suspicious Executable
File Creation Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Creation or Modification of Assistive Technology Applications | Detects creation or modification of Assistive Technology applications. Based on the
Atbroker Registry Change Sigma rule by Mateusz Wydra, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Creation or Modification of a new GPO Scheduled Task or Service | Detects the creation or modification of a new Group Policy based scheduled task or service.
Based on the Persistence and Execution at Scale via GPO Scheduled Task Sigma rule by
Samir Bousseaden. Used under Detection Rule License 1.1. |
Rule | Credential Dumping Tools Named Pipes | Detects well-known credential dumping tools execution via specific named pipes. Based on the
Cred Dump-Tools Named Pipes Sigma rule by Teymur Kheirkhabarov, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Curl Download And Execute Combination | Detects potential attackers using curl to download payloads remotely and execute them. Based
on the Curl Download And Execute Combination Sigma rule by Sreeman, and Nasreddine
Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | DNS Exfiltration Tools Execution | Detects DNS exfiltration tool execution. Based on the DNS Exfiltration and Tunneling
Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | DNS Exfiltration in Powershell | Detects detects DNS exfiltration in powershell. Based on the Powershell
DNSExfiltration Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | DNS HybridConnectionManager Service Bus | Detects Hybrid Connection Manager querying the service bus. Based on the DNS
HybridConnectionManager Service Bus Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and OTR
(Open Threat Research). Used under Detection Rule License 1.1. |
Rule | DarkSide Ransomware Activity Detected | Detects DarkSide ransomware activity. Based on the DarkSide Ransomware Pattern
Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Data Split into Pieces (Mac) | Detects data split into pieces. Based on the Split A File Into Pieces Sigma rule
by Igor Fits, Mikhail Larin, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Data Split into Pieces (Unix) | Detects data split into pieces. Based on the Split A File Into Pieces - Linux
Sigma rule by Igor Fits, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Default Accounts Used | Detects default accounts used. Based on the Suspicious Manipulation Of Default
Accounts Sigma rule by Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Disable Windows Defender Functionalities Via Registry Keys | Detects when attackers disable Windows Defender functionality by using the Windows registry. Based on the Disable Windows Defender Functionalities Via Registry Keys Sigma rule by
AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali, and Swachchhanda Shrawan Poudel. Used under Detection Rule License 1.1. |
Rule | Disabled CrashDump via Registry | Detects CrashDump disabled through registry modification. Based on the CrashControl
CrashDump Disabled Sigma rule by Tobias Michalski. Used under Detection Rule License 1.1. |
Rule | Dllhost Outbound Network Connection | Detects outbound connections initiated by dllhost.exe. |
Rule | Dllhost.exe Execution Anomaly | Detects the dllhost.exe process spawning with no command line arguments
which is rare and could indicate process injection activity or malware mimicking similar system
processes. Based on the Dllhost.EXE Execution Anomaly Sigma rule by Nasreddine
Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Domain Trust Discovery | Detects execution of nltest.exe and dsquery.exe for
domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
Based on the Domain Trust Discovery Sigma rule by E.M. Anhaus (originally from Atomic
Blue Detections), Tony Lambert, oscd.community, and omkar72. Used under Detection Rule License 1.1. |
Rule | DotNET DLL Loaded Via Office Application | Detects any assembly DLL being loaded by a Microsoft Office product. Based on the DotNET Assembly DLL Loaded Via Office Application Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | Download Payload Using Edge Headless Feature | Detects downloading of payloads using the Edge headless feature. Based on the Potential
Arbitrary File Download Via MSEdge.EXE Sigma rule by Florian Roth (Nextron Systems), and
Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Download Payload via Console Using Edge | Detects downloading of payloads using the Edge console. Based on the Edge abuse for
payload download via console Sigma rule by mdecrevoisier. Used under Detection Rule License 1.1. |
Rule | Dump Credentials from Windows Credential Manager With PowerShell | Detects adversaries searching for common password storage locations to obtain user
credentials. Based on the Dump Credentials from Windows Credential Manager With PowerShell Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | ETW Trace Disabled | Detects a command that clears or disables any ETW trace log which could indicate a logging
evasion. Based on the Disable of ETW Trace Sigma rule by @neu5ron, Florian Roth,
Jonhnathan Ribeiro, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Email Account Discovery from Powershell | Detects email account discovery from Powershell. |
Rule | Encrypted Channel Activity | Detects encrypted channel activity. Based on the Suspicious SSL Connection Sigma
rule by frack113. Used under Detection Rule License 1.1. |
Rule | Enumerate Credentials from Windows Credential Manager With PowerShell | Detects adversaries searching for common password storage locations to obtain user credentials. |
Rule | Excessive Number of nslookup from Powershell | Detects excessive number of nslookup from Powershell. Based on the
Nslookup PowerShell Download Cradle - ProcessCreation Sigma rule by Nasreddine
Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Executable File Created by another Executable | Triggers when an executable is created by another executable. Based on the Creation of
an Executable by an Executable Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Execution of Dnscat | Detects execution of Dnscat. Based on the Dnscat Execution Sigma rule by Daniil
Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Execution of Exfiltration and Tunneling Tools | Detects execution of exfiltration and tunneling tools. Based on the Exfiltration and
Tunneling Tools Execution Sigma rule by Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Execution of Non-DLL Using Rundll32 | Detects rundll32.exe running non-DLL. Based on the Suspicious
Rundll32 Execution With Image Extension Sigma rule by Hieu Tran. Used under Detection Rule License 1.1. |
Rule | Execution of Tap Installer Software | Detects execution of Tap Installer software. Based on the Tap Installer
Execution Sigma rule by Daniil Yugoslavskiy, Ian Davis, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Exploitation of EQNEDT32 | Detects CVE-2017-11882 which is an exploitation of EQNEDT32.EXE to spawn other processes.
Based on the Droppers Exploiting CVE-2017-11882 Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | File Creation by Non-Privileged Processes in Program Files Directory | Detects file creation by non-privileged processes in the Program Files directory. Based on
the Files Dropped to Program Files by Non-Priviledged Process Sigma rule by Teymur
Kheirkhabarov (idea), Ryan Plas (rule), and oscd.community. Used under Detection Rule License 1.1. |
Rule | File Download Via Bitsadmin | Detects usage of bitsadmin downloading a file. Based on the File Download Via
Bitsadmin Sigma rule by Michael Haag, and FPT.EagleEye. Used under Detection Rule License 1.1. |
Rule | File and Directory Permission Modification (Windows) | Detects file and directory permission modification in Windows. Based on the File or
Folder Permissions Modifications Sigma rule by Jakob Weinzettl, oscd.community, and
Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | File and Directory Permission Modification after Download | Detects file and directory permission modification after file download event. |
Rule | Finger Suspicious Invocation | Detects suspicious aged finger.exe tool execution often used in malware
attacks nowadays. Based on the Finger.exe Suspicious Invocation Sigma rule by Florian
Roth (Nextron Systems), omkar72, and oscd.community. Used under Detection Rule License 1.1. |
Rule | GAC DLL Loaded Via Office Application | Detects any GAC DLL being loaded by a Microsoft Office product. Based on the GAC DLL
Loaded Via Office Applications Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | Get-ADUser User Discovery and Export | Triggers when usage of the Get-ADUser cmdlet to collect user information and output it to a
file. Based on the User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Sigma
rule by Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Google Chrome DLL Sideloading | Detects DLL sideloading in Google Chrome. Based on the Potential Chrome Frame Helper
DLL Sideloading Sigma rule by Nasreddine Bencherchali (Nextron Systems), and Wietze Beukema
(project and research). Used under Detection Rule License 1.1. |
Rule | Hiding Files with Attrib | Detects usage of attrib.exe to hide files from users. Based on the Hiding Files with
Attrib.exe Sigma rule by Sami Ruohonen. Used under Detection Rule License 1.1. |
Rule | Hybrid Connection Manager Service Installation | Detects Hybrid Connection Manager service installation. Based on the
HybridConnectionManager Service Installation Sigma rule by Roberto Rodriguez
(Cyb3rWard0g), and OTR (Open Threat Research). Used under Detection Rule License 1.1. |
Rule | In-memory PowerShell | Detects loading of essential DLLs used by PowerShell, but not by the process
Powershell.exe. Based on the In-memory PowerShell Sigma rule by
Tom Kern, oscd.community, Natalia Shornikova, and Tim Shelton. Used under Detection Rule License 1.1. |
Rule | Input Capture Using Mouse Lock | Detects input capture using mouse lock tool. Based on the Mouse Lock Credential
Gathering Sigma rule by Cian Heasley. Used under Detection Rule License 1.1. |
Rule | Linux Doas Tool Execution | Detects Linux doas tool execution. Based on the Linux Doas Tool Execution Sigma rule by Sittikorn S, and Teoderick Contreras. Used under Detection Rule License 1.1. |
Rule | Lookup System Locale | Detects looking up system locale. Based on the Console CodePage Lookup Via CHCP
Sigma rule by _pete_0, and TheDFIRReport. Used under Detection Rule License 1.1. |
Rule | Malicious Base64 in Registry | Detects registry write modifications where an adversary attempts to hide encoded commands.
Based on the Suspicious Environment Variable Has Been Registered Sigma rule by
Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Malicious Named Pipe | Triggers when a named pipe is created by known APT malware. |
Rule | Malicious PowerShell Scripts | Detects the creation of known Powershell scripts for exploitation. Based on the
Malicious PowerShell Scripts - FileCreation Sigma rule by Markus Neis, Nasreddine
Bencherchali (Nextron Systems), Mustafa Kaan Demir, and Georg Lauenstein. Used under Detection Rule License 1.1. |
Rule | Malicious Use of Control Panel | Detects malicious use of control panel items. Based on the Control Panel Items
by Kyaw Min Thein, and Furkan Caliskan (@caliskanfurkan_). Used under Detection Rule License 1.1. |
Rule | Masquerading Task or Service | Triggers when task or service masquerading. |
Rule | Microsoft Binary Github Communication | Detects an executable in the Windows folder accessing github.com. Based on the Microsoft Binary Github Communication Sigma rule by Michael Haag (idea), Florian Roth
(rule). Used under Detection Rule License 1.1. |
Rule | Microsoft Binary Suspicious Communication Endpoint | Detects an executable in the Windows folder accessing suspicious domains. Based on the Microsoft Binary Suspicious Communication Endpoint Sigma rule by Florian Roth (Nextron
Systems), and Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Microsoft Office DLL Sideloading | Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location. Based on the Microsoft Office DLL Sideload Sigma rule by Nasreddine Bencherchali
(Nextron Systems), and Wietze Beukema (project and research). Used under Detection Rule License 1.1. |
Rule | Microsoft Office Template Creation | Detects the creation of template files for Microsoft Office from outside Office. |
Rule | Mimikatz Execution | Detects well-known Mimikatz command line arguments. Based on the HackTool - Mimikatz
Execution by Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), and Tim
Shelton. Used under Detection Rule License 1.1. |
Rule | Multiple Login Failures due to Bad Password | Detects adversary performing password spraying. |
Rule | Network Share Discovery Activity | Detects network share discovery activity. |
Rule | Network Sniffing Activity | Detects network sniffing activities. Based on the Network Sniffing Sigma rule by
Timur Zinniatullin and oscd.community. Used under Detection Rule License 1.1. |
Rule | New Certificate Added to Certificate Store | Detects the addition of new root, CA or AuthRoot certificates to the Windows registry. Based on the New Root or CA or AuthRoot Certificate to Store Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | New Port Forwarding Rule Added Via Netsh | Detects the execution of netsh commands that configure a new port forwarding (PortProxy)
rule. Based on the New Port Forwarding Rule Added Via Netsh.EXX Sigma rule by Florian
Roth (Nextron Systems), omkar72, oscd.community, and Swachchhanda Shrawan Poudel. Used under Detection Rule License 1.1. |
Rule | New Service Creation | Detects the creation of a new service. |
Rule | Non-Standard Port Usage | Detects non-standard port usage. Based on the Suspicious Typical Malware Back Connect
Ports Sigma rule by Florian Roth (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Outlook C2 Macro Creation | Detects detects the creation of a macro file for Outlook. Based on the Outlook C2 Macro
Creation Sigma rule by @ScoubiMtl. Used under Detection Rule License 1.1. |
Rule | Outlook Security Settings Changed in Registry | Detects changing in Outlook email security settings. Based on the Change Outlook
Security Setting in Registry Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Pass the Hash Activity | Detects the attack technique pass the hash which is used to move laterally inside the network. |
Rule | Persistence Registry Key for Recycle Bin | Detects persistence registry key for recycle bin. Based on the Registry Persistence
Mechanisms in Recycle Bin Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Persistence and Execution at Scale via GPO Scheduled Task | Detects lateral movement using GPO scheduled task. Based on the Persistence and
Execution at Scale via GPO Scheduled Task Sigma rule by Samir Bousseaden. Used under Detection Rule License 1.1. |
Rule | Persistence via Services Registry Key | Detects an adversary attempting to persist via service creation or modification of an
existing service. Based on the ServiceDll Hijack Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Persistence via Startup Folder | Detects when a file with a suspicious extension is created in the startup folder. Based on
the Suspicious Startup Folder Persistence Sigma rule by Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Phishing Patterns in ISO Archive | Detects when an ISO file is opened with archive applications. Based on the Phishing
Pattern ISO in Archive Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Possible Brute Force Attempt | Detects adversary performing brute force. |
Rule | Possible Turla LightNeuron Backdoor Installation | Triggers when a Turla LightNeuron Backdoor is installed. LightNeuron targets Microsoft Exchange email servers making use of the Transport Agent. Used under Detection Rule License 1.1. |
Rule | Potential Archive of Collected Data | Triggers when data is archived or compressed for exfiltration. An adversary may compress data, such as sensitive documents, that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. |
Rule | Potential Boot or Logon Initialization Scripts | Detects triggers when a modification is made to Windows logon scripts to initialize boot or logon scripts. |
Rule | Potential C2 Communication over a Non-Application Layer Protocol | Detects adversaries using a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. |
Rule | Potential Carbon Activity | Detects Carbon activity which communicates with the C&C server to exfiltrate data. |
Rule | Potential ComRAT Activity | Detects ComRAT activity that is a powershell loader to create scheduled tasks. |
Rule | Potential Command and Scripting Interpreters | Triggers when a command and scripting interpreters are detected. |
Rule | Potential Configuration And Service Reconnaissance | Detects reconnaissance attempts from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. Based on the Query Registry Sigma rule by Timur Zinniatullin, oscd.community. Used under Detection Rule License 1.1. |
Rule | Potential Crutch Activity | Detects Crutch activity which encrypts and exfiltrates data. |
Rule | Potential DLL Injection Pattern Detected | Detects potential use of CreateRemoteThread API and LoadLibrary function to inject a DLL into
a process. Based on the CreateRemoteThread API and LoadLibrary by Roberto Rodriguez
@Cyb3rWard0g. Used under Detection Rule License 1.1. |
Rule | Potential DLL Search Order Hijacking | Triggers when attempts to create a DLL file to a known desktop application dependencies
folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to
load a malicious module via DLL search order hijacking. Based on the Potential Initial Access
via DLL Search Order Hijacking Sigma rule by Tim Rauch (rule), and Elastic (idea). Used under Detection Rule License 1.1. |
Rule | Potential Data Exfiltration Via Curl | Detects the execution of the curl process with upload
flags. Which might indicate potential data exfiltration. Based on the Suspicious Curl File
Upload Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Potential Empire Activity | Detects Empire activity which hijacks Microsoft Outlook to exfiltrate data over mail. |
Rule | Potential Epic Activity | Detects Turla Epic activity which searches for various terms within the victim system. |
Rule | Potential Exchange Exploit Activity Detected | Detects potential Exchange exploit activity. Based on the Exchange Exploitation
Activity Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Potential File and Directory Discovery | Triggers when a file or directory is searched for information discovery. An adversary may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. |
Rule | Potential Flow of Execution Hijack | Triggers when a DLL is loaded or deleted from a suspicious folder or file. |
Rule | Potential Gazer Activity | Detects Turla Gazer activity which is a backdoor that uses various techniques for persistence. |
Rule | Potential Hidden File or Directory | Triggers when a file or directory attributes are changed or modified to hide artifacts from users. |
Rule | Potential HyperStack Activity | Detects Turla HyperStack activity, which is a backdoor. |
Rule | Potential Indicator Removal Activity on Host | Triggers when an adversary delete or modify artifacts generated on a host system to remove evidence of their presence or hinder defenses. |
Rule | Potential Ingress Tool Transfer | Detects a suspicious call to Invoke-WebRequest, curl or wget where the and output is located
in a suspicious location. Based on the Suspicious Invoke-WebRequest Usage Sigma rule by
Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Potential Kazuar Activity | Detects Kazuar activity that is a shortcut creation and a sub-key added under HKCU registry path. |
Rule | Potential LOLBIN Activity | Triggers when LOLBIN is used to execute code for a specified binary. |
Rule | Potential Lateral Movement via PowerShell | Detects a PowerShell process spawned as a child or grand child process of commonly abused
processes during lateral movement. Based on the Possible Lateral Movement PowerShell
Spawn Sigma rule by Mauricio Velazco, and Splunk. Used under Detection Rule License 1.1. |
Rule | Potential MSExchange Mailbox Export | Triggers when an exchange mailbox data is exported to a file. |
Rule | Potential Malicious MSExchange Transport Agent Installation | Detects the installation of an Exchange Transport Agent. |
Rule | Potential Mosquito Activity | Detects Mosquito activity, which is a Win32 backdoor. |
Rule | Potential PowerShell ReverseShell Connection | Detects usage of the 'TcpClient' class. Which can be abused to establish remote connections
and reverse-shells. Based on the Potential Powershell ReverseShell Connection Sigma
rule by FPT.EagleEye, wagga, and Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Potential Proxy Forwarding Configuration | Triggers when a proxy port is configured to be used in forwarding. Adversaries may configure proxy ports to bypass network restrictions through tunneling. |
Rule | Potential Registry or Environment Variable Unload | Triggers when changes are made to environment variables or registry. This could indicate a precursor to a ransomware attack. |
Rule | Potential Scheduled Task Created | Detects scheduled tasks created. |
Rule | Potential Security Software Discovery | Triggers when a security software is discovered. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-viruses. |
Rule | Potential Svchost Memory Access | Detects potential access to svchost process memory such as that used by Invoke-Phantom to
kill the winRM windows event logging service. Based on the Suspect Svchost Memory
Asccess Sigma rule by Tim Burrell. Used under Detection Rule License 1.1. |
Rule | Potential System DLL Sideloading From Non System Locations | Detects DLL sideloading of DLLs usually located in system locations, such as
System32, or SysWOW64. Based on the System DLL
Sideloading From Non System Locations Sigma rule by Nasreddine Bencherchali, Wietze Beukema
(project and research), Chris Spehn (research WFH Dridex), and XForceIR (SideLoadHunter Project). Used under Detection Rule License 1.1. |
Rule | Potential TinyTurla Activity | Detects TinyTurla activity that uses a fake DLL called w64time.dll. The Windows legit version is w32time.dll, which makes the malware less noticeable. |
Rule | Potential Turla Recon Activity | Detects a common Turla activity which executes several reconnaissance commands to discover about the victim machine and also to move across laterally. |
Rule | Potential Unix Shell Command and Scripting Interpreter | Detects triggers when suspicious shell commands or program code that may be executed for command and scripting interpreters. |
Rule | Potential Web Shell Dropped | Detects potential web shells dropped. Based on the Suspicious ASPX File Drop by
Exchange Sigma rule by Florian Roth (rule), MSTI (query, idea). Used under Detection Rule License 1.1. |
Rule | Potential WinAPI Calls Via PowerShell Scripts | Detects use of WinAPI Functions in PowerShell scripts. Based on the Potential WinAPI
Calls Via PowerShell Scripts Sigma rule by Nikita Nazarov, oscd.community, and Tim Shelton. Used under Detection Rule License 1.1. |
Rule | Potential Windows Command Shell Interpreter | Triggers when the usage of path traversal in cmd.exe indicating possible command/argument
confusion/hijacking. Based on the Cmd.exe CommandLine Path Traversal Sigma rule by
xknow @xknow_infosec, and Tim Shelton. Used under Detection Rule License 1.1. |
Rule | Potential Windows Scheduled Task Creation | Triggers when adversaries attempts to create a scheduled task. |
Rule | Potential Windows Software Discovery | Triggers when a windows software is discovered. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software with a vulnerability. |
Rule | PowerShell DownloadFile | Detects the execution of powershell, a WebClient object creation and the invocation of
DownloadFile in a single command line. Based on the PowerShell DownloadFile Sigma rule
by Florian Roth. Used under Detection Rule License 1.1. |
Rule | PowerShell Profile Modification | Triggers when a powershell profile is created or modified which could indicate suspicious
activity as the profile can be used as a mean of persistence. Based on the PowerShell Profile
Modification Sigma rule by HieuTT35, and Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Powershell Keylogging Activity | Detects Powershell keylogging activity. Based on the Powershell Keylogging Sigma rule by frack113. |
Rule | Powershell Local Email Collection | Detects adversaries targeting user email on local systems to collect sensitive information.
Based on the Powershell Local Email Collection by frack113. Used under Detection Rule License 1.1. |
Rule | Powershell Remote Thread Creation | Detects Powershell injecting code into critical Windows processes. |
Rule | Process Injection via Maldoc | Detects process injection using maldoc. Based on the LittleCorporal Generated Maldoc
Injection Sigma rule by Christian Burkard. Used under Detection Rule License 1.1. |
Rule | Psexec Accepteula Agreement Detected | Detects psexec accepteula activity. Based on the Psexec Accepteula Condition
Sigma rule by omkar72. Used under Detection Rule License 1.1. |
Rule | Python Core Image Load Detected | Detects Python Core image load. Based on the Python Py2Exe Image Load Sigma rule
by Patrick St. John, and OTR (Open Threat Research). Used under Detection Rule License 1.1. |
Rule | Python Py2Exe Image Load | Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
Based on the Python Py2Exe Image Load Sigma rule by Patrick St. John, and OTR (Open
Threat Research). Used under Detection Rule License 1.1. |
Rule | RDP Communication over Loopback Address | Detects RDP communication over loopback address. Based on the RDP over Reverse SSH
Tunnel WFP Sigma rule by Samir Bousseaden. Used under Detection Rule License 1.1. |
Rule | Reconnaissance Activity Using BuiltIn Commands | Detects the execution of a set of builtin commands often used in recon stages by different
attack groups. Based on the Quick Execution of a Series of Suspicious Commands Sigma
rule by juju4. Used under Detection Rule License 1.1. |
Rule | Regedit Started with TrustedInstaller Privileges | Detects regedit started with TrustedInstaller privileges or with
ProcessHacker.exe. Based on the Regedit as Trusted Installer Sigma
rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Registry Modification of Run Keys | Detects registry modification of run keys. Based on the Suspicious Driver Install by
pnputil.exe Sigma rule by Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, and Austin
Songer @austinsonger. Used under Detection Rule License 1.1. |
Rule | Regsvr32 Outbound Network Connection | Detects outbound connections initiated by regsvr32.exe. |
Rule | Remote PowerShell Session | Detects remote PowerShell connections by monitoring network outbound connections to ports
5985 or 5986 from a non-network service account. Based on the Remote PowerShell Session
(Network) Sigma rule by Roberto Rodriguez (@Cyb3rWard0g). Used under Detection Rule License 1.1. |
Rule | Remote Scheduled Task Creation | Detects remote scheduled task creations. |
Rule | Remote Service Activity via SVCCTL Named Pipe | Detects remote service activity via remote access to the svcctl named pipe. Based on the
Remote service creation via named pipes Sigma rule by mdecrevoisier. Used under Detection Rule License 1.1. |
Rule | Remote Thread Creation in Suspicious Targets | Detects a remote thread creation in suspicious target images. Based on the Remote
Thread Creation in Suspicious Targets by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Root Certificate Installed | Detects adversaries installing a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. |
Rule | RunDLL32 Outbound Network Connection | Detects outbound connections initiated by rundll32.exe. |
Rule | Rundll32 with Suspicious Process Lineage | Detects executions of rundll32.exe from unusual parent processes. |
Rule | Running of Hijacked Binary Detected | Detects running of hijacked binary. Based on the Using SettingSyncHost.exe as
LOLBin Sigma rule by Anton Kutepov, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Ryuk Ransomware Command Line Activity Detected | Detects Ryuk ransomware command line activity. Based on the Ryuk Ransomware Command
Line Activity Sigma rule by Vasiliy Burov. Used under Detection Rule License 1.1. |
Rule | SMB Create Remote File Admin Share | Detects non-system accounts SMB accessing a file with write (0x2 ) access
mask via administrative share such as C$ . Based on the SMB Create Remote File
Admin Share Sigma rule by Jose Rodriguez (@Cyb3rPandaH), and OTR (Open Threat Research).Used under Detection Rule License 1.1. |
Rule | SSH Firewall Configuration | Detects SSH firewall configuration. Based on the OpenSSH server firewall configuration on Windows (command) Sigma rule by mdecrevoisier. Used under Detection Rule License 1.1. |
Rule | Script Initiated Connection | Detects a script interpreter wscript/cscript opening a network connection. Adversaries may
use script to download malicious payloads. Based on the Script Initiated Connection
Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Service Dll Hijacking | Detects changes to the ServiceDLL value related to a service in the
registry. This is often used as a method of persistence. Based on the ServiceDll Hijack
Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Service Registry Permissions Weakness Check | Detects adversaries checking for flaws in permissions inside the registry to redirect from
the originally specified executable to one that they control, in order to launch their own code at
Service start. Based on the Service Registry Permissions Weakness Check Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Rule | SetupComplete.cmd Exploitation | Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd. |
Rule | Shadow Copies Creation Using Operating Systems Utilities | Detects possible scenarios of credential access where shadow copies are crated using
operating systems utilities. Based on the Shadow Copies Creation Using Operating Systems
Utilities Sigma rule by Teymur Kheirkhabarov, Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Shells Spawned by Web Servers | Detects web servers that spawn shell processes which could be the result of a successfully
placed web shell or another attack. Based on the Shells Spawned by Web Servers Sigma
rule by Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, and
Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Snatch Ransomware Activity Detected | Detects Snatch ransomware activity. Based on the Snatch Ransomware Sigma rule by
Florian Roth. Used under Detection Rule License 1.1. |
Rule | Static Mimikatz Driver Name Detected | Detects known exploited mimikatz driver names. Based on the PrinterNightmare Mimikatz
Driver Name Sigma rule by Markus Neis, @markus_neis, and Florian Roth. Used under Detection Rule License 1.1. |
Rule | Steganography Embedding Files | Detects embedding of steganography files. Based on the Steganography Unzip Hidden
Information From Picture File Sigma rule by Pawel Mazur. Used under Detection Rule License 1.1. |
Rule | Steganography Extracting Files | Detects extraction of steganography files. Based on the Steganography Extract Files
with Steghide Sigma rule by Pawel Mazur. Used under Detection Rule License 1.1. |
Rule | Steganography with RAR | Detects a privilege escalation attempt via a rogue Windows directory environment variable. Based on the Suspicious Greedy Compression Using Rar.EXE Sigma rule by X__Junior
(Nextron Systems), and Florian Roth (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Behavior by SOURGUM Actor | Detects suspicious behavior by SOURGUM actor. |
Rule | Suspicious Binary DLL Execution | Triggers when a DLL is executed from a specified directory. |
Rule | Suspicious Binary Load and Execution | Triggers when an arbitrary DLL is loaded or executed from a specified binary. |
Rule | Suspicious CLR Logs Creation | Detects suspicious .NET assembly executions. Based on the Suspicious CLR Logs
Creation Sigma rule by omkar72, oscd.community, and Wojciech Lesicki. Used under Detection Rule License 1.1. |
Rule | Suspicious Changing of User Agent | Detects a suspicious changing of user agent. Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. |
Rule | Suspicious Copy Command from Admin Share | Detects suspicious copy command from admin share. Based on the Copy from Admin
Share Sigma rule by Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov
@HeirhabarovT, Zach Stanford @svch0st, and Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Suspicious Creation of Get-Variable File | Detects suspicious creation of get-variable.exe file. Based on the
Suspicious Get-Variable.exe Creation Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious Cron Scheduled Task/Job | Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. |
Rule | Suspicious Curl Download | Detects a suspicious curl process start on Windows and outputs the requested document to a local file. Based on the Suspicious Curl.EXE Download Sigma
rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Double File Extension Process | Detects processes with double file extensions. Based on the Suspicious Double Extension
File Execution Sigma rule by Florian Roth (Nextron Systems), @blu3_team (idea), and
Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Elevated System Shell | Triggers when a shell program such as the windows Command Prompt or PowerShell is launched
with system privileges. Based on the Suspicious Elevated System Shell Sigma rule by
frack113, and Tim Shelton. Used under Detection Rule License 1.1. |
Rule | Suspicious EventLog Cleared | Detects clearing of event logs using wevtutil, powershell and wmic. |
Rule | Suspicious Execution of GRP File Conversion | Detects suspicious execution of .grp file conversion. Based on the
Suspicious GrpConv Execution Sigma rule by Florian Roth (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Execution of Outlook from Temporary Directory | Detects Outlook executed from a temporary directory. Based on the Execution in Outlook
Temp Folder Sigma rule by Florian Roth (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Execution with Colorcpl | Detects suspicious execution of colorcpl.exe. Based on the
Suspicious Creation with Colorcpl Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious File Created by Office Application | Detects executable and script file creation by Microsoft Office applications. Based on the Created Files by Office Applications Sigma rule by Vadim Khrykov (ThreatIntel), and
Cyb3rEng (Rule). Used under Detection Rule License 1.1. |
Rule | Suspicious File Download Using Office Application | Detects the usage of Microsoft Word, Microsoft Excel, or Microsoft PowerPoint being used to download arbitrary files. Based on the Suspicious File Download Using Office
Application Sigma rule by Beyu Denis, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Suspicious Get-Variable Creation | Detects PowerShell Persistence via hijacking Get-Variable.exe. Based on the Suspicious
Get-Variable.exe Creation Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious GetTypeFromCLSID ShellExecute | Detects suspicious Powershell code that execute COM Objects. Based on the Suspicious
GetTypeFromCLSID ShellExecute Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious Group And Account Reconnaissance Activity | Detects suspicious reconnaissance command line activity on Windows systems. |
Rule | Suspicious Host File Deletion Activity | Triggers when host files are deleted from a system. |
Rule | Suspicious In-Memory Module Execution | Detects process access events by suspicious processes which have reflectively loaded
libraries in their memory space. Based on the Suspicious In-Memory Module Execution
Sigma rule by Perez Diego (@darkquassar), oscd.community, and Jonhnathan Ribeiro. Used under Detection Rule License 1.1. |
Rule | Suspicious Linux Log Cleared | Triggers when attempts to clear logs on the system. Adversaries may clear system logs to hide
evidence of an intrusion. Based on the Clear Linux Logs Sigma rule by Ömer Günal, and
oscd.community. Used under Detection Rule License 1.1. |
Rule | Suspicious Mac System Log Cleared | Triggers when a local audit log is deleted. Based on the Indicator Removal on Host -
Clear Mac System Logs Sigma rule by remotephone, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Suspicious Microsoft OneNote Child Process | Detects suspicious Microsoft Onenote child process spawned. Based on the Suspicious Microsoft OneNote Child Process Sigma rule by Tim Rauch (Nextron Systems), Nasreddine
Bencherchali (Nextron Systems), and Elastic (idea). Used under Detection Rule License 1.1. |
Rule | Suspicious NTDS Process Patterns Exfiltration | Detects suspicious processes that write (copy) a Active Directory database
(ntds.dit) file. Based on the NTDS.DIT Creation By Uncommon
Process Sigma rule by Florian Roth (Nextron Systems), and Nasreddine Bencherchali (Nextron
Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious NTDS Process Writes | Detects suspicious process patterns used in NTDS.DIT exfiltration. Based on the
Suspicious Process Patterns NTDS.DIT Exfil Sigma rule by Florian Roth (Nextron
Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious New Instance of an Office COM Object | Detects a Microsoft Office application creating an instance of one of the Office COM objects such as Word.Application, or Excel.Application. This can
be used by malicious actors to create malicious Office documents with macros on the fly. Based on
the Suspicious New Instance Of An Office COM Object by Nasreddine Bencherchali (Nextron
Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Outbound SMTP Connections | Detects potential exfiltration over SMTP protocol. Based on the Suspicious Outbound
SMTP Connections Sigma rule by frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious PowerShell Keywords | Detects keywords that could indicate the use of some PowerShell exploitation framework. Based
on the Potential Suspicious PowerShell Keywords Sigma rule by Florian Roth (Nextron
Systems), Perez Diego (@darkquassar), and Tuan Le (NCSGroup). Used under Detection Rule License 1.1. |
Rule | Suspicious Process Discovery With Get-Process | Detects adversaries performing discovery to get the processes that are running on the local
computer. Based on the Suspicious Process Discovery With Get-Process Sigma rule by
frack113. Used under Detection Rule License 1.1. |
Rule | Suspicious Process from Microsoft HTML Help | Detects suspicious process spawned from Microsoft HTML Help. Based on the HTML Help
HH.EXE Suspicious Child Process Sigma rule by Maxim Pavlunin, and Nasreddine Bencherchali
(Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Program Location with Network Connections | Detects programs with network connections running in suspicious files system locations. Based
on the Suspicious Program Location with Network Connections by Florian Roth. Used under Detection Rule License 1.1. |
Rule | Suspicious Proxy Binary Execution | Triggers when a system binary is executed from a proxy. |
Rule | Suspicious PsExec Activity | Detects suspicious PsExec activity. Based on the Impacket PsExec Execution Sigma
rule by Bhabesh Raj. Used under Detection Rule License 1.1. |
Rule | Suspicious Remote Named Pipe | Detects lateral movement and remote execution scenarios using newly observed named pipes
accessed remotely. Based on the First Time Seen Remote Named Pipe Sigma rule by Samir
Bousseaden. Used under Detection Rule License 1.1. |
Rule | Suspicious Scheduled Task | Detects suspicious scheduled task creation or update events based on attributes such as
paths, or commands line flags. Based on the Suspicious Scheduled Task Creation by
Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Suspicious Scripting in a WMI Consumer | Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers.
Based on the Suspicious Scripting in a WMI Consumer Sigma rule by Florian Roth (Nextron
Systems), and Jonhnathan Ribeiro. Used under Detection Rule License 1.1. |
Rule | Suspicious Subprocess from RazerInstaller | Detects suspicious subprocess from RazerInstaller.exe. Based on the
Suspicious RazerInstaller Explorer Subprocess Sigma rule by Florian Roth, and Maxime
Thiebaut. Used under Detection Rule License 1.1. |
Rule | Suspicious Svchost Execution Anomaly | Detects the svchost.exe executed without any CLI arguments which is
normally observed when a malicious process spawns the process and injects code into the process
memory space. Based on the Suspect Svchost Activity Sigma rule by David Burkett, and
@signalblur. Used under Detection Rule License 1.1. |
Rule | Suspicious TCP Tunnel Via PowerShell Script | Detects PowerShell scripts that creates sockets/listeners which could be indicative of
tunneling activity. Based on the Suspicious TCP Tunnel Via PowerShell Script Sigma rule
by Nasreddine Bencherchali (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Suspicious Valid Accounts Logon | Triggers when a suspicious login from a valid account is detected. |
Rule | Suspicious WMIC Execution | Detects WMIC executing suspicious or recon commands. Based on the Suspicious WMIC
Execution Sigma rule by Michael Haag, Florian Roth, juju4, and oscd.community. Used under Detection Rule License 1.1. |
Rule | Suspicious WebDav Client Execution | Detects exfiltration attempts or use of WebDav to launch code hosted on a WebDav Server.
Based on the WebDav Client Execution Sigma rule by Roberto Rodriguez (Cyb3rWard0g), and
OTR (Open Threat Research). Used under Detection Rule License 1.1. |
Rule | Symlink to passwd Created | Detects symlink created to the /etc/passwd directory. Based on the
Symlink Etc Passwd Sigma rule by Florian Roth. Used under Detection Rule License 1.1. |
Rule | System Owner or User Discover (Linux) | Detects system owner or user discovery activities. Based on the System Owner or User
Discovery Sigma rule by Timur Zinniatullin, and oscd.community. Used under Detection Rule License 1.1. |
Rule | System Owner or User Discovery (Windows) | Detects system owner or user discovery activities. Based on the Local Accounts
Discovery Sigma rule by Timur Zinniatullin, Daniil Yugoslavskiy, and oscd.community. Used under Detection Rule License 1.1. |
Rule | System Time Discovery Activity | Detects system time discovery activity. |
Rule | Token Impersonation via PowerShell | Detects adversaries leveraging Windows API functions related to token impersonation or theft. |
Rule | Transferring Files with Credential Data via Network Shares | Detects attempts to transfer files with well-known filenames, such as sensitive files with
credential data, using network shares. Based on the Transferring Files with Credential Data
via Network Shares Sigma rule by Teymur Kheirkhabarov and oscd.community. Used under Detection Rule License 1.1. |
Rule | Turla Service Installed | Triggers when a malicious service known by a malicious APT is installed. |
Rule | UAC Remote Restrictions Disabled | Detects registry modification allowing remote administrative actions. Based on the
Disable UAC Remote Restriction Sigma rule by Steven Dick, Teoderick Contreras, and
Splunk. Used under Detection Rule License 1.1. |
Rule | Uncommon Process Spawned from HWP | Detects uncommon processes spawning from Hangul Word Processor (Hanword). Based on the
Suspicious HWP Sub Processes Sigma rule by Florian Roth (Nextron Systems). Used under Detection Rule License 1.1. |
Rule | Unusual Child Process from Different Processes | Detects unusual child process from different processes. Based on the Abused Debug
Privilege by Arbitrary Parent Processes Sigma rule by Semanur Guneysu @semanurtg, and
oscd.community. Used under Detection Rule License 1.1. |
Rule | User Authenticating via Multiple Explicit Credentials | Detects a user attempting to authenticate with multiple target users using explicit credentials. |
Rule | User Creation Abusing Fortinet Vulnerability | Detects user creation by abusing Fortinet vulnerability. Based on the Fortinet APT group abuse on Windows (user) Sigma rule by mdecrevoisier. Used under Detection Rule License 1.1. |
Rule | VBA DLL Loaded Via Office Application | Detects VB DLLs loaded by a Microsoft Office application, which could indicate the presence of VBA Macros. Based on the VBA DLL Loaded Via Office Application Sigma rule by
Antonlovesdnb. Used under Detection Rule License 1.1. |
Rule | VirtualBox Driver Installed or Started | Detects VirtualBox driver installation or a start of virtual machines. Based on the
Detect Virtualbox Driver Installation OR Starting Of VMs Sigma rule by Janantha
Marasinghe. Used under Detection Rule License 1.1. |
Rule | Vulnerable Driver Loaded | Triggers when a vulnerable driver is loaded. Based on the Windows Vulnerable Driver Loaded Sigma rule by Michael Haag, and Splunk. Used under Detection Rule License 1.1. |
Rule | WMI Event Consumer Persistence | Detects WMI command line event consumers. Based on the WMI Persistence - Command Line
Event Consumer Sigma rule by Thomas Patzke. Used under Detection Rule License 1.1. |
Rule | WScript or CScript Dropping File | Detects a file ending in jse, vbe,
js, vba, or vbs being written by
cscript.exe or wscript.exe. Based on the WScript or
CScript Dropper - File Sigma rule by Tim Shelton. Used under Detection Rule License 1.1. |
Rule | Windows Event Logging Disabled Via Registry | Detects tampering with the 'Enabled' registry key in order to disable windows logging of a
windows event channel. Based on the Disable Windows Event Logging Via Registry Sigma
rule by frack113, and Nasreddine Bencherchali. Used under Detection Rule License 1.1. |
Rule | Windows Registry Trust Record Modification | Detects Windows registry trust record modification. Based to the Windows Registry Trust Record Modification Sigma rule by Antonlovesdnb. Used under Detection Rule License 1.1. |