Sigma Rules
1,701 rules found
Replay Attack Detected
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Suspicious LDAP-Attributes Used
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
Suspicious PsExec Execution
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task Update
Detects update to a scheduled task event that contain suspicious keywords.
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Suspicious Teams Application Related ObjectAcess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Microsoft Defender Blocked from Loading Unsigned DLL
Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Important Windows Eventlog Cleared
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Vulnerable Netlogon Secure Channel Connection Allowed
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
NTFS Vulnerability Exploitation
This the exploitation of a NTFS vulnerability as reported without many details via Twitter
smbexec.py Service Installation
Detects the use of smbexec.py tool by detecting a specific service installation
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
Credential Dumping Tools Service Execution - System
Detects well-known credential dumping tools execution via service execution events
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
PowerShell Scripts Installed as Services
Detects powershell script installed as a Service
HackTool Service Registration or Execution
Detects installation or execution of services