Sigma Rules
1,473 rules found
Run Once Task Configuration in Registry
Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Registry Tampering by Potentially Suspicious Processes
Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Add Port Monitor Persistence in Registry
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Add Debugger Entry To AeDebug For Persistence
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes
Allow RDP Remote Assistance Feature
Detect enable rdp feature to allow specific user to rdp connect on the targeted machine
Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Common Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
New BgInfo.EXE Custom VBScript Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
IE Change Domain Zone
Hides the file extension through modification of the registry
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
Windows Defender Exclusions Added - Registry
Detects the Setting of Windows Defender Exclusions
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Disable Exploit Guard Network Protection on Windows Defender
Detects disabling Windows Defender Exploit Guard Network Protection
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
Disable Internal Tools or Feature in Registry
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Disable Privacy Settings Experience in Registry
Detects registry modifications that disable Privacy Settings Experience
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Scripted Diagnostics Turn Off Check Enabled - Registry
Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
Registry Modification to Hidden File Extension
Hides the file extension through modification of the registry
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry