Sigma Rules
1,473 rules found
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections. Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content. This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
Register New IFiltre For Persistence
Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
ScreenSaver Registry Key Set
Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Persistence Via New SIP Provider
Detects when an attacker register a new SIP provider for persistence and defense evasion
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Suspicious Keyboard Layout Load
Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Suspicious Service Installed
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence. Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files, and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
COM Hijacking via TreatAs
Detect modification of TreatAs key to enable "rundll32.exe -sta" command
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Enable Local Manifest Installation With Winget
Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
Sysmon Configuration Change
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
Sysmon File Executable Creation Detected
Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created.
WMI Event Subscription
Detects creation of WMI event subscription persistence method
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
SSHD Error Message CVE-2018-15473
Detects exploitation attempt using public exploit code for CVE-2018-15473
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Defrag Deactivation - Security
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.