Sigma Rules
557 rules found for "Red Canary"
Disable Windows Security Center Notifications
Detect set UseActionCenterExperience to 0 to disable the Windows security center notification
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
Disable Windows Firewall by Registry
Detect set EnableFirewall to 0 to disable the Windows firewall
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
Registry Modification to Hidden File Extension
Hides the file extension through modification of the registry
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
Potential Persistence Via Excel Add-in - Registry
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Modify User Shell Folders Startup Value
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.
New TimeProviders Registered With Uncommon DLL Name
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
COM Hijacking via TreatAs
Detect modification of TreatAs key to enable "rundll32.exe -sta" command
UAC Disabled
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
UAC Notification Disabled
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
UAC Secure Desktop Prompt Disabled
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Potential Dridex Activity
Detects potential Dridex acitvity via specific process patterns
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Raspberry Robin Subsequent Execution of Commands
Detects raspberry robin subsequent execution of commands.
Raspberry Robin Initial Execution From External Drive
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
Inbox Rules Creation Or Update Activity in O365
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
Process Discovery
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
Access To Windows Outlook Mail Files By Uncommon Applications
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Unattend.XML File Access Attempt
Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended windows install process.