Sigma Rules
794 rules found for "Microsoft"
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
ETW Logging Tamper In .NET Processes Via CommandLine
Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
ETW Trace Evasion Activity
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Script Interpreter Execution From Suspicious Folder
Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp Folder
Detects a suspicious script executions from temporary folder
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Malicious Windows Script Components File Execution by TAEF Detection
Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Potential Memory Dumping Activity Via LiveKD
Detects execution of LiveKD based on PE metadata or image name
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
Procdump Execution
Detects usage of the SysInternals Procdump utility
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
PsExec Service Execution
Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
Suspicious Recursive Takeown
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)