Sigma Rules
794 rules found for "Microsoft"
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
System Scripts Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
IE Change Domain Zone
Hides the file extension through modification of the registry
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
Disabled Windows Defender Eventlog
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
Disable PUA Protection on Windows Defender
Detects disabling Windows Defender PUA protection
Disable Tamper Protection on Windows Defender
Detects disabling Windows Defender Tamper Protection
Disable Administrative Share Creation at Startup
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Disable Microsoft Defender Firewall via Registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
Disable Macro Runtime Scan Scope
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
Windows Event Log Access Tampering Via Registry
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Enabling COR Profiler Environment Variables
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Potential EventLog File Location Tampering
Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
Registry Modification to Hidden File Extension
Hides the file extension through modification of the registry
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.