Sigma Rules
801 rules found for "privilege-escalation"
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
Leviathan Registry Key Activity
Detects registry key used by Leviathan APT in Malaysian focused campaign
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
Potential PrintNightmare Exploitation Attempt
Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Windows Spooler Service Suspicious Binary Load
Detects DLL loads from the Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).
OMIGOD HTTP No Authentication RCE - CVE-2021-38647
Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) of commands as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Suspicious Computer Account Name Change CVE-2021-42287
Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287
Suspicious RazerInstaller Explorer Subprocess
Detects an explorer.exe subprocess of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
Pingback Backdoor File Indicators
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor DLL Loading Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor Activity
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Small Sieve Malware CommandLine Indicator
Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
HAFNIUM Exchange Exploitation Activity
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
SOURGUM Actor Behaviours
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Potential Exploitation of CVE-2022-21919 or CVE-2021-34484 for LPE
Detects potential exploitation attempts of CVE-2022-21919 or CVE-2021-34484 leading to local privilege escalation via the User Profile Service. During exploitation of this vulnerability, two logs (Provider_Name: Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 are created (EventID 1515 may generate many false positives). Additionally, the directory \Users\TEMP may be created during exploitation. This behavior was observed on Windows Server 2008.
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Potential CVE-2022-29072 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.
Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
Serpent Backdoor Payload Execution Via Scheduled Task
Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran was executed by creating a temporary scheduled task using an unusual method: it creates a fictitious Windows event and a trigger so that, once the event is created, the payload is executed.
MSSQL Extended Stored Procedure Backdoor Maggie
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server
Potential ACTINIUM Persistence Activity
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
Exploitation Indicators Of CVE-2023-20198
Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Cisco IOS XE Software Web UI.
Injected Browser Process Spawning Rundll32 - GuLoader Activity
Detects the execution of installed GuLoader malware on the host. GuLoader initiates network connections via a rundll32.exe process that is spawned by an injected browser parent process.
Potential Pikabot Hollowing Activity
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability