Sigma Rules
3,707 rules found
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
Certificate Private Key Acquired
Detects when an application acquires a certificate private key
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
CodeIntegrity - Unsigned Image Loaded
Detects loaded unsigned image on the system
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Failed DNS Zone Transfer
Detects when a DNS zone transfer failed.
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
USB Device Plugged
Detects plugged/unplugged USB devices
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
The Windows Defender Firewall Service Failed To Load Group Policy
Detects activity when The Windows Defender Firewall service failed to load Group Policy
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration
Windows Firewall Settings Have Been Changed
Detects activity when the settings of the Windows firewall have been changed
ETW Logging/Processing Option Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
HTTP Logging Disabled On IIS Server
Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
New Module Module Added To IIS Server
Detects the addition of a new module to an IIS server.
Previously Installed IIS Module Was Removed
Detects the removal of a previously installed IIS module.
Potential Active Directory Reconnaissance/Enumeration Via LDAP
Detects potential Active Directory enumeration via LDAP
Standard User In High Privileged Group
Detect standard users login that are part of high privileged groups such as the Administrator group
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
Certificate Request Export to Exchange Webserver
Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
Exchange Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
MSExchange Transport Agent Installation - Builtin
Detects the Installation of a Exchange Transport Agent
Failed MSExchange Transport Agent Installation
Detects a failed installation of a Exchange Transport Agent
NTLM Logon
Detects logons using NTLM, which could be caused by a legacy source or attackers
NTLM Brute Force
Detects common NTLM brute force device names