Sigma Rules
3,332 rules found
Protected Storage Service Access
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting RDP termsvcs communicating with the loopback address
Register new Logon Process by Rubeus
Detects potential use of Rubeus via registered new trusted logon process
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Replay Attack Detected
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
SCM Database Handle Failure
Detects non-system users failing to get a handle of the SCM database.
SCM Database Privileged Operation
Detects non-system users performing privileged operation os the SCM database
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Remote Access Tool Services Have Been Installed - Security
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Suspicious LDAP-Attributes Used
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
Suspicious PsExec Execution
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task Update
Detects update to a scheduled task event that contain suspicious keywords.
Unauthorized System Time Modification
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Suspicious Teams Application Related ObjectAcess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
VSSAudit Security Event Source Registration
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.