Sigma Rules
94 rules found for "attack.T1112"
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program
DNS-over-HTTPS Enabled by Registry
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
ETW Logging Disabled In .NET Processes - Sysmon Registry
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Change User Account Associated with the FAX Service
Detect change of the user account associated with the FAX service to avoid the escalation problem.
Change the Fax Dll
Detect possible persistence using Fax DLL load when service restart
Registry Hide Function from User
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
Modification of IE Registry Settings
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert JavaScript for persistence
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
Potential Persistence Via Outlook Today Page
Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
Registry Modification for OCI DLL Redirection
Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Registry Explorer Policy Modification
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
Activate Suppression of Windows Security Center Notifications
Detect set Notification_Suppress to 1 to disable the Windows security center notification
Enable LM Hash Storage
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RDP Sensitive Settings Changed
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. Below is a list of registry keys/values that are monitored by this rule: - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session. - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions. - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections. - fAllowUnsolicited: Allows unsolicited remote assistance offers. - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control. - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer. - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service. - SecurityLayer: Specifies the security layer used for RDP connections.
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Winlogon AllowMultipleTSSessions Enable
Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
FlowCloud Registry Markers
Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Blackbyte Ransomware Registry
Detects specific windows registry modifications made by BlackByte ransomware variants. BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption. This rule triggers when any of the following registry keys are set to DWORD 1, however all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Potential NetWire RAT Activity - Registry
Detects registry keys related to NetWire RAT
Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
Access To .Reg/.Hive Files By Uncommon Applications
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
Microsoft Office Trusted Location Updated
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.