Sigma Rules
143 rules found for "collection"
Hacktool Ruler
This events that are generated when using the hacktool Ruler by Sensepost
Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
Local Privilege Escalation Indicator TabTip
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
ISATAP Router Address Was Set
Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
ADFS Database Named Pipe Connection By Uncommon Tool
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Zip A Folder With PowerShell For Staging In Temp - PowerShell
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Automated Collection Command PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Windows Screen Capture with CopyFromScreen
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Automated Collection Bookmarks Using Get-ChildItem PowerShell
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Powershell Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them.
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Recon Information for Export with PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Browser Started with Remote Debugging
Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
Data Copied To Clipboard Via Clip.EXE
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
HackTool - LaZagne Execution
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Suspicious Manipulation Of Default Accounts Via Net.EXE
Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks