Sigma Rules
2,824 rules found
RDP Login from Localhost
An RDP logon whose source address is localhost may be a tunnelled logon (e.g. RDP forwarded over a local port) rather than a genuine interactive session.
A Security-Enabled Global Group Was Deleted
Detects activity when a security-enabled global group is deleted
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Outgoing Logon with New Credentials
Detects 4624 logon events with logon type 9 (NewCredentials), i.e. an outgoing logon using explicitly specified alternate credentials such as runas /netonly.
Potential Privilege Escalation via Local Kerberos Relay over LDAP
Detects a suspicious local successful logon event where the authentication package is Kerberos, the remote address is localhost, and the target user SID is the built-in local Administrator account (RID 500). This may indicate a Kerberos relay attack variant that can be used to elevate privileges locally from a low-privileged domain user to local SYSTEM.
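The logon-event rules above (RDP from localhost, RDP/SMB logons and failed logons from public IPs, outgoing logons with new credentials, and the local Kerberos relay pattern) all key on the same handful of 4624/4625 fields. The following is an added example, not one of the SigmaHQ rules themselves: it evaluates the conditions described above over constructed events whose field names follow the Windows Security log (EventID, LogonType, IpAddress, AuthenticationPackageName, TargetUserSid). The "public" test uses explicit non-public CIDR ranges, as the rules do, rather than Python's is_private, which would also exclude documentation ranges such as 203.0.113.0/24; the logon type 9 mapping for "Outgoing Logon with New Credentials" is an assumption stated here.

```python
"""Triage of constructed 4624/4625 events against the logon rules listed above.

Added example; not SigmaHQ rule text. Field names follow the Security log.
"""
import ipaddress

# Ranges treated as "not public", mirroring the explicit CIDR filters the rules use.
# ipaddress' is_private would also exclude 203.0.113.0/24 etc., which we use as a
# stand-in for a routable source below (constructed sample data).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_public_ip(value):
    """True only for a parseable address outside the non-public ranges.

    4624/4625 carry '-' or 'LOCAL' when no address was recorded; those are not public.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in NON_PUBLIC)


def is_localhost(value):
    return value == "::1" or value.startswith("127.")


def match_logon_rules(ev):
    """Return the names of the listed rules whose conditions the event satisfies."""
    hits = []
    eid = ev.get("EventID")
    ltype = ev.get("LogonType")
    ip = ev.get("IpAddress", "-")
    if eid == 4624:
        if ltype == 10 and is_localhost(ip):
            hits.append("RDP Login from Localhost")
        if ltype == 10 and is_public_ip(ip):
            hits.append("External Remote RDP Logon from Public IP")
        if ltype == 3 and is_public_ip(ip):
            hits.append("External Remote SMB Logon from Public IP")
        if ltype == 9:  # NewCredentials (assumption: e.g. runas /netonly)
            hits.append("Outgoing Logon with New Credentials")
        # Kerberos logon from localhost targeting RID 500: the local relay pattern.
        # Note the SID check also matches the domain Administrator (same RID).
        if (ev.get("AuthenticationPackageName") == "Kerberos"
                and is_localhost(ip)
                and ev.get("TargetUserSid", "").endswith("-500")):
            hits.append("Potential Privilege Escalation via Local Kerberos Relay over LDAP")
    elif eid == 4625 and is_public_ip(ip):
        hits.append("Failed Logon From Public IP")
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "127.0.0.1",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.7",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "203.0.113.7",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "svc_backup",
     "TargetUserSid": "S-1-5-21-111-222-333-1210"},
    {"EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.9",
     "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "127.0.0.1",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-111-222-333-500"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.0.5",
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4624, "LogonType": 9, "IpAddress": "::1",
     "AuthenticationPackageName": "Negotiate", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-111-222-333-1105"},
]


def triage(events=SAMPLE_EVENTS):
    """Map each event's target user to the rules it triggers (empty list = benign)."""
    return [(ev["TargetUserName"], match_logon_rules(ev)) for ev in events]


if __name__ == "__main__":
    for user, rules in triage():
        print(f"{user:14} {rules or '-'}")
```

The public-IP rules are only as good as the address recorded in the event: logons arriving through a load balancer, VPN concentrator or NAT will show an internal address and never match, so pair them with the network-boundary checks the "Failed Logon From Public IP" description alludes to.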
RottenPotato Like Attack Pattern
Detects logon events with the characteristics of those generated during a RottenPotato-style attack and by similar tools.
Successful Account Login Via WMI
Detects successful logon attempts performed with WMI
Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked-connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may add WFP filters to prevent EDR agents from reporting security events.
Azure AD Health Monitoring Agent Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Azure AD Health Service Agents Registry Keys Access
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure the SACL is set to propagate to its sub-keys.
Powerview Add-DomainObjectAcl DCSync AD Extend Right
Detects the backdooring of a domain object to grant the extended rights associated with DCSync to a regular user or machine account, using PowerView's Add-DomainObjectAcl cmdlet; the grantee can then re-obtain the password hashes of any user or computer.
AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups.
ADCS Certificate Template Configuration Vulnerability
Detects certificate creation using a template whose permissions let the enrollee supply the subject.
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate creation using a template whose permissions let the enrollee supply the subject and which carries a risky extended key usage (EKU).
Add or Remove Computer from DC
Detects the creation or removal of a computer account. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Access To ADMIN$ Network Share
Detects access to ADMIN$ network share
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
Active Directory Replication from Non Machine Account
Detects potential abuse of the Active Directory Replication Service (ADRS) by a non-machine account to request credentials.
Potential AD User Enumeration From Non-Machine Account
Detects read access to a domain user from a non-machine account
Enabled User Right in AD to Control User Objects
Detects the assignment of the SeEnableDelegationPrivilege right in Active Directory; a user holding this right can take control of other AD user objects.
Active Directory User Backdoors
Detects scenarios where one account is given control of another user or computer account without needing that account's credentials.
Weak Encryption Enabled and Kerberoast
Detects a user account being configured to allow weak Kerberos encryption, which makes the account's service tickets or password easier to crack.
Hacktool Ruler
Detects events generated when using the hacktool Ruler by SensePost.
Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe.
Security Eventlog Cleared
Detects that one of the Windows event logs has been cleared, e.g. by execution of the "wevtutil cl" command.
Processes Accessing the Microphone and Webcam
Detects processes accessing the microphone and webcam on an endpoint, as a potential adversary would.
CobaltStrike Service Installations - Security
Detects known malicious service installations that appear when a Cobalt Strike beacon elevates privileges or moves laterally.
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or drivers corrupted by unauthorized modification. This could be a sign of tampered binaries.
DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to coerce NTLM authentication from any machine that has the Print Spooler service enabled.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Mimikatz DC Sync
Detects security events characteristic of a Mimikatz DCSync operation.
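"Active Directory Replication from Non Machine Account" and "Mimikatz DC Sync" above both rest on the same observation: a DCSync is a 4662 directory-service access that exercises the replication control-access rights, and it is only expected from domain controller machine accounts. The following is an added example, not one of the SigmaHQ rules: it applies that logic to constructed 4662 events. The three rights GUIDs are the schema-defined DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; the allow-list of expected replicators (machine accounts and an Azure AD Connect MSOL_ account) is an assumption to tune for your environment.

```python
"""Triage of constructed 4662 events for DCSync-style replication requests.

Added example; not SigmaHQ rule text. Field names follow the Security log
(SubjectUserName, SubjectDomainName, AccessMask, Properties).
"""

# Control-access rights that, combined, allow replicating directory secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # the "Control Access" bit in the 4662 AccessMask


def replication_rights_in(properties):
    """Names of replication rights whose GUID appears in the Properties field."""
    text = properties.lower()
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in text}


def is_expected_replicator(subject_user):
    # Assumption: domain controllers (machine accounts, name ends in '$') and an
    # Azure AD Connect MSOL_ service account replicate legitimately.
    return subject_user.endswith("$") or subject_user.startswith("MSOL_")


def check_replication_event(ev):
    """Return an alert dict for a suspicious replication request, else None."""
    if ev.get("EventID") != 4662:
        return None
    mask = int(str(ev.get("AccessMask", "0x0")), 16)  # logged as hex text, e.g. '0x100'
    if not mask & CONTROL_ACCESS:
        return None
    rights = replication_rights_in(ev.get("Properties", ""))
    if not rights:
        return None
    subject = ev.get("SubjectUserName", "")
    if is_expected_replicator(subject):
        return None
    return {
        "subject": f"{ev.get('SubjectDomainName', '')}\\{subject}",
        "rights": sorted(rights),
        # Get-Changes plus Get-Changes-All is what a full DCSync needs.
        "full_dcsync": {"DS-Replication-Get-Changes",
                        "DS-Replication-Get-Changes-All"} <= rights,
    }


# Constructed sample events (not real telemetry). Properties mirrors the
# multi-line GUID list the event carries.
BOTH_RIGHTS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": BOTH_RIGHTS},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": BOTH_RIGHTS},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x20", "Properties": BOTH_RIGHTS},
]


def triage(events=SAMPLE_EVENTS):
    return [a for a in (check_replication_event(ev) for ev in events) if a]


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

4662 is noisy and only produced when the "Directory Service Access" subcategory is audited and the domain NC has a matching SACL; the rights GUIDs also show up in benign Azure AD Connect and backup traffic, so the allow-list, not the GUID match, is what makes this usable.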
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Device Installation Blocked
Detects an installation of a device that is forbidden by the system policy
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. An adversary may do this to bypass local logging and evade detection where Windows event logs are collected and reviewed. It is also recommended to turn off "Local Group Policy Object Processing" via GPO, which ensures that Active Directory GPOs take precedence over local computer policies edited with a tool such as "gpedit.msc". Note that disabling "Local Group Policy Object Processing" may cause issues for one-off local GPO modifications; such modifications should be made in Active Directory anyway.
Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important subcategories such as "Process Creation" or "Logon" is disabled.
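Both audit-policy rules above are built on event 4719 (System audit policy was changed), which names the subcategory by GUID and encodes the change as message placeholders in AuditPolicyChanges. The following is an added example, not one of the SigmaHQ rules: it decodes constructed 4719 events, flags only removals, and raises the severity when the subcategory is one a detection program depends on. The placeholder codes and subcategory GUIDs are taken from Microsoft's audit-policy definitions; confirm the GUIDs for your build with auditpol /list /subcategory:* /r.

```python
"""Triage of constructed 4719 audit-policy-change events.

Added example; not SigmaHQ rule text. Field names follow the Security log
(SubcategoryGuid, AuditPolicyChanges, SubjectUserName).
"""

# Message placeholders that 4719 uses in AuditPolicyChanges.
AUDIT_CHANGE_CODES = {
    "%%8448": "Success removed",
    "%%8449": "Success added",
    "%%8450": "Failure removed",
    "%%8451": "Failure added",
}
REMOVAL_CODES = {"%%8448", "%%8450"}

# Subcategories whose loss blinds the other rules in this catalog (selection is
# an assumption; extend to taste). GUIDs from the Windows audit subcategory table.
IMPORTANT_SUBCATEGORIES = {
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE922B-69AE-11D9-BED3-505054503030}": "Process Creation",
    "{0CCE922F-69AE-11D9-BED3-505054503030}": "Audit Policy Change",
    "{0CCE9235-69AE-11D9-BED3-505054503030}": "User Account Management",
    "{0CCE9237-69AE-11D9-BED3-505054503030}": "Security Group Management",
}


def decode_changes(field):
    """AuditPolicyChanges is a comma-separated list of %%-codes, e.g. '%%8448, %%8450'."""
    return [code.strip() for code in field.split(",") if code.strip()]


def classify_audit_change(ev):
    """Return an alert dict when auditing was removed, else None."""
    if ev.get("EventID") != 4719:
        return None
    codes = decode_changes(ev.get("AuditPolicyChanges", ""))
    removed = [AUDIT_CHANGE_CODES[c] for c in codes if c in REMOVAL_CODES]
    if not removed:
        return None  # auditing was added or unchanged, not disabled
    guid = ev.get("SubcategoryGuid", "").upper()
    important = IMPORTANT_SUBCATEGORIES.get(guid)
    return {
        "severity": "high" if important else "medium",
        "subcategory": important or guid,
        "changes": removed,
        "by": ev.get("SubjectUserName", ""),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4719, "SubjectUserName": "jdoe",
     "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},
    {"EventID": 4719, "SubjectUserName": "SYSTEM",
     "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8449, %%8451"},
    {"EventID": 4719, "SubjectUserName": "jdoe",
     "SubcategoryGuid": "{0CCE9240-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8450"},
]


def triage(events=SAMPLE_EVENTS):
    return [a for a in (classify_audit_change(ev) for ev in events) if a]


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Because "Audit Policy Change" is itself a subcategory, an adversary who disables it first silences the very event this logic depends on; treat a removal in that subcategory as high severity and forward 4719 off-host as soon as it is written.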
ETW Logging Disabled In .NET Processes - Registry
Detects registry changes that stop ETW providers from recording loaded .NET assemblies, as an adversary would to blind assembly-load telemetry.
DPAPI Domain Backup Key Extraction
Detects tools extracting the LSA secret holding the DPAPI domain backup key from Domain Controllers.
DPAPI Domain Master Key Backup Attempt
Detects any attempt to back up the DPAPI master key. This event is generated on the source host, not on the Domain Controller.
External Disk Drive Or USB Storage Device Was Recognized By The System
Detects external disk drives or plugged-in USB devices.
Persistence and Execution at Scale via GPO Scheduled Task
Detects lateral movement via a GPO-deployed scheduled task, a technique usually used to deploy ransomware at scale.
Hidden Local User Creation
Detects the creation of a hidden local user account (a user name ending in "$") via event ID 4720, which should not happen for a normal user account.
HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
HybridConnectionManager Service Installation
Rule to detect the Hybrid Connection Manager service installation.
Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
Possible Impacket SecretDump Remote Activity
Detects AD credential dumping using Impacket's secretsdump hacktool.