Sigma Rules
2,824 rules found
Win Susp Computer Name Containing Samtheadmin
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Suspicious LDAP-Attributes Used
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Password Dumper Activity on LSASS
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
Reconnaissance Activity
Detects activity as "net user administrator /domain" and "net group domain admins /domain"
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Uncommon Outbound Kerberos Connection - Security
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Possible Shadow Credentials Added
Detects possible addition of shadow credentials to an active directory object.
Suspicious PsExec Execution
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task Update
Detects update to a scheduled task event that contain suspicious keywords.
Unauthorized System Time Modification
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
Tap Driver Installation - Security
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Suspicious Teams Application Related ObjectAcess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Transferring Files with Credential Data via Network Shares
Transferring files with well-known filenames (sensitive files with credential data) using network shares
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
User Logoff Event
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
VSSAudit Security Event Source Registration
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
WMI Persistence - Security
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Locked Workstation
Detects locked workstation session events that occur automatically after a standard period of inactivity.
Microsoft Defender Blocked from Loading Unsigned DLL
Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Suspicious Application Installed
Detects suspicious application installed by looking at the added shortcut to the app resolver cache
Suspicious Rejected SMB Guest Logon From IP
Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
Unsigned or Unencrypted SMB Connection to Share Established
Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.
Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service