Sigma Rules
889 rules found for "persistence"
Windows Network Access Suspicious desktop.ini Action
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Remote Access Tool Services Have Been Installed - Security
Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform
Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
A New Trust Was Created To A Domain
Addition of trusted domains is rare and should be verified for legitimacy.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool.
Password Change on Directory Service Restore Mode (DSRM) Account
Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts with names resembling ANONYMOUS LOGON, such as variants using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials.
Possible Shadow Credentials Added
Detects the possible addition of shadow credentials to an Active Directory object.
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events, based on attributes such as paths, command-line flags, etc.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data-destructive activities.
Suspicious Scheduled Task Update
Detects a scheduled task update event that contains suspicious keywords.
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe.
Sysmon Channel Reference Deletion
Detects potential threat actor tampering with the Sysmon manifest, which can eventually disable it.
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation.
Local User Creation
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
WMI Persistence - Security
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Microsoft Defender Blocked from Loading Unsigned DLL
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL.
Unsigned Binary Loaded From Suspicious Location
Detects the Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations.
HybridConnectionManager Service Running
Rule to detect the Hybrid Connection Manager service running on an endpoint.
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server loading a Callout DLL specified in the registry.
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a Callout DLL specified in the registry could not be loaded.
CobaltStrike Service Installations - System
Detects known malicious service installations that appear in cases in which a Cobalt Strike beacon performs privilege escalation or lateral movement.
KrbRelayUp Service Installation
Detects service creation by the KrbRelayUp tool, used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).
Moriya Rootkit - System
Detects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.
NetSupport Manager Service Install
Detects NetSupport Manager service installation on the target system.
New PDQDeploy Service - Server Side
Detects a PDQDeploy service installation, which indicates that PDQDeploy was installed on the machine. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines.
New PDQDeploy Service - Client Side
Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy, it installs a remote service on the target machine with the name "PDQDeployRunner-X", where "X" is an integer starting from 1.
ProcessHacker Privilege Elevation
Detects the ProcessHacker tool elevating its privileges to a very high level.
Remote Access Tool Services Have Been Installed - System
Detects service installation of various remote access tool software. Such software is often abused by threat actors to perform
Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
Sliver C2 Default Service Installation
Detects known malicious service installations that appear in cases in which a Sliver implant executes PsExec commands.
Service Installed By Unusual Client - System
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Suspicious Service Installation
Detects suspicious service installation commands.
Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded PowerShell commands, temporary paths, etc.
RTCore Suspicious Service Installation
Detects the installation of the RTCore service, which could be an indication of abuse of the vulnerable Micro-Star MSI Afterburner driver.
Service Installation in Suspicious Folder
Detects service installation in the suspicious AppData folder.
Service Installation with Suspicious Folder Pattern
Detects service installation with suspicious folder patterns.
Suspicious Service Installation Script
Detects suspicious service installation scripts.
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task.
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task.
WMI Persistence
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.