Sigma Rules
1,585 rules found for "defense-evasion"
Windows Filtering Platform Blocked Connection From EDR Agent Binary
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent EDR agents from reporting security events.
AD Object WriteDAC Access
Detects WRITE_DAC access to a domain object
Add or Remove Computer from DC
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
Weak Encryption Enabled and Kerberoast
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Hacktool Ruler
Detects events that are generated when using the hacktool Ruler by SensePost.
Security Eventlog Cleared
One of the Windows event logs has been cleared, e.g. caused by execution of the "wevtutil cl" command.
Failed Code Integrity Checks
Detects code integrity failures such as missing page hashes or drivers corrupted by unauthorized modification. This could be a sign of tampered binaries.
Windows Default Domain GPO Modification
Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Windows Event Auditing Disabled
Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used by an entity that wants to bypass local logging to evade detection when Windows event logging is enabled and reviewed. It is also recommended to turn off "Local Group Policy Object Processing" via GPO, which ensures that Active Directory GPOs take precedence over local computer policies edited via tools such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause issues in scenarios involving one-off, machine-specific GPO modifications; however, it is recommended to perform such modifications in Active Directory anyway.
Important Windows Event Auditing Disabled
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
ETW Logging Disabled In .NET Processes - Registry
Detects potential adversary activity stopping ETW providers from recording loaded .NET assemblies.
HackTool - EDRSilencer Execution - Filter Added
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
HackTool - NoFilter Execution
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation, via hardcoded policy name indicators.
Invoke-Obfuscation CLIP+ Launcher - Security
Detects obfuscated use of Clip.exe to execute PowerShell.
Invoke-Obfuscation Obfuscated IEX Invocation - Security
Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework, based on the code block linked in the references.
Invoke-Obfuscation STDIN+ Launcher - Security
Detects obfuscated use of stdin to execute PowerShell.
Invoke-Obfuscation VAR+ Launcher - Security
Detects obfuscated use of environment variables to execute PowerShell.
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Detects obfuscated PowerShell via COMPRESS OBFUSCATION.
Invoke-Obfuscation RUNDLL LAUNCHER - Security
Detects obfuscated PowerShell via RUNDLL LAUNCHER.
Invoke-Obfuscation Via Stdin - Security
Detects obfuscated PowerShell via stdin in scripts.
Invoke-Obfuscation Via Use Clip - Security
Detects obfuscated PowerShell via use of Clip.exe in scripts.
Invoke-Obfuscation Via Use MSHTA - Security
Detects obfuscated PowerShell via use of MSHTA in scripts.
Invoke-Obfuscation Via Use Rundll32 - Security
Detects obfuscated PowerShell via use of Rundll32 in scripts.
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Detects obfuscated PowerShell via VAR++ LAUNCHER.
Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service installation.
NetNTLM Downgrade Attack
Detects a NetNTLM downgrade attack.
New or Renamed User Account with '$' Character
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
Possible DC Shadow Attack
Detects DCShadow via the creation of a new SPN.
RDP over Reverse SSH Tunnel WFP
Detects svchost hosting the RDP termsvcs service communicating with the loopback address.
Service Registry Key Read Access Request
Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
SCM Database Privileged Operation
Detects non-system users performing privileged operations on the SCM database.
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
Addition of SID History to Active Directory Object
An attacker can use the SID history attribute to gain additional privileges.
Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool.
Account Tampering - Suspicious Failed Logon Reasons
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Group Policy Abuse for Privilege Addition
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials.
Password Protected ZIP File Opened
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Possible Shadow Credentials Added
Detects the possible addition of shadow credentials to an Active Directory object.
Unauthorized System Time Modification
Detects scenarios where a potentially unauthorized application or user is modifying the system time.
Sysmon Channel Reference Deletion
Detects potential threat actor tampering with the Sysmon manifest, eventually disabling it.
User Added to Local Administrator Group
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation.
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes that are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.
Windows Defender Exclusion List Modified
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Windows Defender Exclusion Registry Key - Write Access Requested
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.