Sigma Rules
794 rules found for "Microsoft"
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
VMMap Signed Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
VMMap Unsigned Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
Suspicious WSMAN Provider Image Loads
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Outbound Network Connection Initiated By Microsoft Dialer
Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"
Network Connection Initiated To DevTunnels Domain
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Office Application Initiated Network Connection To Non-Local IP
Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
Outbound RDP Connections Over Non-Standard Tools
Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
PUA - PAExec Default Named Pipe
Detects PAExec default named pipe
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Powershell Add Name Resolution Policy Table Rule
Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Registry-Free Process Scope COR_PROFILER
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Manipulation of User Computer or Group Security Principals Across AD
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Enable Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
PowerShell Remote Session Creation
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Script With File Upload Capabilities
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.