Sigma Rules
1,585 rules found for "defense-evasion"
Microsoft Defender Blocked from Loading Unsigned DLL
Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service
NTLMv1 Logon Between Client and Server
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
Active Directory Certificate Services Denied Certificate Enrollment Request
Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
DHCP Server Loaded the CallOut DLL
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
DHCP Server Error Failed Loading the CallOut DLL
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Eventlog Cleared
One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
Important Windows Eventlog Cleared
Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
Vulnerable Netlogon Secure Channel Connection Allowed
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
Windows Defender Threat Detection Service Disabled
Detects when the "Windows Defender Threat Protection" service is disabled.
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - System
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Invoke-Obfuscation STDIN+ Launcher - System
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - System
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Windows Service Terminated With Error
Detects Windows services that got terminated for whatever reason
Important Windows Service Terminated With Error
Detects important or interesting Windows services that got terminated for whatever reason
Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Malware Detection History Deletion
Windows Defender logs when the history of detected infections is deleted.
Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Win Defender Restored Quarantine File
Detects the restoration of files from the defender quarantine
Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Remote Thread Creation Ttdinject.exe Proxy
Detects a remote thread creation of Ttdinject.exe used as proxy
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain