Sigma Rules

TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1003.002 · Security Account Manager+5

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

Windowssystem

Florian Roth (Nextron Systems)+3Sun Mar 05windows

TA0010 · ExfiltrationT1048 · Exfiltration Over Alternative Protocol

Tap Driver Installation

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Windowssystem

Daniil Yugoslavskiy+2Thu Oct 24windows

TA0005 · Defense EvasionT1070.003 · Clear Command History

Clear PowerShell History - PowerShell Module

Detects keywords that could indicate clearing PowerShell history

WindowsPowerShell Module

Ilyas Ochkov+3Fri Oct 25windows

TA0005 · Defense EvasionT1070.003 · Clear Command History

Clear PowerShell History - PowerShell

Detects keywords that could indicate clearing PowerShell history

WindowsPowerShell Script

Ilyas Ochkov+3Tue Jan 25windows

DNS Exfiltration and Tunneling Tools Execution

Well-known DNS Exfiltration tools execution

TA0010 · ExfiltrationT1048.001 · Exfiltration Over Symmetric Encrypted Non-C2 ProtocolTA0011 · Command and ControlT1071.004 · DNS+1

Daniil Yugoslavskiy+1Thu Oct 24windows

Copying Sensitive Files with Credential Data

Files with well-known filenames (sensitive files with credential data) copying

TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.003 · NTDS2013-07-001 · CAR 2013-07-001+1

Teymur Kheirkhabarov+2Tue Oct 22windows

Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE

Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall

TA0005 · Defense EvasionT1562.004 · Disable or Modify System Firewall

Sander Wiebing+3Mon May 25windows

Start Windows Service Via Net.EXE

Detects the usage of the "net.exe" command to start a service using the "start" flag

TA0002 · ExecutionT1569.002 · Service Execution

Timur Zinniatullin+2Mon Oct 21windows

New DLL Registered Via Odbcconf.EXE

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

TA0005 · Defense EvasionT1218.008 · Odbcconf

Kirill Kiryanov+4Mon May 22windows

Response File Execution Via Odbcconf.EXE

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

TA0005 · Defense EvasionT1218.008 · Odbcconf

Kirill Kiryanov+4Mon May 22windows

Suspicious Encoded PowerShell Command Line

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

TA0002 · ExecutionT1059.001 · PowerShell

Florian Roth (Nextron Systems)+5Mon Sep 03windows

New Service Creation Using PowerShell

Detects the creation of a new service using powershell.

TA0003 · PersistenceTA0004 · Privilege EscalationT1543.003 · Windows Service

Timur Zinniatullin+2Mon Feb 20windows

Direct Autorun Keys Modification

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder

Victor Sergeev+3Fri Oct 25windows

Dumping of Sensitive Hives Via Reg.EXE

Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.

TA0006 · Credential AccessT1003.002 · Security Account ManagerT1003.004 · LSA SecretsT1003.005 · Cached Domain Credentials+1

Teymur Kheirkhabarov+5Tue Oct 22windows

New Service Creation Using Sc.EXE

Detects the creation of a new service using the "sc.exe" utility.

TA0003 · PersistenceTA0004 · Privilege EscalationT1543.003 · Windows Service

Timur Zinniatullin+2Mon Feb 20windows

Detectionhighstable

Suspicious Eventlog Clearing or Configuration Change Activity

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

TA0005 · Defense EvasionT1070.001 · Clear Windows Event LogsT1562.002 · Disable Windows Event Logging2016-04-002 · CAR 2016-04-002

Ecco+4Thu Sep 26windows

Local Accounts Discovery

Local accounts, System Owner/User discovery using operating systems utilities

TA0007 · DiscoveryT1033 · System Owner/User DiscoveryT1087.001 · Local Account

Timur Zinniatullin+2Mon Oct 21windows

Shadow Copies Creation Using Operating Systems Utilities

Shadow Copies creation using operating systems utilities, possible credential access

TA0006 · Credential AccessT1003 · OS Credential DumpingT1003.002 · Security Account ManagerT1003.003 · NTDS

Teymur Kheirkhabarov+2Tue Oct 22windows

Detectionhighstable

Shadow Copies Deletion Using Operating Systems Utilities

Shadow Copies deletion using operating systems utilities

TA0005 · Defense EvasionTA0040 · ImpactT1070 · Indicator RemovalT1490 · Inhibit System Recovery

Florian Roth (Nextron Systems)+5Tue Oct 22windows

Tap Installer Execution

Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques

TA0010 · ExfiltrationT1048 · Exfiltration Over Alternative Protocol

Daniil Yugoslavskiy+2Thu Oct 24windows