Public Domain Built-in Rules
The following table shows the public domain built-in rules incorporated into FortiSIEM.
Rules that are adopted from the SIGMA rule set are licensed under the Detection Rule License available here.
| FortiSIEM Rule | Author | Source Link |
|---|---|---|
| AWS CloudTrail Important Changes | vitaliy0x1 | https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws_cloudtrail_disable_logging.yml |
| AWS EC2 Userdata Download | faloker | https://github.com/SigmaHQ/sigma/blob/master/rules/cloud/aws_ec2_download_userdata.yml |
| Linux: Attempt to Disable Crowdstrike Service | Ömer Günal | https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_security_tools_disabling.yml |
| Linux: Attempt to Disable CarbonBlack Service | Ömer Günal | https://github.com/SigmaHQ/sigma/blob/master/rules/linux/lnx_security_tools_disabling.yml |
| Windows: Turla Service Install | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_apt_carbonpaper_turla.yml |
| Windows: StoneDrill Service Install | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_apt_stonedrill.yml |
| Windows: Turla PNG Dropper Service | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_apt_turla_service_png.yml |
| Windows: smbexec.py Service Installation | Omer Faruk Celik | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_hack_smbexec.yml |
| Windows: Malicious Service Installations | Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_mal_service_installs.yml |
| Windows: Meterpreter or Cobalt Strike Getsystem Service Installation | Teymur Kheirkhabarov, Ecco | |
| Windows: PsExec Tool Execution | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/other/win_tool_psexec.yml |
| Windows: Local User Creation | Patrick Bareiss | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_user_creation.yml |
| Windows: Local User Creation Via Powershell | @ROxPinTeddy | |
| Windows: Local User Creation Via Net.exe | Endgame, JHasenbusch (adapted to sigma for oscd.community) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_net_user_add.yml |
| Windows: Suspicious ANONYMOUS LOGON Local Account Created | James Pemberton / @4A616D6573 | |
| Windows: New or Renamed User Account with $ in Attribute SamAccountName | Ilyas Ochkov, oscd.community | |
| Windows: AD Privileged Users or Groups Reconnaissance | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_account_discovery.yml |
| Windows: Administrator and Domain Admin Reconnaissance | Florian Roth (rule), Jack Croock (method) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_net_recon_activity.yml |
| Windows: Access to ADMIN$ Share | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_admin_share_access.yml |
| Windows: Login with WMI | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_wmi_login.yml |
| Windows: Admin User Remote Logon | juju4 | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_admin_rdp_login.yml |
| Windows: RDP Login from Localhost | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_rdp_localhost_login.yml |
| Windows: Interactive Logon to Server Systems | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_interactive_logons.yml |
| Windows: Pass the Hash Activity | Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_pass_the_hash.yml |
| Windows: Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_pass_the_hash_2.yml |
| Windows: Successful Overpass the Hash Attempt | Roberto Rodriguez (source), Dominik Schaudel (rule) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_overpass_the_hash.yml |
| Windows: RottenPotato Like Attack Pattern | @SBousseaden, Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_rottenpotato.yml |
| Windows: Hacktool Ruler | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_ruler.yml |
| Windows: Metasploit SMB Authentication | Chakib Gzenayi (@Chak092), Hosni Mribah | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_metasploit_authentication.yml |
| Windows: Kerberos Manipulation | Florian Roth | |
| Windows: Suspicious Kerberos RC4 Ticket Encryption | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_rc4_kerberos.yml |
| Windows: Persistence and Execution at Scale via GPO Scheduled Task | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_GPO_scheduledtasks.yml |
| Windows: Powerview Add-DomainObjectAcl DCSync AD Extend Right | Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community | |
| Windows: AD Object WriteDAC Access | Roberto Rodriguez @Cyb3rWard0g | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_ad_object_writedac_access.yml |
| Windows: Active Directory Replication from Non Machine Account | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: AD User Enumeration | Maxime Thiebaut (@0xThiebaut) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_ad_user_enumeration.yml |
| Windows: Enabled User Right in AD to Control User Objects | @neu5ron | |
| Windows: Eventlog Cleared | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_eventlog_cleared.yml |
| Windows: MSHTA Suspicious Execution 01 | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_mshta_execution.yml |
| Windows: Dumpert Process Dumper | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_hack_dumpert.yml |
| Windows: Blue Mockingbird | Trent Liffick (@tliffick) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/win_mal_blue_mockingbird.yml |
| Windows: Windows PowerShell Web Request | James Pemberton / @4A616D6573 | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/win_powershell_web_request.yml |
| Windows: DNS Tunnel Technique from MuddyWater | @caliskanfurkan_ | |
| Windows: Advanced IP Scanner Detected | @ROxPinTeddy | |
| Windows: APT29 Detected | Florian Roth | |
| Windows: Baby Shark Activity | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_babyshark.yml |
| Windows: Judgement Panda Credential Access Activity | Florian Roth | |
| Windows: Logon Scripts - UserInitMprLogonScript | Tom Ueltschi (@c_APT_ure) | |
| Windows: BlueMashroom DLL Load | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_bluemashroom.yml |
| Windows: Password Change on Directory Service Restore Mode DSRM Account | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_dsrm_password_change.yml |
| Windows: Account Tampering - Suspicious Failed Logon Reasons | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_failed_logon_reasons.yml |
| Windows: Backup Catalog Deleted | Florian Roth (rule), Tom U. @c_APT_ure (collection) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_backup_delete.yml |
| Windows: Failed Code Integrity Checks | Thomas Patzke | |
| Windows: DHCP Server Loaded the CallOut DLL | Dimitrios Slamaris | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_dhcp_config.yml |
| Windows: Suspicious LDAP-Attributes Used | xknow @xknow_infosec | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_ldap_dataexchange.yml |
| Windows: Password Dumper Activity on LSASS | | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_lsass_dump.yml |
| Windows: Generic Password Dumper Activity on LSASS | Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_lsass_dump_generic.yml |
| Windows: Suspicious PsExec Execution | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_psexec.yml |
| Windows: Suspicious Access to Sensitive File Extensions | Samir Bousseaden | |
| Windows: Secure Deletion with SDelete | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_sdelete.yml |
| Windows: Unauthorized System Time Modification | @neu5ron | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_time_modification.yml |
| Windows: Windows Defender Exclusion Set | @BarryShooshooga | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/other/win_defender_bypass.yml |
| Windows: Windows Pcap Driver Installed | Cian Heasley | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/other/win_pcap_drivers.yml |
| Windows: Weak Encryption Enabled and Kerberoast | @neu5ron | |
| Windows: Remote Task Creation via ATSVC Named Pipe | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_atsvc_task.yml |
| Windows: Chafer Activity | Florian Roth, Markus Neis | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_chafer_mar18.yml |
| Windows: WMIExec VBS Script | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_cloudhopper.yml |
| Windows: CrackMapExecWin Activity | Markus Neis | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_dragonfly.yml |
| Windows: Elise Backdoor | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_elise.yml |
| Windows: Emissary Panda Malware SLLauncher Activity | Florian Roth | |
| Windows: Empire Monkey Activity | Markus Neis | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_empiremonkey.yml |
| Windows: Equation Group DLL-U Load | Florian Roth | |
| Windows: EvilNum Golden Chickens Deployment via OCX Files | Florian Roth | |
| Windows: GALLIUM Artefacts Via Hash Match | Tim Burrell | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_gallium.yml |
| Windows: GALLIUM Artefacts Via Hash and Process Match | Tim Burrell | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_gallium.yml |
| Windows: Windows Credential Editor Startup | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/sysmon_hack_wce.yml |
| Windows: Greenbug Campaign Indicators | Florian Roth | |
| Windows: Hurricane Panda Activity | Florian Roth | |
| Windows: Judgement Panda Exfiltration Activity | Florian Roth | |
| Windows: Ke3chang Registry Key Modifications | Markus Neis, Swisscom | |
| Windows: Lazarus Session Highjacker | Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1) | |
| Windows: Mustang Panda Dropper Activity | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_mustangpanda.yml |
| Windows: Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_slingshot.yml |
| Windows: Sofacy Trojan Loader Activity | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_sofacy.yml |
| Windows: Ps.exe Renamed SysInternals Tool | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_ta17_293a_ps.yml |
| Windows: TAIDOOR RAT DLL Load | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_taidoor.yml |
| Windows: TropicTrooper Campaign November 2018 | @41thexplorer, Microsoft Defender ATP | |
| Windows: Turla Group Commands May 2020 | Florian Roth | |
| Windows: Unidentified Attacker November 2018 Activity 1 | @41thexplorer, Microsoft Defender ATP | |
| Windows: Unidentified Attacker November 2018 Activity 2 | @41thexplorer, Microsoft Defender ATP | |
| Windows: Winnti Malware HK University Campaign | Florian Roth, Markus Neis | |
| Windows: Winnti Pipemon Characteristics | Florian Roth | |
| Windows: Operation Wocao Activity | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_wocao.yml |
| Windows: ZxShell Malware | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_apt_zxshell.yml |
| Windows: Active Directory User Backdoors | @neu5ron | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_alert_ad_user_backdoors.yml |
| Windows: Mimikatz DC Sync | Benjamin Delpy, Florian Roth, Scott Dermott | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_dcsync.yml |
| Windows: Windows Event Auditing Disabled | @neu5ron | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_disable_event_logging.yml |
| Windows: DPAPI Domain Backup Key Extraction | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: DPAPI Domain Master Key Backup Attempt | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: External Disk Drive or USB Storage Device | Keith Wright | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_external_device.yml |
| Windows: Possible Impacket SecretDump Remote Activity | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_impacket_secretdump.yml |
| Windows: Obfuscated Powershell IEX invocation | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | |
| Windows: First Time Seen Remote Named Pipe | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_lm_namedpipe.yml |
| Windows: LSASS Access from Non-System Account | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_mal_creddumper.yml |
| Windows: WCE wceaux dll Access | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_mal_wceaux_dll.yml |
| Windows: MMC20 Lateral Movement | @2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_mmc20_lateral_movement.yml |
| Windows: NetNTLM Downgrade Attack | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_net_ntlm_downgrade.yml |
| Windows: Denied Access To Remote Desktop | Pushkarev Dmitry | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_not_allowed_rdp_access.yml |
| Windows: Possible DCShadow | Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_possible_dc_shadow.yml |
| Windows: Protected Storage Service Access | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: Scanner PoC for CVE-2019-0708 RDP RCE Vuln | Florian Roth (rule), Adam Bradbury (idea) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_rdp_bluekeep_poc_scanner.yml |
| Windows: RDP over Reverse SSH Tunnel | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_rdp_reverse_tunnel.yml |
| Windows: Register new Logon Process by Rubeus | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | |
| Windows: Remote PowerShell Sessions | Roberto Rodriguez @Cyb3rWard0g | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_remote_powershell_session.yml |
| Windows: Remote Registry Management Using Reg Utility | Teymur Kheirkhabarov, oscd.community | |
| Windows: SAM Registry Hive Handle Request | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: SCM Database Handle Failure | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: SCM Database Privileged Operation | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: Addition of Domain Trusts | Thomas Patzke | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_add_domain_trust.yml |
| Windows: Addition of SID History to Active Directory Object | Thomas Patzke, @atc_project (improvements) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_add_sid_history.yml |
| Windows: Failed Logon From Public IP | NVISO | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_susp_failed_logon_source.yml |
| Windows: Failed Logins with Different Accounts from Single Source System | Florian Roth | |
| Windows: Remote Service Activity via SVCCTL Named Pipe | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_svcctl_remote_service.yml |
| Windows: SysKey Registry Keys Access | Roberto Rodriguez @Cyb3rWard0g | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_syskey_registry_access.yml |
| Windows: Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_tap_driver_installation.yml |
| Windows: Transferring Files with Credential Data via Network Shares | Teymur Kheirkhabarov, oscd.community | |
| Windows: User Added to Local Administrators | Florian Roth | |
| Windows: Failed to Call Privileged Service LsaRegisterLogonProcess | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | |
| Windows: Suspicious Driver Loaded By User | xknow (@xknow_infosec), xorxes (@xor_xes) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_user_driver_loaded.yml |
| Windows: Suspicious Driver Load from Temp | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/sysmon_susp_driver_load.yml |
| Windows: File Created with System Process Name | Sander Wiebing | |
| Windows: Credential Dump Tools Dropped Files | Teymur Kheirkhabarov, oscd.community | |
| Windows: Detection of SafetyKatz | Markus Neis | |
| Windows: LSASS Memory Dump File Creation | Teymur Kheirkhabarov, oscd.community | |
| Windows: Microsoft Office Add-In Loading | NVISO | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_office_persistence.yml |
| Windows: QuarksPwDump Dump File | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_quarkspw_filedump.yml |
| Windows: RedMimicry Winnti Playbook Dropped File | Alexander Rausch | |
| Windows: Suspicious ADSI-Cache Usage By Unknown Tool | xknow @xknow_infosec | |
| Windows: Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_susp_desktop_ini.yml |
| Windows: Suspicious PROCEXP152 sys File Created In TMP | xknow (@xknow_infosec), xorxes (@xor_xes) | |
| Windows: Hijack Legit RDP Session to Move Laterally | Samir Bousseaden | |
| Windows: Windows Web shell Creation | Beyu Denis, oscd.community | |
| Windows: WMI Persistence - Script Event Consumer File Write | Thomas Patzke | |
| Windows: Suspicious Desktopimgdownldr Target File | Florian Roth | |
| Windows: In-memory PowerShell | Tom Kern, oscd.community | |
| Windows: PowerShell load within System Management Automation DLL | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: Fax Service DLL Search Order Hijack | NVISO | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/sysmon_susp_fax_dll.yml |
| Windows: Possible Process Hollowing Image Loading | Markus Neis | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/sysmon_susp_image_load.yml |
| Windows: .NET DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: CLR DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: GAC DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: Active Directory Parsing DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: Active Directory Kerberos DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: VBA DLL Loaded Via Office Applications | Antonlovesdnb | |
| Windows: WMI DLL Loaded Via Office Applications | Michael R. (@nahamike01) | |
| Windows: Loading dbghelp dbgcore DLL from Suspicious Processes | Perez Diego (@darkquassar), oscd.community, Ecco | |
| Windows: Svchost DLL Search Order Hijack | SBousseaden | |
| Windows: Unsigned Image Loaded Into LSASS Process | Teymur Kheirkhabarov, oscd.community | |
| Windows: Suspicious WMI Modules Loaded | Roberto Rodriguez @Cyb3rWard0g | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/sysmon_wmi_module_load.yml |
| Windows: WMI Persistence - Command Line Event Consumer | Thomas Patzke | |
| Windows: Registry Entries Found For Azorult Malware | Trent Liffick | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/mal_azorult_reg.yml |
| Windows: Registry Entries Found For FlowCloud Malware | NVISO | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/win_mal_flowcloud.yml |
| Windows: Octopus Scanner Malware Detected | NVISO | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/win_mal_octopus_scanner.yml |
| Windows: Registry Entries For Ursnif Malware | megan201296 | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/win_mal_ursnif.yml |
| Windows: Dllhost.exe Internet Connection | bartblaze | |
| Windows: Suspicious Typical Malware Back Connect Ports | Florian Roth | |
| Windows: Notepad Making Network Connection | EagleEye Team | |
| Windows: PowerShell Network Connections | Florian Roth | |
| Windows: RDP Over Reverse SSH Tunnel | Samir Bousseaden | |
| Windows: Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | |
| Windows: Remote PowerShell Session | Roberto Rodriguez @Cyb3rWard0g | |
| Windows: Rundll32 Internet Connection | Florian Roth | |
| Windows: Network Connections From Executables in Suspicious Program Locations | Florian Roth | |
| Windows: Outbound RDP Connections From Suspicious Executables | Markus Neis - Swisscom | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_susp_rdp.yml |
| Windows: Outbound Kerberos Connection From Suspicious Executables | Ilyas Ochkov, oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml ; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml |
| Windows: Microsoft Binary Github Communication | Michael Haag (idea), Florian Roth (rule) | |
| Windows: Microsoft Binary Suspicious External Communication | Florian Roth | |
| Windows: Data Compressed - Powershell | Timur Zinniatullin, oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| Windows: Dnscat Execution | Daniil Yugoslavskiy, oscd.community | |
| Windows: PowerShell Credential Prompt | John Lambert (idea), Florian Roth (rule) | |
| Windows: Powershell Profile ps1 Modification | HieuTT35 | |
| Windows: Credentials Dumping Tools Accessing LSASS Memory | Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) | |
| Windows: Suspicious In-Memory Module Execution | Perez Diego (@darkquassar), oscd.community | |
| Windows: Suspect Svchost Memory Access | Tim Burrell | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/sysmon_invoke_phantom.yml |
| Windows: Credential Dumping by LaZagne | Bhabesh Raj | |
| Windows: LSASS Memory Dump | Samir Bousseaden | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/sysmon_lsass_memdump.yml |
| Windows: Malware Shellcode in Verclsid Target Process | John Lambert (tech), Florian Roth (rule) | |
| Windows: Mimikatz through Windows Remote Management | Patryk Prauze - ING Tech | |
| Windows: Turla Group Lateral Movement | Markus Neis | |
| Windows: Hiding Files with Attrib exe | Sami Ruohonen | |
| Windows: Modification of Boot Configuration | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_bootconf_mod.yml |
| Windows: SquiblyTwo | Markus Neis / Florian Roth | |
| Windows: Change Default File Association | Timur Zinniatullin, oscd.community | |
| Windows: Cmdkey Cached Credentials Recon | jmallette | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_cmdkey_recon.yml |
| Windows: CMSTP UAC Bypass via COM Object Access | Nik Seetharaman | |
| Windows: Cmd exe CommandLine Path Traversal | xknow @xknow_infosec | |
| Windows: Unusual Control Panel Items | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) | |
| Windows: Copying Sensitive Files with Credential Data | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | |
| Windows: Fireball Archer Malware Install | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_crime_fireball.yml |
| Windows: Maze Ransomware | Florian Roth | |
| Windows: Snatch Ransomware | Florian Roth | |
| Windows: Data Compressed - rar.exe | Timur Zinniatullin, E.M. Anhaus, oscd.community | |
| Windows: DNS Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | |
| Windows: DNSCat2 Powershell Detection Via Process Creation | Cian Heasley | |
| Windows: Encoded FromBase64String | Florian Roth | |
| Windows: Encoded IEX | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_encoded_iex.yml |
| Windows: COMPlus-ETWEnabled Command Line Arguments | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | |
| Windows: Disabling ETW Trace | @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community | |
| Windows: Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | |
| Windows: Exploit for CVE-2015-1641 | Florian Roth | |
| Windows: Exploit for CVE-2017-0261 | Florian Roth | |
| Windows: Droppers Exploiting CVE-2017-11882 | Florian Roth | |
| Windows: Exploit for CVE-2017-8759 | Florian Roth | |
| Windows: Exploiting SetupComplete.cmd CVE-2019-1378 | Florian Roth | |
| Windows: Exploiting CVE-2019-1388 | Florian Roth | |
| Windows: Exploited CVE-2020-10189 Zoho ManageEngine | Florian Roth | |
| Windows: Suspicious PrinterPorts Creation CVE-2020-1048 | EagleEye Team, Florian Roth | |
| Windows: DNS RCE CVE-2020-1350 | Florian Roth | |
| Windows: File/Folder Permissions Modifications Via Command line Utilities | Jakob Weinzettl, oscd.community | |
| Windows: Grabbing Sensitive Hives via Reg Utility | Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community | |
| Windows: Bloodhound and Sharphound Hack Tool | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hack_bloodhound.yml |
| Windows: Koadic Execution | wagga | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hack_koadic.yml |
| Windows: Rubeus Hack Tool | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hack_rubeus.yml |
| Windows: SecurityXploded Tool | Florian Roth | |
| Windows: HH exe Execution | E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hh_chm.yml |
| Windows: CreateMiniDump Hacktool | Florian Roth | |
| Windows: HTML Help Shell Spawn | Maxim Pavlunin | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_html_help_spawn.yml |
| Windows: Suspicious HWP Sub Processes | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_hwp_exploits.yml |
| Windows: Impacket Lateralization Detection | Ecco | |
| Windows: Indirect Command Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_indirect_cmd.yml |
| Windows: Suspicious Debugger Registration Cmdline | Florian Roth | |
| Windows: Interactive AT Job | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_interactive_at.yml |
| Windows: Invoke-Obfuscation Obfuscated IEX Invocation when to create process | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | |
| Windows: Windows Kernel and 3rd-Party Drivers Exploits Token Stealing | Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule) | |
| Windows: MSHTA Spawned by SVCHOST | Markus Neis | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_lethalhta.yml |
| Windows: Local Accounts Discovery | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | |
| Windows: LSASS Memory Dumping Using procdump | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_lsass_dump.yml |
| Windows: Adwind Remote Access Tool JRAT | Florian Roth, Tom Ueltschi | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_mal_adwind.yml |
| Windows: Dridex Process Pattern | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_dridex.yml |
| Windows: DTRACK Malware Process Creation | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_dtrack.yml |
| Windows: Emotet Malware Process Creation | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_emotet.yml |
| Windows: Formbook Malware Process Creation | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_formbook.yml |
| Windows: QBot Process Creation | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_qbot.yml |
| Windows: Ryuk Ransomware | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/malware/win_mal_ryuk.yml ; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_ryuk.yml |
| Windows: WScript or CScript Dropper | Margaritis Dimitrios (idea), Florian Roth (rule) | |
| Windows: Trickbot Malware Recon Activity | David Burkett, Florian Roth | |
| Windows: WannaCry Ransomware | Florian Roth (rule), Tom U. @c_APT_ure (collection) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_wannacry.yml |
| Windows: MavInject Process Injection | Florian Roth | |
| Windows: Meterpreter or Cobalt Strike Getsystem Service Start | Teymur Kheirkhabarov, Ecco | |
| Windows: Mimikatz Command Line | Teymur Kheirkhabarov, oscd.community | |
| Windows: MMC Spawning Windows Shell | Karneades, Swisscom CSIRT | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_mmc_spawn_shell.yml |
| Windows: Mouse Lock Credential Gathering | Cian Heasley | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_mouse_lock.yml |
| Windows: Mshta JavaScript Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_mshta_javascript.yml |
| Windows: MSHTA Spawning Windows Shell | Michael Haag | |
| Windows: Quick Execution of a Series of Suspicious Commands | juju4 | |
| Windows: Windows Network Enumeration | Endgame, JHasenbusch (ported for oscd.community) | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_net_enum.yml |
| Windows: Netsh RDP Port Opening | Sander Wiebing | |
| Windows: Netsh Port or Application Allowed | Markus Neis, Sander Wiebing | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_netsh_fw_add.yml |
| Windows: Netsh Program Allowed with Suspicious Location | Sander Wiebing | |
| Windows: Network Trace with netsh exe | Kutepov Anton, oscd.community | |
| Windows: Netsh Port Forwarding | Florian Roth | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_netsh_port_fwd.yml |
| Windows: Netsh RDP Port Forwarding | Florian Roth | |
| Windows: Harvesting of Wifi Credentials Using netsh exe | Andreas Hunkeler (@Karneades) | |
| Windows: Network Sniffing | Timur Zinniatullin, oscd.community | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_network_sniffing.yml |
| Windows: New Service Creation via sc.exe | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | |
| Windows: Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | |
| Windows: Microsoft Office Product Spawning Windows Shell | Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_office_shell.yml |
| Windows: MS Office Product Spawning Exe in User Directory | Jason Lynch | |
| Windows: Executable Used by PlugX in Uncommon Location | Florian Roth | |
| Windows: Possible Applocker Bypass | juju4 | |
| Windows: Detection of Possible Rotten Potato | Teymur Kheirkhabarov | |
|
|
Windows: Powershell AMSI Bypass via NET Reflection |
Markus Neis |
|
|
Windows: Audio Capture via PowerShell |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
|
|
Windows: PowerShell Base64 Encoded Shellcode |
Florian Roth |
|
|
Windows: Suspicious Bitsadmin Job via PowerShell |
Endgame, JHasenbusch (ported to sigma for oscd.community) |
|
|
Windows: Suspicious PowerShell Execution via DLL |
Markus Neis |
|
|
Windows: PowerShell Downgrade Attack |
Harish Segar (rule) |
|
|
Windows: Download via PowerShell URL |
Florian Roth |
|
|
Windows: FromBase64String Command Line |
Florian Roth |
|
|
Windows: Suspicious PowerShell Parameter Substring |
Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) |
|
|
Windows: Suspicious XOR Encoded PowerShell Command Line |
Sami Ruohonen, Harish Segar (improvement) |
|
|
Windows: Default PowerSploit and Empire Schtasks Persistence |
Markus Neis, @Karneades |
|
|
Windows: Windows Important Process Started From Suspicious Parent Directories |
vburov |
|
|
Windows: Bitsadmin Download |
Michael Haag |
|
|
Windows: Process Dump via Rundll32 and Comsvcs dll |
Florian Roth |
|
|
Windows: PsExec Service Start |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_psexesvc_start.yml |
|
Windows: Query Registry |
Timur Zinniatullin, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_query_registry.yml |
|
Windows: MSTSC Shadowing |
Florian Roth |
|
|
Windows: RedMimicry Winnti Playbook Execute |
Alexander Rausch |
|
|
Windows: Remote PowerShell Session for creating process |
Roberto Rodriguez @Cyb3rWard0g |
|
|
Windows: System Time Discovery |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
|
|
Windows: Renamed Binary |
Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml |
|
Windows: Highly Relevant Renamed Binary |
Matthew Green - @mgreen27, Florian Roth |
|
|
Windows: Renamed jusched exe |
Markus Neis, Swisscom |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_jusched.yml |
|
Windows: Execution of Renamed PaExec |
Jason Lynch |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_paexec.yml |
|
Windows: Renamed PowerShell |
Florian Roth |
|
|
Windows: Renamed ProcDump |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_procdump.yml |
|
Windows: Renamed PsExec |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_psexec.yml |
|
Windows: Run PowerShell Script from ADS |
Sergey Soldatov, Kaspersky Lab, oscd.community |
|
|
Windows: Possible Shim Database Persistence via sdbinst exe |
Markus Neis |
|
|
Windows: Manual Service Execution |
Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Stop Windows Service |
Jakob Weinzettl, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_service_stop.yml |
|
Windows: Shadow Copies Access via Symlink |
Teymur Kheirkhabarov, oscd.community |
|
|
Windows: Shadow Copies Creation Using Operating Systems Utilities |
Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Shadow Copies Deletion Using Operating Systems Utilities |
Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Windows Shell Spawning Suspicious Program |
Florian Roth |
|
|
Windows: SILENTTRINITY Stager Execution |
Aleksey Potapov, oscd.community |
|
|
Windows: Audio Capture via SoundRecorder |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
|
|
Windows: Possible SPN Enumeration |
Markus Neis, keepwatch |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_spn_enum.yml |
|
Windows: Possible Ransomware or Unauthorized MBR Modifications |
@neu5ron |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_bcdedit.yml |
|
Windows: Application Allowlisting Bypass via Bginfo |
Beyu Denis, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_bginfo.yml |
|
Windows: Suspicious Calculator Usage |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_calc.yml |
|
Windows: Possible App Allowlisting Bypass via WinDbg CDB as a Shell code Runner |
Beyu Denis, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_cdb.yml |
|
Windows: Suspicious Certutil Command |
Florian Roth, juju4, keepwatch |
|
|
Windows: Certutil Encode |
Florian Roth |
|
|
Windows: Suspicious Commandline Escape |
juju4 |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_cli_escape.yml |
|
Windows: Command Line Execution with Suspicious URL and AppData Strings |
Florian Roth |
|
|
Windows: Suspicious Code Page Switch |
Florian Roth |
|
|
Windows: Reconnaissance Activity with Net Command |
Florian Roth, Markus Neis |
|
|
Windows: Suspicious Compression Tool Parameters |
Florian Roth, Samir Bousseaden |
|
|
Windows: Process Dump via Comsvcs DLL |
Modexp (idea) |
|
|
Windows: Copy from Admin Share |
Florian Roth |
|
|
Windows: Suspicious Copy From or To System32 |
Florian Roth, Markus Neis |
|
|
Windows: Covenant Launcher Indicators |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_covenant.yml |
|
Windows: CrackMapExec Command Execution |
Thomas Patzke |
|
|
Windows: CrackMapExec PowerShell Obfuscation |
Thomas Patzke |
|
|
Windows: Suspicious Parent of Csc.exe |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_csc.yml |
|
Windows: Suspicious Csc.exe Source File Folder |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_csc_folder.yml |
|
Windows: Suspicious Curl Usage on Windows |
Florian Roth |
|
|
Windows: Suspicious Curl File Upload |
Florian Roth |
|
|
Windows: Curl Start Combination |
Sreeman |
|
|
Windows: ZOHO Dctask64 Process Injection |
Florian Roth |
|
|
Windows: Suspicious Desktopimgdownldr Command |
Florian Roth |
|
|
Windows: Devtoolslauncher.exe Executing Specified Binary |
Beyu Denis, oscd.community (rule), @_felamos (idea) |
|
|
Windows: Direct Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Disabled IE Security Features |
Florian Roth |
|
|
Windows: DIT Snapshot Viewer Use |
Furkan Caliskan (@caliskanfurkan_) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_ditsnap.yml |
|
Windows: Application Allowlisting Bypass via Dnx.exe |
Beyu Denis, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_dnx.yml |
|
Windows: Suspicious Double File Extension |
Florian Roth (rule), @blu3_team (idea) |
|
|
Windows: Application Allowlisting Bypass via Dxcap.exe |
Beyu Denis, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_dxcap.yml |
|
Windows: Suspicious Eventlog Clear or Configuration Using Wevtutil or Powershell or Wmic |
Ecco, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Executables Started in Suspicious Folder |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_exec_folder.yml |
|
Windows: Execution in Non-Executable Folder |
Florian Roth |
|
|
Windows: Execution in Webserver Root Folder |
Florian Roth |
|
|
Windows: Explorer Root Flag Process Tree Break |
Florian Roth |
|
|
Windows: Suspicious File Characteristics Due to Missing Fields |
Markus Neis, Sander Wiebing |
|
|
Windows: Findstr Launching lnk File |
Trent Liffick |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_findstr_lnk.yml |
|
Windows: Firewall Disabled via Netsh |
Fatih Sirin |
|
|
Windows: Fsutil Suspicious Invocation |
Ecco, E.M. Anhaus, oscd.community |
|
|
Windows: Suspicious GUP.exe Usage |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_gup.yml |
|
Windows: IIS Native-Code Module Command Line Installation |
Florian Roth |
|
|
Windows: Windows Defender Download Activity |
Matthew Matchen |
|
|
Windows: Suspicious MsiExec Directory |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_msiexec_cwd.yml |
|
Windows: MsiExec Web Install |
Florian Roth |
|
|
Windows: Malicious Payload Download via Office Binaries |
Beyu Denis, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_msoffice.yml |
|
Windows: Net.exe Execution For Discovery |
Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) |
|
|
Windows: Suspicious Netsh.DLL Persistence |
Victor Sergeev, oscd.community |
|
|
Windows: Invocation of Active Directory Diagnostic Tool ntdsutil exe |
Thomas Patzke |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml |
|
Windows: Application Allowlisting Bypass via DLL Loaded by odbcconf exe |
Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_odbcconf.yml |
|
Windows: OpenWith.exe Executing Specified Binary |
Beyu Denis, oscd.community (rule), @harr0ey (idea) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_openwith.yml |
|
Windows: Suspicious Execution from Outlook |
Markus Neis |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_outlook.yml |
|
Windows: Execution in Outlook Temp Folder |
Florian Roth |
|
|
Windows: Ping Hex IP |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_ping_hex_ip.yml |
|
Windows: Empire PowerShell Launch Parameters |
Florian Roth |
|
|
Windows: Empire PowerShell UAC Bypass |
Ecco |
|
|
Windows: Suspicious Encoded PowerShell Command Line |
Florian Roth, Markus Neis |
|
|
Windows: PowerShell Encoded Character Syntax |
Florian Roth |
|
|
Windows: Malicious Base64 Encoded PowerShell Keywords in Command Lines |
John Lambert (rule) |
|
|
Windows: Suspicious PowerShell Invocation Based on Parent Process |
Florian Roth |
|
|
Windows: Suspicious PowerShell Parent Process |
Teymur Kheirkhabarov, Harish Segar (rule) |
|
|
Windows: Suspicious Use of Procdump |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_procdump.yml |
|
Windows: Programs starting from Suspicious Location |
Florian Roth |
|
|
Windows: PowerShell Script Run in AppData |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_ps_appdata.yml |
|
Windows: PowerShell DownloadFile |
Florian Roth |
|
|
Windows: Psr.exe Capture Screenshots |
Beyu Denis, oscd.community |
|
|
Windows: Rar with Password or Compression Level |
@ROxPinTeddy |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_rar_flags.yml |
|
Windows: Suspicious RASdial Activity |
juju4 |
|
|
Windows: Suspicious Reconnaissance Activity via net group or localgroup |
Florian Roth, omkar72 |
|
|
Windows: Suspicious Regsvr32 Usage |
Florian Roth |
|
|
Windows: Regsvr32 Flags Anomaly |
Florian Roth |
|
|
Windows: Renamed ZOHO Dctask64 |
Florian Roth |
|
|
Windows: Renamed SysInternals Debug View |
Florian Roth |
|
|
Windows: Suspicious Process Start Locations |
juju4 |
|
|
Windows: Suspicious Arguments in Rundll32 Usage |
juju4 |
|
|
Windows: Suspicious DLL Call by Ordinal |
Florian Roth |
|
|
Windows: Scheduled Task Creation |
Florian Roth |
|
|
Windows: WSF JSE JS VBA VBE File Execution |
Michael Haag |
|
|
Windows: Suspicious Service Path Modification |
Victor Sergeev, oscd.community |
|
|
Windows: Squirrel Lolbin |
Karneades / Markus Neis |
|
|
Windows: Suspicious Svchost Process |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml |
|
Windows: Suspect Svchost Activity |
David Burkett |
|
|
Windows: Sysprep on AppData Folder |
Florian Roth |
|
|
Windows: Suspicious SYSVOL Domain Group Policy Access |
Markus Neis |
|
|
Windows: Taskmgr Created By Local SYSTEM Account |
Florian Roth |
|
|
Windows: Process Launch from Taskmgr |
Florian Roth |
|
|
Windows: Suspicious tscon.exe Created By Local SYSTEM Account |
Florian Roth |
|
|
Windows: Suspicious RDP Redirect Using tscon.exe |
Florian Roth |
|
|
Windows: Suspicious Use of CSharp Interactive Console |
Michael R. (@nahamike01) |
|
|
Windows: Suspicious Userinit Child Process |
Florian Roth (rule), Samir Bousseaden (idea) |
|
|
Windows: Whoami Execution |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_whoami.yml |
|
Windows: Suspicious WMI Execution |
Michael Haag, Florian Roth, juju4 |
|
|
Windows: Sysmon Driver Unload |
Kirill Kiryanov, oscd.community |
|
|
Windows: System File Execution Location Anomaly |
Florian Roth, Patrick Bareiss |
|
|
Windows: Tap Installer Execution |
Daniil Yugoslavskiy, Ian Davis, oscd.community |
|
|
Windows: Tasks Folder Evasion |
Sreeman |
|
|
Windows: Terminal Service Process Spawn |
Florian Roth |
|
|
Windows: Domain Trust Discovery |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72 |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml ; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml |
|
Windows: Bypass UAC via CMSTP |
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_uac_cmstp.yml |
|
Windows: Bypass UAC via Fodhelper.exe |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_uac_fodhelper.yml |
|
Windows: Bypass UAC via WSReset exe |
E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_uac_wsreset.yml |
|
Windows: Possible Privilege Escalation via Weak Service Permissions |
Teymur Kheirkhabarov |
|
|
Windows: Java Running with Remote Debugging |
Florian Roth |
|
|
Windows: Webshell Detection With Command Line Keywords |
Florian Roth |
|
|
Windows: Webshell Recon Detection Via CommandLine Processes |
Cian Heasley |
|
|
Windows: Shells Spawned by Web Servers |
Thomas Patzke |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_webshell_spawn.yml |
|
Windows: Run Whoami as SYSTEM |
Teymur Kheirkhabarov |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_whoami_as_system.yml |
|
Windows: Windows 10 Scheduled Task SandboxEscaper 0-day |
Olaf Hartong |
|
|
Windows: WMI Backdoor Exchange Transport Agent |
Florian Roth |
|
|
Windows: WMI Persistence - Script Event Consumer |
Thomas Patzke |
|
|
Windows: WMI Spawning Windows PowerShell |
Markus Neis / @Karneades |
|
|
Windows: Wmiprvse Spawning Process |
Roberto Rodriguez @Cyb3rWard0g |
|
|
Windows: Microsoft Workflow Compiler |
Nik Seetharaman |
|
|
Windows: Wsreset UAC Bypass |
Florian Roth |
|
|
Windows: XSL Script Processing |
Timur Zinniatullin, oscd.community |
|
|
Windows: Leviathan Registry Key Activity |
Aidan Bracher |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_apt_leviathan.yml |
|
Windows: OceanLotus Registry Activity |
megan201296 |
|
|
Windows: Pandemic Registry Key |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_apt_pandemic.yml |
|
Windows: Autorun Keys Modification |
Victor Sergeev, Daniil Yugoslavskiy, oscd.community |
|
|
Windows: Suspicious New Printer Ports in Registry CVE-2020-1048 |
EagleEye Team, Florian Roth, NVISO |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_cve-2020-1048.yml |
|
Windows: DHCP Callout DLL Installation |
Dimitrios Slamaris |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml |
|
Windows: Disable Security Events Logging Adding Reg Key MiniNt |
Ilyas Ochkov, oscd.community |
|
|
Windows: DNS ServerLevelPluginDll Install |
Florian Roth |
|
|
Windows: COMPlus-ETWEnabled Registry Modification |
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_etw_modification.yml ; https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_etw_disabled.yml |
|
Windows: Windows Credential Editor Install Via Registry |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_hack_wce_reg.yml |
|
Windows: Logon Scripts UserInitMprLogonScript Registry |
Tom Ueltschi (@c_APT_ure) |
|
|
Windows: Narrator s Feedback-Hub Persistence |
Dmitriy Lifanov, oscd.community |
|
|
Windows: New DLL Added to AppCertDlls Registry Key |
Ilyas Ochkov, oscd.community |
|
|
Windows: New DLL Added to AppInit-DLLs Registry Key |
Ilyas Ochkov, oscd.community |
|
|
Windows: Possible Privilege Escalation via Service Permissions Weakness |
Teymur Kheirkhabarov |
|
|
Windows: RDP Registry Modification |
Roberto Rodriguez @Cyb3rWard0g |
|
|
Windows: RDP Sensitive Settings Changed |
Samir Bousseaden |
|
|
Windows: RedMimicry Winnti Playbook Registry Manipulation |
Alexander Rausch |
|
|
Windows: Office Security Settings Changed |
Trent Liffick (@tliffick) |
|
|
Windows: Windows Registry Persistence COM Key Linking |
Kutepov Anton, oscd.community |
|
|
Windows: Windows Registry Persistence COM Search Order Hijacking |
Maxime Thiebaut (@0xThiebaut) |
|
|
Windows: Windows Registry Trust Record Modification |
Antonlovesdnb |
|
|
Windows: Security Support Provider SSP Added to LSA Configuration |
iwillkeepwatch |
|
|
Windows: Sticky Key Like Backdoor Usage |
Florian Roth, @twjackomo |
|
|
Windows: Suspicious RUN Key from Download |
Florian Roth |
|
|
Windows: DLL Load via LSASS |
Florian Roth |
|
|
Windows: Suspicious Camera and Microphone Access |
Den Iuzvyk |
|
|
Windows: Registry Persistence via Explorer Run Key |
Florian Roth |
|
|
Windows: New RUN Key Pointing to Suspicious Folder |
Florian Roth, Markus Neis, Sander Wiebing |
|
|
Windows: Suspicious Service Installed |
xknow (@xknow_infosec), xorxes (@xor_xes) |
|
|
Windows: Suspicious Keyboard Layout Load |
Florian Roth |
|
|
Windows: Usage of Sysinternals Tools |
Markus Neis |
|
|
Windows: UAC Bypass via Event Viewer |
Florian Roth |
|
|
Windows: UAC Bypass via Sdclt |
Omer Yampel |
|
|
Windows: Registry Persistence Mechanisms |
Karneades |
|
|
Windows: Azure Browser SSO Abuse |
Den Iuzvyk |
|
|
Windows: Executable in ADS |
Florian Roth, @0xrawsec |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
|
Windows: Alternate PowerShell Hosts Pipe |
Roberto Rodriguez @Cyb3rWard0g |
|
|
Windows: Turla Group Named Pipes |
Markus Neis |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
|
Windows: CactusTorch Remote Thread Creation |
@SBousseaden (detection), Thomas Patzke (rule) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
|
Windows: CMSTP Execution |
Nik Seetharaman |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry_event/sysmon_cmstp_execution.yml |
|
Windows: CobaltStrike Process Injection |
Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
|
|
Windows: CreateRemoteThread API and LoadLibrary |
Roberto Rodriguez @Cyb3rWard0g |
|
|
Windows: Cred Dump Tools Via Named Pipes |
Teymur Kheirkhabarov, oscd.community |
|
|
Windows: Malicious Named Pipe |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
|
Windows: Password Dumper Remote Thread in LSASS |
Thomas Patzke |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
|
Windows: Possible DNS Rebinding |
Ilyas Ochkov, oscd.community |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml |
|
Windows: Raw Disk Access Using Illegitimate Tools |
Teymur Kheirkhabarov, oscd.community |
|
|
Windows: PowerShell Rundll32 Remote Thread Creation |
Florian Roth |
|
|
Windows: Suspicious Remote Thread Created |
Perez Diego (@darkquassar), oscd.community |
|
|
Windows: WMI Event Subscription |
Tom Ueltschi (@c_APT_ure) |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
|
Windows: Suspicious Scripting in a WMI Consumer |
Florian Roth |
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |