Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation
load malicious registered COM objects
Hides the file extension through modification of the registry
The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the Registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.
Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Detects Chrome VPN extensions being installed via the Registry (two VPN extensions)
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Detects changes to Outlook email security settings
Detection of sc.exe utility adding a new service with special permission which hides that service.
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
Detects shell spawn from Java host process, which could be a maintenance task or some kind of exploitation (e.g. log4j exploitation)
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a webhook such as the MutatingAdmissionWebhook to obtain persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials: the webhook can intercept requests to the API server and record secrets and other sensitive information.
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a webhook such as the MutatingAdmissionWebhook to obtain persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use the ValidatingAdmissionWebhook to obtain access credentials: the webhook can intercept requests to the API server and record secrets and other sensitive information.
Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.
Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.
Detects persistence registry keys for Recycle Bin
Detects the creation of tasks from processes executed from suspicious locations
Detects creation of cron files or files in Cron directories. Potential persistence.
Detects suspicious sub processes of web server processes
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
User Added to an Administrator’s Azure AD Role
Detects Chafer activity attributed to OilRig as reported in the Nyotron report in March 2018
Detects an attempt at deactivating or resetting MFA.
Detects when an API token is created
Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
Detects when a Google Workspace user is granted admin privileges.
Detects when an API access service account is granted domain authority.
Detects a write of an Exchange CSR to an untypical directory or with an aspx name suffix, which can be used to place a webshell
PowerUp tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
Detects file transfers from a system to a server using the BitsTransfer PowerShell cmdlets
Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
Detects when an ElastiCache security group has been created.
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
Detects when a request has been made to transfer a Route 53 domain to another AWS account.
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Detects access to SUPERNOVA webshell as described in the GuidePoint report
Detects suspicious shell spawn from MSSQL process, which might be a sign of RCE or SQL injection
An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console on any user that already has a login profile set up. This alert detects anyone changing the password on behalf of other users.
Detects potential malicious modification of run keys by winekey or team9 backdoor
Detects the addition of the Office test registry key that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
Detects suspicious change of file privileges with chown and chmod commands
Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
Detects potential COM object hijacking leveraging the COM Search Order
Detects creation of a local user via PowerShell
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.
Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Detects Ryuk ransomware activity
Modifications to a config that will serve an adversary’s impacts or persistence
Find local accounts being created or modified as well as remote authentication configurations
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
Detect download by BITS jobs via PowerShell
Identifies creation of local users via the net.exe command.
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Detects COM object hijacking via TreatAs subkey
Detects abuse of the Windows 10 Narrator's Feedback-Hub
Detects service path modification to PowerShell or cmd.
Detects a change in profile.ps1 of the Powershell profile
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Detects a reload or a start of a service.
Detects possible command execution by web application/web shell
Detects a method to load DLL via LSASS process using an undocumented Registry key
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Detects the malicious use of a control panel item
Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma use case on your Windows server logs and not on your DC logs.
Detects WMI script event consumers
Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack
Detects the creation of scheduled tasks in user session
Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
Detects suspicious IIS native-code module installations via command line
Detects a suspicious program execution in a web service root folder (filter out false positives)
Detects creation of WMI event subscription persistence method
Detects creation or execution of UserInitMprLogonScript persistence method
This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
Detects access to a webshell dropped into a keystore folder on the WebLogic server
Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Detects the deactivation and disabling of the scheduled defragmentation task as seen by the Slingshot APT group
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
Detects shellshock expressions in log files
This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
An attacker can use the SID history attribute to gain additional privileges.
Detects a driver load from a temporary directory
Detects webshells that use GET requests by keyword searches in URL strings
Detects suspicious failed logins with different user accounts from a single source system
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
Detects file writes of WMI script event consumer
Detects WMI command line event consumers
Detect DLL deletions from Spooler Service driver folder
Detect DLL Load from Spooler Service backup folder
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
Attempts to load dismcore.dll after dropping it
Detects a creation of systemd services which could be used by adversaries to execute malicious code.
Detects WMIC executions in which an event consumer gets created in order to establish persistence
Detects suspicious inline VBScript keywords as used by UNC2452
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model
Detects suspicious shell spawn from WinRM host process
Detects suspicious DACL modifications that can be used to hide services or make them unstoppable
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
Detects new commands that add a new printer port which points to a suspicious file
Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
Detects suspicious encoded payloads in WMI Event Consumers
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
This method detects a service install of the malicious "Microsoft Network Realtime Inspection Service" service described in the StoneDrill report by Kaspersky
Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
Detects the modification of a ServiceDLL value in the service settings
Detects the use of at/atd
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
Detects remote service activity via remote access to the svcctl named pipe
Detects persistence method using windows telemetry
Detects a suspicious reg.exe command line adding a key to the RUN key in the Registry
Detects backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the PowerView Add-DomainObjectAcl DCSync Extended Right cmdlet, which allows re-obtaining the password hashes of any user/computer
Detects possibly malicious, unauthorized usage of bcdedit.exe
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Detects the manipulation of persistent URLs which can be malicious
Detects the manipulation of persistent URLs which could execute malicious code
Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
Detects value modification of registry key containing path to binary used as screensaver.
Detects the creation of new Outlook form which can contain malicious code
Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events (Registry and File Creation) happen at the same time.
Monitor the creation of a new key under ‘TaskCache’ when a new scheduled task is registered
Alert for the addition of a new federated domain.
Detects the installation of an Exchange Transport Agent
Detects the use of Moriya rootkit as described in the securelist’s Operation TunnelSnake report
Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or elevate privileges.
Detects registry key used by Leviathan APT in Malaysian focused campaign
Rule to detect the Hybrid Connection Manager service running on an endpoint.
Rule to detect the Hybrid Connection Manager service installation.
Detects the creation of a local hidden user account which should not happen for event ID 4720.
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Detects a failed installation of an Exchange Transport Agent
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
Detects a scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Detection for when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
Detects access to DEWMODE webshell as described in the FireEye report
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
Sysmon registry detection of a local hidden user account.
Detects the ld.so preload persistence file. See man ld.so for more information.
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
Detects usage of bitsadmin downloading a file
Detects creation/modification of Assistive Technology applications and persistence with usage of ATs
Addition of domains is seldom and should be verified for legitimacy.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.