This section displays SIGMA rules belonging to category Sysmon. It updates itself automatically when new commits are available in quasarops.
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |
| Title | Executable in ADS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ads_executable.yml |
| author | Florian Roth, @0xrawsec |
| status | experimental |
| date | 2018/06/03 |
| description | Detects the creation of an ADS data stream that contains an executable (non-empty imphash) |
| tags | attack.defense_evasion attack.t1027 attack.s0139 |
| Title | OceanLotus Registry Activity |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_oceanlotus_registry.yml |
| author | megan201296 |
| status | experimental |
| date | 2019/04/14 |
| description | Detects registry keys created in OceanLotus (also known as APT32) attacks |
| tags | attack.t1112 |
| Title | Pandemic Registry Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_pandemic.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/06/01 |
| description | Detects Pandemic Windows Implant |
| tags | attack.lateral_movement attack.t1105 |
| Title | Turla Group Named Pipes |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/11/06 |
| description | Detects a named pipe used by Turla group samples |
| tags | attack.g0010 |
| Title | CACTUSTORCH Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cactustorch.yml |
| author | @SBousseaden (detection), Thomas Patzke (rule) |
| status | experimental |
| date | 2019/02/01 |
| description | Detects remote thread creation from CACTUSTORCH as described in references. |
| tags | attack.execution attack.t1055 attack.t1064 |
| Title | CMSTP Execution |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cmstp_execution.yml |
| author | Nik Seetharaman |
| status | stable |
| date | 2018/07/16 |
| description | Detects various indicators of Microsoft Connection Manager Profile Installer execution |
| tags | attack.defense_evasion attack.execution attack.t1191 attack.g0069 car.2019-04-001 |
| Title | CobaltStrike Process Injection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml |
| author | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community |
| status | experimental |
| date | 2018/11/30 |
| description | Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons |
| tags | attack.defense_evasion attack.t1055 |
| Title | DHCP Callout DLL Installation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dhcp_calloutdll.yml |
| author | Dimitrios Slamaris |
| status | experimental |
| date | 2017/05/15 |
| description | Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) |
| tags | attack.defense_evasion attack.t1073 attack.t1112 |
| Title | DNS ServerLevelPluginDll Install |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/05/08 |
| description | Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) |
| tags | attack.defense_evasion attack.t1073 |
| Title | Detection of SafetyKatz |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/07/24 |
| description | Detects possible SafetyKatz Behaviour |
| tags | attack.credential_access attack.t1003 |
| Title | Dumpert Process Dumper |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_dumpert.yml |
| author | Florian Roth |
| status | |
| date | 2020/02/04 |
| description | Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
| tags | attack.credential_access attack.t1003 |
| Title | Windows Credential Editor |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_hack_wce.yml |
| author | Florian Roth |
| status | |
| date | 2019/12/31 |
| description | Detects the use of Windows Credential Editor (WCE) |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Suspect Svchost Memory Asccess |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_invoke_phantom.yml |
| author | Tim Burrell |
| status | experimental |
| date | 2020/01/02 |
| description | Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. |
| tags | attack.t1089 attack.defense_evasion |
| Title | Logon Scripts (UserInitMprLogonScript) |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_logon_scripts_userinitmprlogonscript.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation or execution of UserInitMprLogonScript persistence method |
| tags | attack.t1037 attack.persistence attack.lateral_movement |
| Title | LSASS Memory Dump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_lsass_memdump.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/04/03 |
| description | Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10 |
| tags | attack.t1003 attack.s0002 attack.credential_access |
| Title | Malicious Named Pipe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mal_namedpipes.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/06 |
| description | Detects the creation of a named pipe used by known APT malware |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Suspicious Typical Malware Back Connect Ports |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_backconnect_ports.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases |
| tags | attack.command_and_control attack.t1043 |
| Title | Malware Shellcode in Verclsid Target Process |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_malware_verclsid_shellcode.yml |
| author | John Lambert (tech), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/04 |
| description | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1055 |
| Title | Mimikatz Detection LSASS Access |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml |
| author | Sherif Eldeeb |
| status | experimental |
| date | 2017/10/18 |
| description | Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
| tags | attack.t1003 attack.s0002 attack.credential_access car.2019-04-004 |
| Title | Mimikatz In-Memory |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_inmemory_detection.yml |
| author | |
| status | experimental |
| date | 2017/03/13 |
| description | Detects certain DLL loads when Mimikatz gets executed |
| tags | attack.s0002 attack.t1003 attack.lateral_movement attack.credential_access car.2019-04-004 |
| Title | Mimikatz through Windows Remote Management |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_mimikatz_trough_winrm.yml |
| author | Patryk Prauze - ING Tech |
| status | stable |
| date | 2019/05/20 |
| description | Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. |
| tags | attack.credential_access attack.execution attack.t1003 attack.t1028 attack.s0005 |
| Title | Password Dumper Remote Thread in LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_password_dumper_lsass.yml |
| author | Thomas Patzke |
| status | stable |
| date | 2017/02/19 |
| description | Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. |
| tags | attack.credential_access attack.t1003 attack.s0005 |
| Title | Malicious PowerShell Commandlet Names |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_exploit_scripts.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/04/07 |
| description | Detects the creation of known powershell scripts for exploitation |
| tags | attack.execution attack.t1086 |
| Title | PowerShell Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_powershell_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/13 |
| description | Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range') |
| tags | attack.execution attack.t1086 |
| Title | QuarksPwDump Dump File |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_quarkspw_filedump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/02/10 |
| description | Detects a dump file written by QuarksPwDump password dumper |
| tags | attack.credential_access attack.t1003 |
| Title | RDP Over Reverse SSH Tunnel |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_reverse_tunnel.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/16 |
| description | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
| tags | attack.defense_evasion attack.command_and_control attack.t1076 car.2013-07-002 |
| Title | RDP Sensitive Settings Changed |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rdp_settings_hijack.yml |
| author | Samir Bousseaden |
| status | |
| date | 2019/04/03 |
| description | Detects changes to RDP terminal service sensitive settings |
| tags | attack.defense_evasion |
| Title | Windows Registry Persistence COM Key Linking |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_registry_persistence_key_linking.yml |
| author | Kutepov Anton, oscd.community |
| status | experimental |
| date | 2019/10/23 |
| description | Detects COM object hijacking via TreatAs subkey |
| tags | attack.persistence attack.t1122 |
| Title | Renamed jusched.exe |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_jusched.yml |
| author | Markus Neis, Swisscom |
| status | experimental |
| date | 2019/06/04 |
| description | Detects renamed jusched.exe used by cobalt group |
| tags | attack.t1036 attack.execution |
| Title | Renamed PowerShell |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_powershell.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/08/22 |
| description | Detects the execution of a renamed PowerShell often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Renamed ProcDump |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_procdump.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/11/18 |
| description | Detects the execution of a renamed ProcDump executable often used by attackers or malware |
| tags | attack.defense_evasion attack.t1036 |
| Title | Renamed PsExec |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_renamed_psexec.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/05/21 |
| description | Detects the execution of a renamed PsExec often used by attackers or malware |
| tags | car.2013-05-009 |
| Title | Rundll32 Internet Connection |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_rundll32_net_connections.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/11/04 |
| description | Detects a rundll32 that communicates with public IP addresses |
| tags | attack.t1085 attack.defense_evasion attack.execution |
| Title | Security Support Provider (SSP) Added to LSA Configuration |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_ssp_added_lsa_config.yml |
| author | iwillkeepwatch |
| status | experimental |
| date | 2019/01/18 |
| description | Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. |
| tags | attack.persistence attack.t1011 |
| Title | Sticky Key Like Backdoor Usage |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_stickykey_like_backdoor.yml |
| author | Florian Roth, @twjackomo |
| status | |
| date | 2018/03/15 |
| description | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
| tags | attack.privilege_escalation attack.persistence attack.t1015 car.2014-11-003 car.2014-11-008 |
| Title | Suspicious RUN Key from Download |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_download_run_key.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/01 |
| description | Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories |
| tags | attack.persistence attack.t1060 |
| Title | Suspicious Driver Load from Temp |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_driver_load.yml |
| author | Florian Roth |
| status | |
| date | 2017/02/12 |
| description | Detects a driver load from a temporary directory |
| tags | attack.persistence attack.t1050 |
| Title | Suspicious File Characteristics Due to Missing Fields |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_file_characteristics.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/11/22 |
| description | Detects Executables without FileVersion,Description,Product,Company likely created with py2exe |
| tags | attack.defense_evasion attack.execution attack.t1064 |
| Title | Possible Process Hollowing Image Loading |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_image_load.yml |
| author | Markus Neis |
| status | experimental |
| date | 2018/01/07 |
| description | Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz |
| tags | attack.defense_evasion attack.t1073 |
| Title | DLL Load via LSASS |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_lsass_dll_load.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/10/16 |
| description | Detects a method to load DLL via LSASS process using an undocumented Registry key |
| tags | attack.execution attack.t1177 |
| Title | PowerShell Rundll32 Remote Thread Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/06/25 |
| description | Detects PowerShell remote thread creation in Rundll32.exe |
| tags | attack.defense_evasion attack.execution attack.t1085 attack.t1086 |
| Title | Suspicious Program Location with Network Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_prog_location_network_connection.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects programs with network connections running in suspicious files system locations |
| tags |
| Title | Suspicious Outbound RDP Connections |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_rdp.yml |
| author | Markus Neis - Swisscom |
| status | experimental |
| date | 2019/05/15 |
| description | Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement |
| tags | attack.lateral_movement attack.t1210 car.2013-07-002 |
| Title | Registry Persistence via Explorer Run Key |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_reg_persist_explorer_run.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/07/18 |
| description | Detects a possible persistence mechanism using RUN key for Windows Explorer and poiting to a suspicious folder |
| tags | attack.persistence attack.t1060 capec.270 |
| Title | New RUN Key Pointing to Suspicious Folder |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_run_key_img_folder.yml |
| author | Florian Roth, Markus Neis |
| status | experimental |
| date | 2018/25/08 |
| description | Detects suspicious new RUN key element pointing to an executable in a suspicious folder |
| tags | attack.persistence attack.t1060 |
| Title | Windows Mangement Instrumentation DLL Loaded Via Microsoft Word |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml |
| author | Michael R. (@nahamike01) |
| status | experimental |
| date | 2019/12/26 |
| description | Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands |
| tags | attack.execution attack.t1047 |
| Title | Suspicious Keyboard Layout Load |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml |
| author | Florian Roth |
| status | |
| date | 2019/10/12 |
| description | Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only |
| tags |
| Title | Svchost DLL Search Order Hijack |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_svchost_dll_search_order_hijack.yml |
| author | SBousseaden |
| status | experimental |
| date | 2019/10/28 |
| description | IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. |
| tags | attack.persistence attack.defense_evasion attack.t1073 attack.t1038 attack.t1112 |
| Title | Usage of Sysinternals Tools |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_sysinternals_eula_accepted.yml |
| author | Markus Neis |
| status | experimental |
| date | 2017/08/28 |
| description | Detects the usage of Sysinternals Tools due to accepteula key being added to Registry |
| tags |
| Title | Hijack Legit RDP Session to Move Laterally |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_tsclient_filewrite_startup.yml |
| author | Samir Bousseaden |
| status | experimental |
| date | 2019/02/21 |
| description | Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
| tags |
| Title | UAC Bypass via Event Viewer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/19 |
| description | Detects UAC bypass method using Windows event viewer |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | UAC Bypass via Sdclt |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_sdclt.yml |
| author | Omer Yampel |
| status | experimental |
| date | 2017/03/17 |
| description | Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand |
| tags | attack.defense_evasion attack.privilege_escalation attack.t1088 car.2019-04-001 |
| Title | Windows Webshell Creation |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_webshell_creation_detect.yml |
| author | Beyu Denis, oscd.community |
| status | experimental |
| date | 2019/10/22 |
| description | Posible webshell file creation on a static web site |
| tags | attack.persistence attack.t1100 |
| Title | Microsoft Binary Github Communication |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_github_com.yml |
| author | Michael Haag (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/08/24 |
| description | Detects an executable in the Windows folder accessing github.com |
| tags | attack.lateral_movement attack.t1105 |
| Title | Microsoft Binary Suspicious Communication Endpoint |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_binary_susp_com.yml |
| author | Florian Roth |
| status | experimental |
| date | 2018/08/30 |
| description | Detects an executable in the Windows folder accessing suspicious domains |
| tags | attack.lateral_movement attack.t1105 |
| Title | Registry Persistence Mechanisms |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_win_reg_persistence.yml |
| author | Karneades |
| status | |
| date | 2018/04/11 |
| description | Detects persistence registry keys |
| tags | attack.privilege_escalation attack.persistence attack.defense_evasion attack.t1183 car.2013-01-002 |
| Title | WMI Event Subscription |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_event_subscription.yml |
| author | Tom Ueltschi (@c_APT_ure) |
| status | experimental |
| date | 2019/01/12 |
| description | Detects creation of WMI event subscription persistence method |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Command Line Event Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_commandline_event_consumer.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects WMI command line event consumers |
| tags | attack.t1084 attack.persistence |
| Title | WMI Persistence - Script Event Consumer File Write |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_persistence_script_event_consumer_write.yml |
| author | Thomas Patzke |
| status | experimental |
| date | 2018/03/07 |
| description | Detects file writes of WMI script event consumer |
| tags | attack.t1084 attack.persistence |
| Title | Suspicious Scripting in a WMI Consumer |
|---|---|
| rule_category | sysmon |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/04/15 |
| description | Detects suspicious scripting in WMI Event Consumers |
| tags | attack.t1086 attack.execution |