SystemNightmare Exploitation Script Execution
Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM
More details
Rule ID
process_creation_commandline_1
Query
{'selection': {'CommandLine|contains': ['printnightmare.gentilkiwi.com', ' /user:gentilguest ', 'Kiwi Legit Printer']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c01f7bd6-0c1d-47aa-9c61-187b91273a16
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1068
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/08/11 | critical |
Suspicious Reg Add Open Command
Threat actors performed dumping of the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key
More details
Rule ID
process_creation_commandline_2
Query
{'selection_1': {'CommandLine|contains|all': ['reg', 'add', 'hkcu\\software\\classes\\ms-settings\\shell\\open\\command', '/ve ', '/d']}, 'selection_2': {'CommandLine|contains|all': ['reg', 'add', 'hkcu\\software\\classes\\ms-settings\\shell\\open\\command', '/v', 'DelegateExecute']}, 'selection_3': {'CommandLine|contains|all': ['reg', 'delete', 'hkcu\\software\\classes\\ms-settings']}, 'condition': '1 of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,dd3ee8cc-f751-41c9-ba53-5a32ed47e563
Author: frack113
Tactics, Techniques, and Procedures
T1003, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/12/20 | medium |
CL_LoadAssembly.ps1 Proxy Execution
Detects the use of a Microsoft-signed script to execute commands and bypass AppLocker.
More details
Rule ID
process_creation_commandline_3
Query
{'selection': {'CommandLine|contains': ['\\CL_LoadAssembly.ps1', 'LoadAssemblyFromPath ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c57872c7-614f-4d7f-a40d-b78c8df2d30d
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1216
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/05/21 | medium |
Suspicious Characters in CommandLine
Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
More details
Rule ID
process_creation_commandline_4
Query
{'selection_spacing_modifiers': {'CommandLine|contains': ['ˣ', '˪', 'ˢ']}, 'selection_unicode_slashes': {'CommandLine|contains': ['∕', '⁄']}, 'selection_unicode_hyphens': {'CommandLine|contains': ['―', '—']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2c0d2d7b-30d6-4d14-9751-7b9113042ab9
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/04/27 | high |
Firewall Disabled via Netsh.EXE
Detects netsh commands that turn off the Windows firewall
More details
Rule ID
process_creation_commandline_5
Query
{'selection_img': [{'Image|endswith': '\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli_1': {'CommandLine|contains|all': ['firewall', 'set', 'opmode', 'disable']}, 'selection_cli_2': {'CommandLine|contains|all': ['advfirewall', 'set', 'state', 'off']}, 'condition': 'selection_img and 1 of selection_cli_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,57c4bf16-227f-4394-8ec7-1b745ee061c3
Author: Fatih Sirin
Tactics, Techniques, and Procedures
T1059.003, T1562.004
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2019/11/01 | medium |
Ke3chang Registry Key Modifications
Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
More details
Rule ID
process_creation_commandline_6
Query
{'selection1': {'CommandLine|contains': ['-Property DWORD -name DisableFirstRunCustomize -value 2 -Force', '-Property String -name Check_Associations -value', '-Property DWORD -name IEHarden -value 0 -Force']}, 'condition': 'selection1'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7b544661-69fc-419f-9a59-82ccc328f205
Author: Markus Neis, Swisscom
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/06/18 | critical |
Potential PowerShell Obfuscation Via WCHAR
Detects suspicious encoded character syntax often used for defense evasion
More details
Rule ID
process_creation_commandline_7
Query
{'selection': {'CommandLine|contains': '(WCHAR)0x'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e312efd0-35a1-407f-8439-b8d434b438a6
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/07/09 | high |
Conti Volume Shadow Listing
Detects a command used by Conti to find volume shadow backups
More details
Rule ID
process_creation_commandline_8
Query
{'selection': {'CommandLine|contains|all': ['vssadmin list shadows', 'log.txt']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7b30e0a7-c675-4b24-8a46-82fa67e2433d
Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1587.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/08/09 | high |
InfDefaultInstall.exe .inf Execution
Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
More details
Rule ID
process_creation_commandline_9
Query
{'selection': {'CommandLine|contains|all': ['InfDefaultInstall.exe ', '.inf']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ce7cf472-6fcc-490a-9481-3786840b5d9b
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1218
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/07/13 | medium |
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
More details
Rule ID
process_creation_commandline_10
Query
{'selection': {'CommandLine|contains|all': ['Import-Certificate', ' -FilePath ', 'Cert:\\LocalMachine\\Root'], 'CommandLine|contains': ['\\AppData\\Local\\Temp\\', ':\\Windows\\TEMP\\', '\\Desktop\\', '\\Downloads\\', '\\Perflogs\\', ':\\Users\\Public\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,5f6a601c-2ecb-498b-9c33-660362323afa
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1553.004
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/09 | high |
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects commands that add a new printer port pointing to a suspicious file
More details
Rule ID
process_creation_commandline_11
Query
{'selection1': {'CommandLine|contains': 'Add-PrinterPort -Name'}, 'selection2': {'CommandLine|contains': ['.exe', '.dll', '.bat']}, 'selection3': {'CommandLine|contains': 'Generic / Text Only'}, 'condition': '(selection1 and selection2) or selection3'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cc08d590-8b90-413a-aff6-31d1a99678d7
Author: EagleEye Team, Florian Roth
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/05/13 | high |
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
More details
Rule ID
process_creation_commandline_12
Query
{'selection1': {'CommandLine|contains': ['powershell.exe', '\\powershell', '\\pwsh', 'pwsh.exe']}, 'selection2': {'CommandLine|contains|all': ['/c ', '\\AppData\\'], 'CommandLine|contains': ['Local\\', 'Roaming\\']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ac175779-025a-4f12-98b0-acdaeb77ea85
Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2019/01/09 | medium |
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
More details
Rule ID
process_creation_commandline_13
Query
{'selection': {'CommandLine|contains': ':3389'}, 'selection_opt': {'CommandLine|contains': [' -L ', ' -P ', ' -R ', ' -pw ', ' -ssh ']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,8a3038e8-9c9d-46f8-b184-66234a160f6f
Author: Tim Rauch
Tactics, Techniques, and Procedures
T1021, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/27 | medium |
MSTSC Shadowing
Detects RDP session hijacking by using MSTSC shadowing
More details
Rule ID
process_creation_commandline_14
Query
{'selection': {'CommandLine|contains|all': ['noconsentprompt', 'shadow:']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6ba5a05f-b095-4f0a-8654-b825f4f16334
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1563.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/01/24 | high |
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
More details
Rule ID
process_creation_commandline_15
Query
{'selection_loop': {'CommandLine|contains': ['for ', 'foreach ']}, 'selection_tools': {'CommandLine|contains': ['nslookup', 'ping']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f8ad2e2c-40b6-4117-84d7-20b89896ab23
Author: frack113
Tactics, Techniques, and Procedures
T1018, T1059, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/03/12 | medium |
Obfuscated IP Download
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command
More details
Rule ID
process_creation_commandline_16
Query
{'selection_img': {'CommandLine|contains': ['Invoke-WebRequest', 'iwr ', 'wget ', 'curl ', 'DownloadFile', 'DownloadString']}, 'selection_ip': [{'CommandLine|contains': ['//0x', '.0x', '.00x']}, {'CommandLine|contains|all': ['http://%', '%2e']}], 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cb5a2333-56cf-4562-8fcb-22ba1bca728d
Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/03 | medium |
MSExchange Transport Agent Installation
Detects the installation of an Exchange Transport Agent
More details
Rule ID
process_creation_commandline_17
Query
{'selection': {'CommandLine|contains': 'Install-TransportAgent'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,83809e84-4475-4b69-bc3e-4aad8568612f
Author: Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1505.002
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/06/08 | medium |
Pubprn.vbs Proxy Execution
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
More details
Rule ID
process_creation_commandline_18
Query
{'selection': {'CommandLine|contains|all': ['\\pubprn.vbs', 'script:']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1fb76ab8-fa60-4b01-bddd-71e89bf555da
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1216.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/05/28 | medium |
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
More details
Rule ID
process_creation_commandline_19
Query
{'selection_remove': {'CommandLine|contains': 'Remove-MpPreference'}, 'selection_tamper': {'CommandLine|contains': ['-ControlledFolderAccessProtectedFolders ', '-AttackSurfaceReductionRules_Ids ', '-AttackSurfaceReductionRules_Actions ', '-CheckForSignaturesBeforeRunningScan ']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,07e3cb2c-0608-410d-be4b-1511cb1a0448
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/05 | high |
AnyDesk Silent Installation
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access.
More details
Rule ID
process_creation_commandline_20
Query
{'selection': {'CommandLine|contains|all': ['--install', '--start-with-win', '--silent']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,114e7f1c-f137-48c8-8f54-3088c24ce4b9
Author: Ján Trenčanský
Tactics, Techniques, and Procedures
T1059.003, T1219
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/08/06 | high |
Execution via CL_Invocation.ps1
Detects execution via SyncInvoke in the CL_Invocation.ps1 module
More details
Rule ID
process_creation_commandline_21
Query
{'selection': {'CommandLine|contains|all': ['CL_Invocation.ps1', 'SyncInvoke']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a0459f02-ac51-4c09-b511-b8c9203fc429
Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
Tactics, Techniques, and Procedures
T1059.003, T1216
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/14 | high |
Writing Of Malicious Files To The Fonts Folder
Monitors for possibly malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to write to or execute from.
More details
Rule ID
process_creation_commandline_24
Query
{'selection_1': {'CommandLine|contains': ['echo', 'copy', 'type', 'file createnew', 'cacls']}, 'selection_2': {'CommandLine|contains': 'C:\\Windows\\Fonts\\'}, 'selection_3': {'CommandLine|contains': ['.sh', '.exe', '.dll', '.bin', '.bat', '.cmd', '.js', '.msh', '.reg', '.scr', '.ps', '.vb', '.jar', '.pl', '.inf', '.cpl', '.hta', '.msi', '.vbs']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ae9b0bd7-8888-4606-b444-0ed7410cb728
Author: Sreeman
Tactics, Techniques, and Procedures
T1059, T1059.003, T1211
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/04/21 | medium |
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
More details
Rule ID
process_creation_commandline_25
Query
{'selection': {'CommandLine|contains|all': ['FromBase64String', 'MemoryStream', 'H4sI']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d75d6b6b-adb9-48f7-824b-ac2e786efe1f
Author: frack113
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/12/23 | medium |
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack
More details
Rule ID
process_creation_commandline_26
Query
{'selection_openasrundll': {'CommandLine|contains': 'ShellExec_RunDLL'}, 'selection_suspcli': {'CommandLine|contains': ['regsvr32', 'msiexec', '\\Users\\Public\\', 'odbcconf', '\\Desktop\\', '\\Temp\\', 'Invoke-', 'iex', 'comspec']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d87bd452-6da1-456e-8155-7dc988157b7d
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/01 | high |
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
More details
Rule ID
process_creation_commandline_27
Query
{'selection': {'CommandLine': ['net use \\\\%DomainController%\\C$ "P@ssw0rd" *', 'dir c:\\*.doc* /s', 'dir %TEMP%\\*.exe']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c601f20d-570a-4cde-a7d6-e17f99cb8e7f
Author: Markus Neis
Tactics, Techniques, and Procedures
T1021.002, T1059, T1059.003, T1083, T1135
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2017/11/07 | critical |
Netsh RDP Port Opening
Detects netsh commands that open port 3389, used for RDP, as seen in Sarwent malware
More details
Rule ID
process_creation_commandline_28
Query
{'selection1': {'CommandLine|contains|all': ['netsh', 'firewall add portopening', 'tcp 3389']}, 'selection2': {'CommandLine|contains|all': ['netsh', 'advfirewall firewall add rule', 'action=allow', 'protocol=TCP', 'localport=3389']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,01aeb693-138d-49d2-9403-c4f52d7d3d62
Author: Sander Wiebing
Tactics, Techniques, and Procedures
T1059.003, T1562.004
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/05/23 | high |
PowerShell DownloadFile
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
More details
Rule ID
process_creation_commandline_29
Query
{'selection': {'CommandLine|contains|all': ['powershell', '.DownloadFile', 'System.Net.WebClient']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,8f70ac5f-1f6f-4f8e-b454-db19561216c5
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1059.003, T1104, T1105
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/08/28 | high |
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
More details
Rule ID
process_creation_commandline_30
Query
{'selection1': {'CommandLine|contains': ['Add-MpPreference ', 'Set-MpPreference ']}, 'selection2': {'CommandLine|contains': [' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,17769c90-230e-488b-a463-e05c08e9d48f
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/04/29 | medium |
Lazarus Loaders
Detects different loaders as described in various threat reports on Lazarus group activity
More details
Rule ID
process_creation_commandline_31
Query
{'selection_cmd1': {'CommandLine|contains|all': ['cmd.exe /c ', ' -p 0x']}, 'selection_cmd2': {'CommandLine|contains': ['C:\\ProgramData\\', 'C:\\RECYCLER\\']}, 'selection_rundll1': {'CommandLine|contains|all': ['rundll32.exe ', 'C:\\ProgramData\\']}, 'selection_rundll2': {'CommandLine|contains': ['.bin,', '.tmp,', '.dat,', '.io,', '.ini,', '.db,']}, 'condition': '( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7b49c990-4a9a-4e65-ba95-47c9cc448f6e
Author: Florian Roth (Nextron Systems), wagga
Tactics, Techniques, and Procedures
T1059, T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/12/23 | critical |
Suspicious GrpConv Execution
Detects the suspicious execution of a utility that converts Windows 3.x .grp files, which may be used for persistence by malicious software or actors
More details
Rule ID
process_creation_commandline_32
Query
{'selection': {'CommandLine|contains': ['grpconv.exe -o', 'grpconv -o']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f14e169e-9978-4c69-acb3-1cff8200bc36
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1547
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/05/19 | high |
Disabled RestrictedAdminMode For RDS - ProcCreation
Detects activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
More details
Rule ID
process_creation_commandline_33
Query
{'selection': {'CommandLine|contains|all': ['\\System\\CurrentControlSet\\Control\\Lsa\\', 'DisableRestrictedAdmin', ' 1']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,28ac00d6-22d9-4a3c-927f-bbd770104573
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1112
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2023/01/13 | high |
Malicious Base64 Encoded Powershell Invoke Cmdlets
Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
More details
Rule ID
process_creation_commandline_34
Query
{'selection': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA', 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA', 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA', 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA', 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A', 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg', 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA', 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw', 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,fd6e2919-3936-40c9-99db-0aa922c356f7
Author: pH-T (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/31 | high |
Uninstall Crowdstrike Falcon
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
More details
Rule ID
process_creation_commandline_35
Query
{'selection': {'CommandLine|contains|all': ['\\WindowsSensor.exe', ' /uninstall', ' /quiet']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f0f7be61-9cf5-43be-9836-99d6ef448a18
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/07/12 | medium |
Suspicious Powershell No File or Command
Detects suspicious PowerShell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in the WindowsApps directory)
More details
Rule ID
process_creation_commandline_36
Query
{'selection': {'CommandLine|endswith': [' -windowstyle hidden"', ' -windowstyle hidden', " -windowstyle hidden'", ' -w hidden"', ' -w hidden', " -w hidden'", ' -ep bypass"', ' -ep bypass', " -ep bypass'", ' -noni"', ' -noni', " -noni'"]}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b66474aa-bd92-4333-a16c-298155b120df
Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1053.005, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/04/08 | high |
New Network Provider - CommandLine
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
More details
Rule ID
process_creation_commandline_37
Query
{'selection': {'CommandLine|contains|all': ['\\System\\CurrentControlSet\\Services\\', '\\NetworkProvider']}, 'filter': {'CommandLine|contains': ['\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider', '\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider', '\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider']}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1003, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/23 | high |
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
More details
Rule ID
process_creation_commandline_38
Query
{'selection1': {'CommandLine|contains': ['tracert -h 10 yahoo.com', '.WSqmCons))|iex;', 'Fr`omBa`se6`4Str`ing']}, 'selection2': {'CommandLine|contains|all': ['net use https://docs.live.net', '@aol.co.uk']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,9e2e51c5-c699-4794-ba5a-29f5da40ac0c
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1053.005, T1059.001, T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/05/26 | critical |
Potential Data Stealing Via Chromium Headless Debugging
Detects Chromium-based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
More details
Rule ID
process_creation_commandline_39
Query
{'selection': {'CommandLine|contains|all': ['--remote-debugging-', '--user-data-dir', '--headless']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3e8207c5-fcd2-4ea6-9418-15d45b4890e4
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1185
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/12/23 | high |
Invoke-Obfuscation Via Use MSHTA
Detects obfuscated PowerShell via use of MSHTA in scripts
More details
Rule ID
process_creation_commandline_40
Query
{'selection': {'CommandLine|contains|all': ['set', '&&', 'mshta', 'vbscript:createobject', '.run', '(window.close)']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ac20ae82-8758-4f38-958e-b44a3140ca88
Author: Nikita Nazarov, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/08 | high |

Suspicious Rundll32 Script in CommandLine
|
Detects suspicious rundll32 executions based on their arguments: mshtml,RunHTMLApplication combined with a javascript: or vbscript: URI.
More details
Rule ID
process_creation_commandline_41
Query
{'selection': {'CommandLine|contains|all': ['rundll32', 'mshtml,RunHTMLApplication'], 'CommandLine|contains': ['javascript:', 'vbscript:']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,73fcad2e-ff14-4c38-b11d-4172c8ac86c7
Author: frack113, Zaw Min Htun (ZETA)
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/12/04 | medium |

Suspicious Base64 Encoded Powershell Invoke
|
Detects the base64 encoding of a PowerShell 'Invoke-' call in all three UTF-16LE base64 alignments, excluding the encodings of Invoke-BloodHound, Invoke-Mimikatz and Invoke-WMIExec, which have rules of their own.
More details
Rule ID
process_creation_commandline_42
Query
{'selection': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQ', 'kAbgB2AG8AawBlAC0A', 'JAG4AdgBvAGsAZQAtA']}, 'filter_other_rule': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA', 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA', 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA', 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA', 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A', 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg', 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA', 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw', 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA']}, 'condition': 'selection and not 1 of filter*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6385697e-9f1b-40bd-8817-f4a91f40508e
Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/20 | high |

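The rule above lists three strings for 'Invoke-' and three more for each excluded cmdlet because base64 regroups 3 bytes into 4 characters: the same keyword encodes differently depending on where in the UTF-16LE script it begins. The generator below is an added example, not SigmaHQ or Stellar Cyber code. It reproduces the page's strings from the plaintext keywords and scans constructed -EncodedCommand values for them; the scripts it encodes are made up for the demo. The Emotet rule further down this page ('JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' and its two siblings, which are $env:userprofile) is built the same way.

```python
"""Why the Invoke- rule above carries three base64 strings per keyword, and how
to generate them. Added example, not SigmaHQ or Stellar Cyber code.
powershell -EncodedCommand takes base64 of the UTF-16LE script. Base64 maps 3
bytes to 4 characters, so the encoding of a substring depends on its byte
offset modulo 3; a detection must carry all three alignments, trimmed of the
characters whose bits also depend on the unknown neighbouring bytes.
The scripts encoded below are constructed for the demo."""
import base64

def utf16le_b64_alignments(keyword):
    """Return the three alignment-specific base64 fragments for keyword."""
    data = keyword.encode("utf-16-le")
    fragments = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode().rstrip("=")
        # Drop every character that encodes any of the 8*offset padding bits ...
        start = (8 * offset + 5) // 6
        # ... and a trailing character that would also encode bits of whatever
        # follows the keyword in the real script.
        count = (8 * (len(data) + offset) - 6 * start) // 6
        fragments.append(enc[start:start + count])
    return fragments

def encode_command(script):
    """What gets passed to powershell.exe -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

KEYWORDS = ("Invoke-", "Invoke-Mimikatz", "Invoke-BloodHound", "Invoke-WMIExec")

def find_encoded_keywords(command_line, keywords=KEYWORDS):
    """Map each keyword whose encoding occurs in the command line to the
    alignment (0, 1 or 2) at which it was found."""
    found = {}
    for kw in keywords:
        for alignment, frag in enumerate(utf16le_b64_alignments(kw)):
            if frag in command_line:
                found[kw] = alignment
                break
    return found

# Strings copied from the rule on this page, for comparison with the generator.
PAGE_INVOKE = ['SQBuAHYAbwBrAGUALQ', 'kAbgB2AG8AawBlAC0A', 'JAG4AdgBvAGsAZQAtA']
PAGE_MIMIKATZ = ['SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA',
                 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A',
                 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg']

def demo():
    """Encode the same keyword behind 0, 2 and 1 leading characters (byte
    offsets 0, 4 and 2, i.e. alignments 0, 1 and 2) and scan each result."""
    return {prefix: find_encoded_keywords(
                "powershell -enc " + encode_command(prefix + "Invoke-Mimikatz -DumpCreds"))
            for prefix in ("", "  ", ";")}
```

This is the construction that Sigma's base64offset modifier automates. Two caveats for triage: the fragments only cover the -EncodedCommand form, so script text that assembles the cmdlet name at runtime or splits it with a backtick encodes to something else entirely, and when the rule fires you should decode the whole blob (base64, then UTF-16LE) rather than reason from the fragment alone.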
HackTool - Bloodhound/Sharphound Execution
|
Detects command line parameters used by Bloodhound and Sharphound hack tools
More details
Rule ID
process_creation_commandline_44
Query
{'selection_cli_1': {'CommandLine|contains': [' -CollectionMethod All ', ' --CollectionMethods Session ', ' --Loop --Loopduration ', ' --PortScanTimeout ', '.exe -c All -d ', 'Invoke-Bloodhound', 'Get-BloodHoundData']}, 'selection_cli_2': {'CommandLine|contains|all': [' -JsonFolder ', ' -ZipFileName ']}, 'selection_cli_3': {'CommandLine|contains|all': [' DCOnly ', ' --NoSaveCache ']}, 'condition': '1 of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f376c8a7-a2d0-4ddc-aa0c-16c17236d962
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1069.001, T1069.002, T1087.001, T1087.002, T1482
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2019/12/20 | high |

Explorer Process Tree Break
|
Detects a command line that uses explorer.exe to launch arbitrary commands or binaries. This is similar to cmd.exe /c, except that it breaks the process tree: the launched process gets a fresh explorer.exe instance, itself spawned from svchost.exe, as its parent.
More details
Rule ID
process_creation_commandline_45
Query
{'selection': [{'CommandLine|contains': '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}'}, {'CommandLine|contains|all': ['explorer.exe', ' /root,']}], 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,949f1ffb-6e85-4f00-ae1e-c3c5b190d605
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
Tactics, Techniques, and Procedures
T1036, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2019/06/29 | medium |

Suspicious Del in CommandLine
|
Detects a suspicious command line that force-deletes 'exe' files (del *.exe /f /q) or removes 'dll' files from C:\ProgramData\.
More details
Rule ID
process_creation_commandline_46
Query
{'susp_del_exe': {'CommandLine|contains|all': ['del ', '*.exe', '/f ', '/q ']}, 'susp_del_dll': {'CommandLine|contains|all': ['del ', '*.dll', 'C:\\ProgramData\\']}, 'condition': 'susp_del_exe or susp_del_dll'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,204b17ae-4007-471b-917b-b917b315c5db
Author: frack113, X__Junior (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1070.004
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/12/02 | medium |

Invoke-Obfuscation COMPRESS OBFUSCATION
|
Detects obfuscated PowerShell produced by Invoke-Obfuscation's COMPRESS obfuscation: a New-Object DeflateStream/StreamReader chain that inflates an ASCII-decoded payload before execution.
More details
Rule ID
process_creation_commandline_47
Query
{'selection': {'CommandLine|contains|all': ['new-object', 'text.encoding]::ascii'], 'CommandLine|contains': ['system.io.compression.deflatestream', 'system.io.streamreader', 'readtoend(']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
Author: Timur Zinniatullin, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/18 | medium |

Operation Wocao Activity
|
Detects activity mentioned in the Operation Wocao report.
More details
Rule ID
process_creation_commandline_48
Query
{'selection': {'CommandLine|contains': ['checkadmin.exe 127.0.0.1 -all', 'netsh advfirewall firewall add rule name=powershell dir=in', 'cmd /c powershell.exe -ep bypass -file c:\\s.ps1', '/tn win32times /f', 'create win32times binPath=', '\\c$\\windows\\system32\\devmgr.dll', ' -exec bypass -enc JgAg', 'type *keepass\\KeePass.config.xml', 'iie.exe iie.txt', 'reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1cfac73c-be78-4f9a-9b08-5bde0c3953ab
Author: Florian Roth (Nextron Systems), frack113
Tactics, Techniques, and Procedures
T1012, T1027, T1036.004, T1053.005, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2019/12/20 | high |

Fireball Archer Install
|
Detects Archer malware invocation via rundll32
More details
Rule ID
process_creation_commandline_49
Query
{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'InstallArcherSvc']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2017/06/03 | high |

Zip A Folder With PowerShell For Staging In Temp
|
Detects the built-in Compress-Archive cmdlet being used to zip a path and stage the archive in the user's temporary folder ($env:TEMP) for later exfiltration.
More details
Rule ID
process_creation_commandline_50
Query
{'selection': {'CommandLine|contains|all': ['Compress-Archive ', ' -Path ', ' -DestinationPath ', '$env:TEMP\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
Author: Nasreddine Bencherchali (Nextron Systems), frack113
Tactics, Techniques, and Procedures
T1059.003, T1074.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/07/20 | medium |

Registry Dump of SAM Creds and Secrets
|
Detects reg.exe saving the SAM, SYSTEM or SECURITY hive. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry, where the SAM database is stored; the SYSTEM hive holds the boot key needed to decrypt it.
More details
Rule ID
process_creation_commandline_51
Query
{'selection_reg': {'CommandLine|contains': ' save '}, 'selection_key': {'CommandLine|contains': ['HKLM\\sam', 'HKLM\\system', 'HKLM\\security']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
Author: frack113
Tactics, Techniques, and Procedures
T1003.002, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/05 | high |

Procdump Evasion
|
Detects uses of the Sysinternals Procdump utility in which procdump or its output is renamed, or a dump file is moved or copied to a different name.
More details
Rule ID
process_creation_commandline_52
Query
{'selection1': {'CommandLine|contains': ['copy procdump', 'move procdump']}, 'selection2': {'CommandLine|contains|all': ['copy ', '.dmp '], 'CommandLine|contains': ['2.dmp', 'lsass', 'out.dmp']}, 'selection3': {'CommandLine|contains': ['copy lsass.exe_', 'move lsass.exe_']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,79b06761-465f-4f88-9ef2-150e24d3d737
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1003.001, T1036, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/11 | high |

Powershell Token Obfuscation - Process Creation
|
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
More details
Rule ID
process_creation_commandline_53
Query
{'selection': [{'CommandLine|re': '\\w+`(\\w+|-|.)`[\\w+|\\s]'}, {'CommandLine|re': '"(\\{\\d\\})+"\\s*-f'}, {'CommandLine|re': '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'}], 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,deb9b646-a508-44ee-b7c9-d8965921c6b6
Author: frack113
Tactics, Techniques, and Procedures
T1027.009, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/12/27 | high |

Suspicious Minimized MSEdge Start
|
Detects a suspicious minimized start of the Microsoft Edge browser (start /min msedge), which can be used to download files from the Internet without a visible window.
More details
Rule ID
process_creation_commandline_54
Query
{'selection': {'CommandLine|contains': 'start /min msedge'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,94771a71-ba41-4b6e-a757-b531372eaab6
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1105
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/11 | high |

Suspicious PowerShell Download and Execute Pattern
|
Detects suspicious PowerShell download-and-execute patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches these strings case-insensitively).
More details
Rule ID
process_creation_commandline_55
Query
{'selection': {'CommandLine|contains': ['IEX ((New-Object Net.WebClient).DownloadString', 'IEX (New-Object Net.WebClient).DownloadString', 'IEX((New-Object Net.WebClient).DownloadString', 'IEX(New-Object Net.WebClient).DownloadString', ' -command (New-Object System.Net.WebClient).DownloadFile(', ' -c (New-Object System.Net.WebClient).DownloadFile(']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e6c54d94-498c-4562-a37c-b469d8e9a275
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/02/28 | high |

Add User to Local Administrators
|
Detects suspicious command line that adds an account to the local administrators/administrateurs group
More details
Rule ID
process_creation_commandline_56
Query
{'selection_main': [{'CommandLine|contains|all': ['localgroup ', ' /add']}, {'CommandLine|contains|all': ['Add-LocalGroupMember ', ' -Group ']}], 'selection_group': {'CommandLine|contains': [' administrators ', ' administrateur']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ad720b90-25ad-43ff-9b5e-5c841facc8e5
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1098
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/12 | medium |

Taskkill Symantec Endpoint Protection
|
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. The Symantec Endpoint Protection antivirus services incorrectly implement the protected service mechanism. As a result, NT AUTHORITY\SYSTEM can run taskkill /f /im ccSvcHst.exe several times, killing the process belonging to the service and thus shutting the service down.
More details
Rule ID
process_creation_commandline_57
Query
{'selection': {'CommandLine|contains|all': ['taskkill', ' /F ', ' /IM ', 'ccSvcHst.exe']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,4a6713f6-3331-11ed-a261-0242ac120002
Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/13 | high |

MsiExec Web Install
|
Detects suspicious msiexec process starts with a web address as a parameter.
More details
Rule ID
process_creation_commandline_58
Query
{'selection': {'CommandLine|contains|all': [' msiexec', '://']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f7b5f842-a6af-4da5-9e95-e32478f3cd2f
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1105, T1218.007
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/02/09 | medium |

PsExec Service Start
|
Detects a PsExec service start
More details
Rule ID
process_creation_commandline_59
Query
{'selection': {'CommandLine': 'C:\\Windows\\PSEXESVC.exe'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3ede524d-21cc-472d-a3ce-d21b568d8db7
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1569.002
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/03/13 | low |

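Every entry on this page suppresses on the same three keys: hostip, event_data.CommandLine and stellar.rule_id. For a low-severity rule such as this one, where one legitimate PsExec deployment can fire the same alert on a host many times in a row, the effect of that key choice is worth seeing. The code below is an added example, not Stellar Cyber code: the page does not state the suppression window or its exact semantics, so the 10-minute window, the nested alert layout and the alerts themselves are constructed assumptions for the demo.

```python
"""Alert suppression keyed on the three fields every rule on this page lists
(hostip, event_data.CommandLine, stellar.rule_id). Added example, not Stellar
Cyber code: the page does not state the product's window length or exact
semantics, so the 10-minute window, the nested alert layout and the alerts
themselves are constructed assumptions for the demo."""
from datetime import datetime, timedelta

SUPPRESSION_KEYS = ("hostip", "event_data.CommandLine", "stellar.rule_id")
WINDOW = timedelta(minutes=10)           # assumed, not from the page

def get_field(alert, dotted):
    """Resolve a dotted name such as 'event_data.CommandLine'; None if absent."""
    value = alert
    for part in dotted.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def suppress(alerts, keys=SUPPRESSION_KEYS, window=WINDOW):
    """Return the alerts to raise, in order. A repeat of an already raised
    alert (same key tuple) within `window` of that raised copy is folded into
    its 'suppressed' counter instead. Input must be sorted by 'ts'."""
    last_raised, raised = {}, []
    for alert in alerts:
        key = tuple(get_field(alert, k) for k in keys)
        prev = last_raised.get(key)
        if prev is not None and alert["ts"] - prev["ts"] < window:
            prev["suppressed"] += 1
            continue
        copy = dict(alert, suppressed=0)
        last_raised[key] = copy
        raised.append(copy)
    return raised

T0 = datetime(2023, 1, 4, 9, 0, 0)

def make_alert(minutes, host, cmdline, rule_id):
    return {"ts": T0 + timedelta(minutes=minutes), "hostip": host,
            "event_data": {"CommandLine": cmdline}, "stellar": {"rule_id": rule_id}}

PSEXEC, REG_SAVE = "process_creation_commandline_59", "process_creation_commandline_51"
SAMPLE_ALERTS = [                         # constructed, time-ordered
    make_alert(0, "10.0.0.5", r"C:\Windows\PSEXESVC.exe", PSEXEC),
    make_alert(1, "10.0.0.5", r"C:\Windows\PSEXESVC.exe", PSEXEC),    # repeat: suppressed
    make_alert(2, "10.0.0.5", r"C:\Windows\PSEXESVC.exe", PSEXEC),    # repeat: suppressed
    make_alert(3, "10.0.0.7", r"C:\Windows\PSEXESVC.exe", PSEXEC),    # other host: raised
    make_alert(4, "10.0.0.5", r"reg save HKLM\sam C:\Windows\Temp\sam.hiv", REG_SAVE),  # other rule
    make_alert(15, "10.0.0.5", r"C:\Windows\PSEXESVC.exe", PSEXEC),   # window expired: raised
]

def demo():
    """(hostip, rule_id, suppressed-count) for each raised alert."""
    return [(a["hostip"], get_field(a, "stellar.rule_id"), a["suppressed"])
            for a in suppress(SAMPLE_ALERTS)]
```

Because the full command line is part of the key, a second run of the same command on the same host is folded in, but the same rule on another host, or a command line that differs by a single character (a timestamped file name, a different target path), is a fresh alert. That is the right trade-off for the credential-dumping rules on this page, where the variant is exactly what an analyst wants to see; it is not a noise reducer for scheduled jobs whose arguments change on every run.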
Scheduled Task WScript VBScript
|
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
More details
Rule ID
process_creation_commandline_60
Query
{'selection': {'CommandLine|contains|all': ['schtasks', 'create', 'wscript', 'e:vbscript']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e1118a8f-82f5-44b3-bb6b-8a284e5df602
Author: Andreas Hunkeler (@Karneades)
Tactics, Techniques, and Procedures
T1053, T1053.005, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/02/07 | high |

Dropping Of Password Filter DLL
|
Detects the registry registration (rather than the file drop) of a password filter DLL: a reg add on HKLM\SYSTEM\CurrentControlSet\Control\Lsa whose Notification Packages value contains scecli\0 followed by the attacker's DLL name, which LSASS then loads and which can be used to capture user credentials in clear text.
More details
Rule ID
process_creation_commandline_61
Query
{'selection_cmdline': {'CommandLine|contains|all': ['HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa', 'scecli\\0*', 'reg add']}, 'condition': 'selection_cmdline'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b7966f4a-b333-455b-8370-8ca53c229762
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1556.002
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/29 | medium |

Suspicious UltraVNC Execution
|
Detects a suspicious UltraVNC command line flag combination (-autoreconnect -connect -id:) that indicates an automatic reconnect upon execution, e.g. at startup, as seen being used by the Gamaredon threat group.
More details
Rule ID
process_creation_commandline_62
Query
{'selection': {'CommandLine|contains|all': ['-autoreconnect ', '-connect ', '-id:']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,871b9555-69ca-4993-99d3-35a59f9f3599
Author: Bhabesh Raj
Tactics, Techniques, and Procedures
T1021.005, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/03/04 | high |

Potential AMSI Bypass Using NULL Bits - ProcessCreation
|
Detects usage of special strings/null bytes in order to potentially bypass AMSI functionality.
More details
Rule ID
process_creation_commandline_63
Query
{'selection': {'CommandLine|contains': ["if(0){{{0}}}' -f $(0 -as [char]) +", '#<NULL>']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,92a974db-ab84-457f-9ec0-55db83d7a825
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2023/01/04 | medium |

Invoke-Obfuscation CLIP+ Launcher
|
Detects Obfuscated use of Clip.exe to execute PowerShell
More details
Rule ID
process_creation_commandline_65
Query
{'selection': {'CommandLine|contains|all': ['cmd', '&&', 'clipboard]::', '-f'], 'CommandLine|contains': ['/c', '/r']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b222df08-0e07-11eb-adc1-0242ac120002
Author: Jonathan Cheong, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/13 | high |

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
|
Detects execution of arbitrary PowerShell code through the signed SyncAppvPublishingServer.vbs script, whose argument is inserted into a PowerShell command, so a ';' lets additional commands through.
More details
Rule ID
process_creation_commandline_67
Query
{'selection': {'CommandLine|contains|all': ['\\SyncAppvPublishingServer.vbs', ';']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1216, T1218
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/07/16 | medium |

Suspicious Add User to Remote Desktop Users Group
|
Detects suspicious command line in which a user gets added to the local Remote Desktop Users group
More details
Rule ID
process_creation_commandline_68
Query
{'selection_main': [{'CommandLine|contains|all': ['localgroup ', ' /add']}, {'CommandLine|contains|all': ['Add-LocalGroupMember ', ' -Group ']}], 'selection_group': {'CommandLine|contains': ['Remote Desktop Users', 'Utilisateurs du Bureau à distance', 'Usuarios de escritorio remoto']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1021.001, T1059.003, T1133, T1136.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/12/06 | high |

GatherNetworkInfo.vbs Script Usage
|
Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script, run through cscript.exe, to gather information about the target.
More details
Rule ID
process_creation_commandline_69
Query
{'selection': {'CommandLine|contains|all': ['cscript.exe', 'gatherNetworkInfo.vbs']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,575dce0c-8139-4e30-9295-1ee75969f7fe
Author: blueteamer8699
Tactics, Techniques, and Procedures
T1059.003, T1059.005, T1615
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/03 | medium |

APT29
|
This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
More details
Rule ID
process_creation_commandline_70
Query
{'selection': {'CommandLine|contains|all': ['-noni', '-ep', 'bypass', '$']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,033fe7d6-66d1-4240-ac6b-28908009c71f
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/12/04 | high |

Suspicious WMIC ActiveScriptEventConsumer Creation
|
Detects WMIC executions in which an ActiveScriptEventConsumer is created in order to establish persistence.
More details
Rule ID
process_creation_commandline_71
Query
{'selection': {'CommandLine|contains|all': ['ActiveScriptEventConsumer', ' CREATE ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ebef4391-1a81-4761-a40a-1db446c0e625
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1546.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/06/25 | high |

TAIDOOR RAT DLL Load
|
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
More details
Rule ID
process_creation_commandline_72
Query
{'selection1': {'CommandLine|contains': ['dll,MyStart', 'dll MyStart']}, 'selection2a': {'CommandLine|endswith': ' MyStart'}, 'selection2b': {'CommandLine|contains': 'rundll32.exe'}, 'condition': 'selection1 or ( selection2a and selection2b )'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d1aa3382-abab-446f-96ea-4de52908210b
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1055.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/07/30 | high |

Empire PowerShell UAC Bypass
|
Detects some Empire PowerShell UAC bypass methods
More details
Rule ID
process_creation_commandline_73
Query
{'selection': {'CommandLine|contains': [' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)', ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3268b746-88d8-4cd3-bffc-30077d02c787
Author: Ecco
Tactics, Techniques, and Procedures
T1059.003, T1548.002
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2019/08/30 | critical |

Emotet Process Creation
|
Detects Emotet-like process executions that are not covered by the more generic rules.
More details
Rule ID
process_creation_commandline_74
Query
{'selection': {'CommandLine|contains': [' -e* PAA', 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ', 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA', 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA', 'IgAoACcAKgAnACkAOwAkA', 'IAKAAnACoAJwApADsAJA', 'iACgAJwAqACcAKQA7ACQA', 'JABGAGwAeAByAGgAYwBmAGQ', 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA', '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA', '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA']}, 'filter': {'CommandLine|contains': ['fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ', 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA', '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA']}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2019/09/30 | high |

Esentutl Gather Credentials
|
Detects esentutl run with the /p (repair) option. Conti recommended this to its affiliates to access a dumped NTDS file; TrickBot also uses this utility to obtain Microsoft Edge data via its pwgrab module.
More details
Rule ID
process_creation_commandline_75
Query
{'selection': {'CommandLine|contains|all': ['esentutl', ' /p']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7df1713a-1a5b-4a4b-a071-dc83b144a101
Author: sam0x90
Tactics, Techniques, and Procedures
T1003, T1003.003, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/08/06 | medium |

EvilNum Golden Chickens Deployment via OCX Files
|
Detects the Golden Chickens deployment method (regsvr32 /s /i of an .ocx file under \AppData\Roaming\) as used by Evilnum, per a report published in July 2020.
More details
Rule ID
process_creation_commandline_76
Query
{'selection': {'CommandLine|contains|all': ['regsvr32', '/s', '/i', '\\AppData\\Roaming\\', '.ocx']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,8acf3cfa-1e8c-4099-83de-a0c4038e18f0
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/07/10 | critical |

Suspicious Dosfuscation Character in Commandline
|
Detects possible payload obfuscation via the commandline
More details
Rule ID
process_creation_commandline_77
Query
{'selection': {'CommandLine|contains': ['^^', ',;,', '%COMSPEC:~', ' s^et ', ' s^e^t ', ' se^t ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a77c1610-fc73-4019-8e29-0f51efc04a51
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/02/15 | medium |

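The indicators above are the raw obfuscation artefacts. When one fires, the first triage step is to recover what cmd.exe would actually have run. The normaliser below is an added example, not SigmaHQ or Stellar Cyber code. It reproduces two of cmd.exe's parsing behaviours (caret escapes outside double quotes, and %VAR:~start,len% substring expansion) on a constructed environment and a constructed command line, and leaves everything else (delayed !expansion!, %VAR:str=repl% replacement, FOR-loop tricks) untouched.

```python
"""Normalising cmd.exe 'Dosfuscation' before hunting on the command line.
Added example, not SigmaHQ or Stellar Cyber code. The rule above fires on the
raw artefacts (caret escapes such as ' s^et ', '%COMSPEC:~' substring
expansion); for triage you also want the de-obfuscated string. This reproduces
two cmd.exe behaviours: a caret escapes the next character outside double
quotes, and %VAR:~start[,len]% slices a variable's value (a negative start
counts from the end; a negative len stops that many characters before the
end). The environment and the sample command line are constructed."""
import re

ENV = {"COMSPEC": r"C:\Windows\System32\cmd.exe"}   # constructed; use os.environ live
SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")

def strip_carets(cmdline):
    """'s^e^t' -> 'set', '^^' -> '^'; inside double quotes '^' is literal."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes and i + 1 < len(cmdline):
            i += 1                       # the escaped character is kept verbatim
            ch = cmdline[i]
        out.append(ch)
        i += 1
    return "".join(out)

def expand_substrings(cmdline, env=ENV):
    """Expand %VAR:~start[,len]% the way cmd.exe does (other forms untouched)."""
    def repl(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)            # unknown variable: cmd leaves it as-is
        start = int(m.group(2))
        start = max(len(value) + start, 0) if start < 0 else min(start, len(value))
        if m.group(3) is None:
            end = len(value)
        else:
            length = int(m.group(3))
            end = start + length if length >= 0 else len(value) + length
        return value[start:end]
    return SUBSTR.sub(repl, cmdline)

def normalize(cmdline, env=ENV):
    """cmd.exe expands %variables% before it processes carets, so do the same."""
    return strip_carets(expand_substrings(cmdline, env))

# Constructed sample: 'set' spelled from COMSPEC characters, 'call' caret-split,
# the value 'cmd' taken from the end of COMSPEC, and a literal '^^' escape.
OBFUSCATED = ('cmd /c %COMSPEC:~9,1%%COMSPEC:~15,1%%COMSPEC:~14,1% x=%COMSPEC:~-7,3%'
              '&& c^a^l^l %x%^&^&echo ^^ "^quoted^"')

def demo():
    return normalize(OBFUSCATED)
```

Order matters: cmd.exe expands %variables% before it handles carets, and a caret inside a quoted string is literal, so normalising in any other order will both over- and under-strip. Keep the detection rule on the raw command line, where the artefacts live, and point hunting queries at the normalised one.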
WhoAmI as Parameter
|
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
More details
Rule ID
process_creation_commandline_78
Query
{'selection': {'CommandLine|contains': '.exe whoami'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e9142d84-fbe0-401d-ac50-3e519fb00c89
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1033, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/11/29 | high |

Powershell Inline Execution From A File
|
Detects inline execution of PowerShell code from a file
More details
Rule ID
process_creation_commandline_79
Query
{'selection_exec': {'CommandLine|contains': ['iex ', 'Invoke-Expression ', 'Invoke-Command ', 'icm ']}, 'selection_read': {'CommandLine|contains': ['cat ', 'get-content ', 'type ']}, 'selection_raw': {'CommandLine|contains': ' -raw'}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ee218c12-627a-4d27-9e30-d6fb2fe22ed2
Author: frack113
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/12/25 | medium |

Base64 Encoded PowerShell Command Detected
|
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
More details
Rule ID
process_creation_commandline_80
Query
{'selection': {'CommandLine|contains': '::FromBase64String('}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e32d4572-9826-4738-b651-95fa63747e8a
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003, T1140
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2020/01/29 | high | |
|
|
CL_Mutexverifiers.ps1 Proxy Execution
|
Detects the use of a Microsoft signed script to execute commands
More details
Rule ID
process_creation_commandline_81
Query
{'selection': {'CommandLine|contains|all': ['\\CL_Mutexverifiers.ps1', 'runAfterCancelProcess ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
Tactics, Techniques, and Procedures
T1059.003, T1216
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/05/21 | medium | |
|
|
Suspicious X509Enrollment - Process Creation
|
Detects the use of X509Enrollment
More details
Rule ID
process_creation_commandline_82
Query
{'selection': {'CommandLine|contains': ['X509Enrollment.CBinaryConverter', '884e2002-217d-11da-b2a4-000e7bbb2b09']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,114de787-4eb2-48cc-abdb-c0b449f93ea4
Author: frack113
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/12/23 | medium | |
|
|
Suspicious Regsvr32 HTTP IP Pattern
|
Detects a certain command line flag combination used by regsvr32 when it is used to download and register a DLL from a remote address that uses HTTP (not HTTPS) and an IP address rather than an FQDN
More details
Rule ID
process_creation_commandline_83
Query
{'selection_flags': {'CommandLine|contains|all': [' /s', ' /u']}, 'selection_ip': {'CommandLine|contains': [' /i:http://1', ' /i:http://2', ' /i:http://3', ' /i:http://4', ' /i:http://5', ' /i:http://6', ' /i:http://7', ' /i:http://8', ' /i:http://9', ' /i:https://1', ' /i:https://2', ' /i:https://3', ' /i:https://4', ' /i:https://5', ' /i:https://6', ' /i:https://7', ' /i:https://8', ' /i:https://9']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2dd2c217-bf68-437a-b57c-fe9fd01d5de8
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218.010
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/01/11 | high | |
|
|
Rundll32 Without Parameters
|
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
More details
Rule ID
process_creation_commandline_84
Query
{'selection': {'CommandLine': 'rundll32.exe'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,5bb68627-3198-40ca-b458-49f973db8752
Author: Bartlomiej Czyz, Relativity
Tactics, Techniques, and Procedures
T1021.002, T1059.003, T1569.002, T1570
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/01/31 | high | |
|
|
Suspicious Ntdll Pipe Redirection
|
Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV/EDR detection
More details
Rule ID
process_creation_commandline_85
Query
{'selection': {'CommandLine|contains': ['type %windir%\\system32\\ntdll.dll', 'type %systemroot%\\system32\\ntdll.dll', 'type c:\\windows\\system32\\ntdll.dll', '\\ntdll.dll > \\\\.\\pipe\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2022/03/05 | high | |
|
|
Raccine Uninstall
|
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
More details
Rule ID
process_creation_commandline_86
Query
{'selection1': {'CommandLine|contains|all': ['taskkill ', 'RaccineSettings.exe']}, 'selection2': {'CommandLine|contains|all': ['reg.exe', 'delete', 'Raccine Tray']}, 'selection3': {'CommandLine|contains|all': ['schtasks', '/DELETE', 'Raccine Rules Updater']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/01/21 | high | |
|
|
REGISTER_APP.VBS Proxy Execution
|
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
More details
Rule ID
process_creation_commandline_88
Query
{'selection': {'CommandLine|contains|all': ['\\register_app.vbs', '-register']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1c8774a0-44d4-4db0-91f8-e792359c70bd
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/08/19 | medium | |
|
|
PowerShell Get-Process LSASS
|
Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity
More details
Rule ID
process_creation_commandline_89
Query
{'selection': {'CommandLine|contains': ['Get-Process lsas', 'ps lsas', 'gps lsas']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b2815d0d-7481-4bf0-9b6c-a4c48a94b349
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1552.004
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/04/23 | high | |
|
|
Raspberry Robin Dot Ending File
|
Detects a command line containing a reference to files ending with a ".". This scheme has been seen used by Raspberry Robin.
More details
Rule ID
process_creation_commandline_90
Query
{'selection': {'CommandLine|re': '\\.[a-zA-Z0-9]{1,6}\\.[ |"|\']{1}'}, 'filter': {'CommandLine|re': '\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}'}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/10/28 | high | |
|
|
LockerGoga Ransomware
|
Detects LockerGoga Ransomware command line.
More details
Rule ID
process_creation_commandline_91
Query
{'selection': {'CommandLine|contains': '-i SM-tgytutrc -s'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,74db3488-fd28-480a-95aa-b7af626de068
Author: Vasiliy Burov, oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1486
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
stable | 2020/10/18 | critical | |
|
|
Write Protect For Storage Disabled
|
Looks for changes to the registry that disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by the cypherpunk group.
More details
Rule ID
process_creation_commandline_92
Query
{'selection': {'CommandLine|contains|all': ['reg add', '\\system\\currentcontrolset\\control', 'write protection', '0'], 'CommandLine|contains': ['storage', 'storagedevicepolicies']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1562
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2021/06/11 | medium | |
|
|
Audio Capture via PowerShell
|
Detects audio capture via PowerShell Cmdlet.
More details
Rule ID
process_creation_commandline_93
Query
{'selection': {'CommandLine|contains': 'WindowsAudioDevice-Powershell-Cmdlet'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,932fb0d8-692b-4b0f-a26e-5643a50fe7d6
Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1123
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2019/10/24 | medium | |
|
|
Potential Suspicious Windows Feature Enabled - ProcCreation
|
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature", used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
More details
Rule ID
process_creation_commandline_94
Query
{'selection_cmd': {'CommandLine|contains|all': ['Enable-WindowsOptionalFeature', '-Online', '-FeatureName']}, 'selection_feature': {'CommandLine|contains': ['TelnetServer', 'Internet-Explorer-Optional-amd64', 'TFTP', 'SMB1Protocol', 'Client-ProjFS', 'Microsoft-Windows-Subsystem-Linux']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c740d4cf-a1e9-41de-bb16-8a46a4f57918
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/12/29 | medium | |
|
|
Reg Disable Security Service
|
Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
More details
Rule ID
process_creation_commandline_96
Query
{'selection_reg_add': {'CommandLine|contains|all': ['reg', 'add']}, 'selection_cli_reg_start': {'CommandLine|contains|all': [' /d 4', ' /v Start'], 'CommandLine|contains': ['\\Sense', '\\WinDefend', '\\MsMpSvc', '\\NisSrv', '\\WdBoot', '\\WdNisDrv', '\\WdNisSvc', '\\wscsvc', '\\SecurityHealthService', '\\wuauserv', '\\UsoSvc', '\\WdFilter', '\\AppIDSvc']}, 'selection_cli_reg_disable_defender': {'CommandLine|contains|all': [' /d 1', 'Windows Defender'], 'CommandLine|contains': ['DisableIOAVProtection', 'DisableOnAccessProtection', 'DisableRoutinelyTakingAction', 'DisableScanOnRealtimeEnable', 'DisableBlockAtFirstSeen', 'DisableBehaviorMonitoring', 'DisableEnhancedNotifications', 'DisableAntiSpyware', 'DisableAntiSpywareRealtimeProtection', 'DisableConfig', 'DisablePrivacyMode', 'SignatureDisableUpdateOnStartupWithoutEngine', 'DisableArchiveScanning', 'DisableIntrusionPreventionSystem', 'DisableScriptScanning']}, 'condition': 'selection_reg_add and 1 of selection_cli_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,5e95028c-5229-4214-afae-d653d573d0ec
Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2021/07/14 | high | |
|
|
Serv-U Exploitation CVE-2021-35211 by DEV-0322
|
Detects patterns as noticed in the exploitation of the Serv-U vulnerability CVE-2021-35211 by the threat group DEV-0322
More details
Rule ID
process_creation_commandline_97
Query
{'selection_whoami': {'CommandLine|contains': 'whoami'}, 'selection_cmd_1': {'CommandLine|contains': ['./Client/Common/', '.\\Client\\Common\\']}, 'selection_cmd_2': {'CommandLine|contains': 'C:\\Windows\\Temp\\Serv-U.bat'}, 'condition': 'selection_whoami and 1 of selection_cmd*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,75578840-9526-4b2a-9462-af469a45e767
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1136.001
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/07/14 | critical | |
|
|
Suspicious Debugger Registration Cmdline
|
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
More details
Rule ID
process_creation_commandline_98
Query
{'selection1': {'CommandLine|contains': '\\CurrentVersion\\Image File Execution Options\\'}, 'selection2': {'CommandLine|contains': ['sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe', 'atbroker.exe', 'HelpPane.exe']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ae215552-081e-44c7-805f-be16f975c8a2
Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
Tactics, Techniques, and Procedures
T1059.003, T1546.008
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2019/09/06 | high | |
|
|
CrackMapExec Command Execution
|
Detects various execution methods of the CrackMapExec pentesting framework
More details
Rule ID
process_creation_commandline_99
Query
{'selection': {'CommandLine|endswith': ['cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1', 'cmd.exe /C * > \\\\*\\*\\* 2>&1', 'cmd.exe /C * > *\\Temp\\* 2>&1'], 'CommandLine|contains': ['powershell.exe -exec bypass -noni -nop -w 1 -C "', 'powershell.exe -noni -nop -w 1 -enc ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,058f4380-962d-40a5-afce-50207d36d7e2
Author: Thomas Patzke
Tactics, Techniques, and Procedures
T1047, T1053, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
stable | 2020/05/22 | high | |
|
|
DevInit Lolbin Download
|
Detects a certain command line flag combination used by the devinit.exe lolbin to download arbitrary MSI packages on a Windows system
More details
Rule ID
process_creation_commandline_100
Query
{'selection': {'CommandLine|contains|all': [' -t msi-install ', ' -i http']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,90d50722-0483-4065-8e35-57efaadd354d
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2022/01/11 | high | |
|
|
Sticky-Key Backdoor Copy Cmd.exe
|
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated", the privileged shell is launched.
More details
Rule ID
process_creation_commandline_101
Query
{'selection': {'CommandLine': 'copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1070db9a-3e5d-412e-8e7b-7183b616e1b3
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1546.008
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2020/02/18 | medium | |
|
|
Suspicious Use of Procdump on LSASS
|
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
More details
Rule ID
process_creation_commandline_102
Query
{'selection1': {'CommandLine|contains': [' -ma ', ' /ma ']}, 'selection2': {'CommandLine|contains': ' ls'}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,5afee48e-67dd-4e03-a783-f74259dcf998
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1003.001, T1036, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
stable | 2018/10/30 | high | Unlikely, because no one should dump an lsass process memory; another tool that uses the command line switches of Procdump |
|
|
Suspicious Rundll32 Activity Invoking Sys File
|
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
More details
Rule ID
process_creation_commandline_103
Query
{'selection1': {'CommandLine|contains': 'rundll32.exe'}, 'selection2': {'CommandLine|contains': ['.sys,', '.sys ']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,731231b9-0b5d-4219-94dd-abb6959aa7ea
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/03/05 | high | |
|
|
ETW Logging Tamper In .NET Processes
|
Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
More details
Rule ID
process_creation_commandline_104
Query
{'selection': {'CommandLine|contains': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,41421f44-58f9-455d-838a-c398859841d4
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Tactics, Techniques, and Procedures
T1059.003, T1562
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2020/05/02 | high | |
|
|
Suspicious WMIC Execution - ProcessCallCreate
|
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
More details
Rule ID
process_creation_commandline_105
Query
{'selection': {'CommandLine|contains|all': ['process ', 'call ', 'create '], 'CommandLine|contains': ['rundll32', 'bitsadmin', 'regsvr32', 'cmd.exe /c ', 'cmd.exe /k ', 'cmd.exe /r ', 'cmd /c ', 'cmd /k ', 'cmd /r ', 'powershell', 'pwsh', 'certutil', 'cscript', 'wscript', 'mshta', '\\Users\\Public\\', '\\Windows\\Temp\\', '\\AppData\\Local\\', '%temp%', '%tmp%', '%ProgramData%', '%appdata%', '%comspec%', '%localappdata%']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3c89a1e8-0fba-449e-8f1b-8409d6267ec8
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1047, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2020/10/12 | high | |
|
|
BlueMashroom DLL Load
|
Detects a suspicious DLL loading from an AppData\Local path as described in the BlueMashroom report
More details
Rule ID
process_creation_commandline_106
Query
{'selection': [{'CommandLine|contains|all': ['\\regsvr32', '\\AppData\\Local\\']}, {'CommandLine|contains|all': ['\\AppData\\Local\\', ',DllEntry']}], 'filter_teams': [{'CommandLine|contains': 'AppData\\Local\\Microsoft\\TeamsMeetingAddin\\'}, {'CommandLine|endswith': ['\\x86\\Microsoft.Teams.AddinLoader.dll', '\\x86\\Microsoft.Teams.AddinLoader.dll"', '\\x64\\Microsoft.Teams.AddinLoader.dll', '\\x64\\Microsoft.Teams.AddinLoader.dll"']}], 'filter_webex': {'CommandLine|endswith': '\\AppData\\Local\\WebEx\\WebEx64\\Meetings\\atucfobj.dll'}, 'condition': 'selection and not 1 of filter*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0
Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1218.010
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2019/10/02 | critical | |
|
|
Mshtml DLL RunHTMLApplication Abuse
|
Detects a suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http, ...)
More details
Rule ID
process_creation_commandline_107
Query
{'selection': {'CommandLine|contains|all': ['\\..\\', 'mshtml', 'RunHTMLApplication']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,4782eb5a-a513-4523-a0ac-f3082b26ac5c
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/08/14 | high | |
|
|
Persistence Via TypedPaths - CommandLine
|
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt
More details
Rule ID
process_creation_commandline_109
Query
{'selection': {'CommandLine|contains': '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/08/22 | medium | |
|
|
UtilityFunctions.ps1 Proxy Dll
|
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
More details
Rule ID
process_creation_commandline_110
Query
{'selection': {'CommandLine|contains': ['UtilityFunctions.ps1', 'RegSnapin ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,0403d67d-6227-4ea8-8145-4e72db7da120
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1216
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/05/28 | medium | |
|
|
Unidentified Attacker November 2018
|
A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile organizations in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.
More details
Rule ID
process_creation_commandline_111
Query
{'selection': {'CommandLine|contains': 'cyzfc.dat,', 'CommandLine|endswith': 'PointFunctionCall'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7453575c-a747-40b9-839b-125a0aae324b
Author: Florian Roth (Nextron Systems), @41thexplorer
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
stable | 2018/11/20 | high | N/A |
|
|
Powershell AMSI Bypass via .NET Reflection
|
Detects requests to "amsiInitFailed" that can be used to disable AMSI scanning
More details
Rule ID
process_creation_commandline_112
Query
{'selection': {'CommandLine|contains': ['System.Management.Automation.AmsiUtils', 'amsiInitFailed']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,30edb182-aa75-42c0-b0a9-e998bb29067c
Author: Markus Neis, @Kostastsale
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2018/08/17 | high | |
|
|
PowerShell SAM Copy
|
Detects suspicious PowerShell scripts accessing SAM hives
More details
Rule ID
process_creation_commandline_113
Query
{'selection_1': {'CommandLine|contains|all': ['\\HarddiskVolumeShadowCopy', 'System32\\config\\sam']}, 'selection_2': {'CommandLine|contains': ['Copy-Item', 'cp $_.', 'cpi $_.', 'copy $_.', '.File]::Copy(']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1af57a4b-460a-4738-9034-db68b880c665
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1003.002, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/07/29 | high | |
|
|
UAC Bypass Using Event Viewer RecentViews
|
Detects the pattern of UAC Bypass using Event Viewer RecentViews
More details
Rule ID
process_creation_commandline_114
Query
{'selection_path': {'CommandLine|contains': ['\\Event Viewer\\RecentViews', '\\EventV~1\\RecentViews']}, 'selection_redirect': {'CommandLine|contains': '>'}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,30fc8de7-d833-40c4-96b6-28319fbc4f6c
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2022/11/22 | high | |
|
|
Suspicious Office Token Search Via CLI
|
Detects a possible search for Office tokens via the CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by Office and similar apps.
More details
Rule ID
process_creation_commandline_115
Query
{'selection': {'CommandLine|contains': ['eyJ0eXAiOi', ' eyJ0eX', ' "eyJ0eX"', " 'eyJ0eX'"]}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6d3a3952-6530-44a3-8554-cf17c116c615
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1528
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/10/25 | medium | |
|
|
Change Default File Association To Executable
|
Detects when a program changes the default file association of any extension to an executable
More details
Rule ID
process_creation_commandline_116
Query
{'selection': {'CommandLine|contains|all': ['cmd', 'assoc ', 'exefile'], 'CommandLine|contains': [' /c ', ' /r ', ' /k ']}, 'filter': {'CommandLine|contains': '.exe=exefile'}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ae6f14e6-14de-45b0-9f44-c0986f50dc89
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1546.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
experimental | 2022/06/28 | high | |
|
|
Conti Backup Database
|
Detects a command used by Conti to dump a database
More details
Rule ID
process_creation_commandline_118
Query
{'selection_tools': {'CommandLine|contains': ['sqlcmd ', 'sqlcmd.exe']}, 'selection_svr': {'CommandLine|contains': ' -S localhost '}, 'selection_query': {'CommandLine|contains': ['sys.sysprocesses', 'master.dbo.sysdatabases', 'BACKUP DATABASE']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2f47f1fd-0901-466e-a770-3b7092834a1b
Author: frack113
Tactics, Techniques, and Procedures
T1005, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
test | 2021/08/16 | high | |
|
|
Winnti Pipemon Characteristics
|
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
More details
Rule ID
process_creation_commandline_119
Query
{'selection1': {'CommandLine|contains': 'setup0.exe -p'}, 'selection2a': {'CommandLine|contains': 'setup.exe'}, 'selection2b': {'CommandLine|endswith': ['-x:0', '-x:1', '-x:2']}, 'condition': 'selection1 or all of selection2*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,73d70463-75c9-4258-92c6-17500fe972f2
Author: Florian Roth (Nextron Systems), oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1574.002
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives |
stable | 2020/07/30 | critical | |
|
|
Suspicious ZipExec Execution
|
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
More details
Rule ID
process_creation_commandline_120
Query
{'run': {'CommandLine|contains|all': ['/generic:Microsoft_Windows_Shell_ZipFolder:filename=', '.zip', '/pass:', '/user:']}, 'delete': {'CommandLine|contains|all': ['/delete', 'Microsoft_Windows_Shell_ZipFolder:filename=', '.zip']}, 'condition': 'run or delete'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1202, T1218
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/11/07 | medium |

NirCmd Tool Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
More details
Rule ID
process_creation_commandline_121
Query
{'selection': {'CommandLine|contains': ' runassystem '}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d9047477-0359-48c9-b8c7-792cedcdc9c4
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1569.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/24 | high |

Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
More details
Rule ID
process_creation_commandline_122
Query
{'selection': {'CommandLine|contains|all': ['echo', 'clip', '&&'], 'CommandLine|contains': ['clipboard', 'invoke', 'i`', 'n`', 'v`', 'o`', 'k`', 'e`']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e1561947-b4e3-4a74-9bdd-83baed21bdb5
Author: Nikita Nazarov, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/09 | high |

PowerShell Base64 Encoded Shellcode
Detects Base64 encoded Shellcode
More details
Rule ID
process_creation_commandline_123
Query
{'selection': {'CommandLine|contains': ['OiCAAAAYInlM', 'OiJAAAAYInlM']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2d117e49-e626-4c7c-bd1f-c3c0147774c8
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2018/11/17 | critical |

Ryuk Ransomware
Detects Ryuk ransomware activity
More details
Rule ID
process_creation_commandline_124
Query
{'selection': {'CommandLine|contains|all': ['Microsoft\\Windows\\CurrentVersion\\Run', 'C:\\users\\Public\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c37510b8-2107-4b78-aa32-72f251e7a844
Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1547.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2019/12/16 | high |

Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
More details
Rule ID
process_creation_commandline_125
Query
{'selection': {'CommandLine|contains': '.SettingContent-ms'}, 'filter': {'CommandLine|contains': 'immersivecontrolpanel'}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,24de4f3b-804c-4165-b442-5a06a2302c7e
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1204, T1566.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2020/03/13 | medium |

Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
More details
Rule ID
process_creation_commandline_127
Query
{'selection': {'CommandLine|contains': ['WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA', 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA', 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA', 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC', 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp', 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK', 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ', 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA', 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA', 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA', 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA', 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,62b7ccc9-23b4-471e-aa15-6da3663c4d59
Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003, T1620
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/03/01 | high |

Suspicious NT Resource Kit Auditpol Usage
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
More details
Rule ID
process_creation_commandline_128
Query
{'selection': {'CommandLine|contains': ['/logon:none', '/system:none', '/sam:none', '/privilege:none', '/object:none', '/process:none', '/policy:none']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c6c56ada-612b-42d1-9a29-adad3c5c2c1e
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/12/18 | high |

Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline.
More details
Rule ID
process_creation_commandline_129
Query
{'selection': {'CommandLine|contains': ['Asd123.aaaa', 'password123', '123456789', 'P@ssw0rd!']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,91edcfb1-2529-4ac2-9ecc-7617f895c7e4
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/14 | medium |

Suspicious Encoded Obfuscated LOAD String
Detects suspicious base64 encoded and obfuscated LOAD string often used for reflection.assembly load
More details
Rule ID
process_creation_commandline_130
Query
{'selection': {'CommandLine|contains': ['OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ', 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA', '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA', 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ', 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA', '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA', 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ', 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA', '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA', 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ', 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA', '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA', 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ', 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA', '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA', 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ', 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA', '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,9c0295ce-d60d-40bd-bd74-84673b7592b1
Author: pH-T (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/03/01 | high |

RunXCmd Tool Execution As System
Detects the use of RunXCmd tool for command execution
More details
Rule ID
process_creation_commandline_131
Query
{'selection': {'CommandLine|contains|all': [' /account=system ', '/exec=']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,93199800-b52a-4dec-b762-75212c196542
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1569.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/01/24 | high |

Base64 Encoded Listing of Shadowcopy
Detects a base64 encoded listing of Win32_Shadowcopy
More details
Rule ID
process_creation_commandline_132
Query
{'selection': {'CommandLine|contains': ['VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA', 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A', 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,47688f1b-9f51-4656-b013-3cc49a166a36
Author: Christian Burkard (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/03/01 | high |

MERCURY Command Line Patterns
Detects suspicious command line patterns as seen being used by MERCURY threat actor
More details
Rule ID
process_creation_commandline_133
Query
{'selection_base': {'CommandLine|contains|all': ['-exec bypass -w 1 -enc', 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAaw']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a62298a3-1fe0-422f-9a68-ffbcbc5a123d
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/26 | high |

DTRACK Process Creation
Detects specific process parameters as seen in DTRACK infections
More details
Rule ID
process_creation_commandline_134
Query
{'selection': {'CommandLine|contains': ' echo EEEE > '}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1490
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2019/10/30 | critical |

Suspicious Netsh Discovery Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
More details
Rule ID
process_creation_commandline_135
Query
{'selection': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,0e4164da-94bc-450d-a7be-a4b176179f1f
Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
Tactics, Techniques, and Procedures
T1016, T1059.003
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/12/07 | low |

F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
More details
Rule ID
process_creation_commandline_136
Query
{'selection': {'CommandLine|contains|all': ['rundll32.exe', '.dll', 'StartNodeRelay']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b18c9d4c-fac9-4708-bd06-dd5bfacf200f
Author: Alfie Champion (ajpc500)
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/06/02 | critical |

Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
More details
Rule ID
process_creation_commandline_137
Query
{'selection_user': {'CommandLine|contains': [' -u system ', ' --user system ', ' -u NT', ' -u "NT', " -u 'NT", ' --system ', ' -u administrator ']}, 'selection_command': {'CommandLine|contains': [' -c cmd', ' -c "cmd', ' -c powershell', ' -c "powershell', ' --command cmd', ' --command powershell', ' -c whoami', ' -c wscript', ' -c cscript']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,50d66fb0-03f8-4da0-8add-84e77d12a020
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/11/11 | medium |

Stop Or Remove Antivirus Service
Detects usage of the 'Stop-Service' or 'Remove-Service' PowerShell cmdlets to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping the antivirus service
More details
Rule ID
process_creation_commandline_138
Query
{'selection_action': {'CommandLine|contains': ['Stop-Service ', 'Remove-Service ']}, 'selection_product': {'CommandLine|contains': [' McAfeeDLPAgentService', ' Trend Micro Deep Security Manager', ' TMBMServer', 'Sophos', 'Symantec']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/07/07 | high |

Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
More details
Rule ID
process_creation_commandline_139
Query
{'selection': [{'CommandLine|contains|all': ['\\AppData\\Roaming\\Oracle', '\\java', '.exe ']}, {'CommandLine|contains|all': ['cscript.exe', 'Retrive', '.vbs ']}], 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1fac1481-2dbc-48b2-9096-753c49b4ec71
Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1059.005, T1059.007
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2017/11/10 | high | N/A

Suspicious AdvancedRun Runas Priv User
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
More details
Rule ID
process_creation_commandline_140
Query
{'selection': {'CommandLine|contains': ['/EXEFilename', '/CommandLine']}, 'selection_runas': [{'CommandLine|contains': [' /RunAs 8 ', ' /RunAs 4 ', ' /RunAs 10 ', ' /RunAs 11 ']}, {'CommandLine|endswith': ['/RunAs 8', '/RunAs 4', '/RunAs 10', '/RunAs 11']}], 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,fa00b701-44c6-4679-994d-5a18afa8a707
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/01/20 | high |

ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
More details
Rule ID
process_creation_commandline_141
Query
{'selection1a': {'CommandLine|contains|all': ['rundll32', 'apphelp.dll']}, 'selection1b': {'CommandLine|contains': ['ShimFlushCache', '#250']}, 'selection2a': {'CommandLine|contains|all': ['rundll32', 'kernel32.dll']}, 'selection2b': {'CommandLine|contains': ['BaseFlushAppcompatCache', '#46']}, 'condition': '( selection1a and selection1b ) or ( selection2a and selection2b )'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b0524451-19af-4efa-a46f-562a977f792e
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1112
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2021/02/01 | high |

Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
More details
Rule ID
process_creation_commandline_142
Query
{'selection_cmdline': {'CommandLine|contains': '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,42333b2c-b425-441c-b70e-99404a17170f
Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059, T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/25 | critical |

Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
More details
Rule ID
process_creation_commandline_143
Query
{'selection1': {'CommandLine|contains|all': [' -name IEHarden ', ' -value 0 ']}, 'selection2': {'CommandLine|contains|all': [' -name DEPOff ', ' -value 1 ']}, 'selection3': {'CommandLine|contains|all': [' -name DisableFirstRunCustomize ', ' -value 2 ']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,fb50eb7a-5ab1-43ae-bcc9-091818cb8424
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/06/19 | high |

Invoke-Obfuscation RUNDLL LAUNCHER
Detects Obfuscated Powershell via RUNDLL LAUNCHER
More details
Rule ID
process_creation_commandline_144
Query
{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'shell32.dll', 'shellexec_rundll', 'powershell']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,056a7ee1-4853-4e67-86a0-3fd9ceed7555
Author: Timur Zinniatullin, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/18 | medium |

Tasks Folder Evasion
The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script host or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr
More details
Rule ID
process_creation_commandline_145
Query
{'selection1': {'CommandLine|contains': ['echo ', 'copy ', 'type ', 'file createnew']}, 'selection2': {'CommandLine|contains': [' C:\\Windows\\System32\\Tasks\\', ' C:\\Windows\\SysWow64\\Tasks\\']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cc4e02ba-9c06-48e2-b09e-2500cace9ae0
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1574.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/01/13 | high |

Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
More details
Rule ID
process_creation_commandline_146
Query
{'selection1': {'CommandLine|contains|all': ['rundll32.exe', '%APPDATA%\\']}, 'selection2': [{'CommandLine|contains': '.dat",'}, {'CommandLine|endswith': ['.dll",#1', '.dll #1', '.dll" #1']}], 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,ba778144-5e3d-40cf-8af9-e28fb1df1e20
Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1218.011
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/03/01 | high |

Suspicious Commandline Escape
Detects suspicious processes that use escape characters
More details
Rule ID
process_creation_commandline_147
Query
{'selection': {'CommandLine|contains': ['h^t^t^p', 'h"t"t"p']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd
Author: juju4
Tactics, Techniques, and Procedures
T1059.003, T1140
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/12/11 | low |

Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
More details
Rule ID
process_creation_commandline_148
Query
{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'Execute', 'RegRead', 'window.close']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1055, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/03/05 | high |

Disabled Volume Snapshots
Detects commands that temporarily turn off Volume Snapshots
More details
Rule ID
process_creation_commandline_149
Query
{'selection': {'CommandLine|contains|all': ['reg', ' add ', '\\Services\\VSS\\Diag', '/d Disabled']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/01/28 | high |

PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
More details
Rule ID
process_creation_commandline_150
Query
{'selection': {'CommandLine|contains': 'Get-Clipboard'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b9aeac14-2ffd-4ad3-b967-1354a4e628c3
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1115
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/05/02 | medium |

Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
More details
Rule ID
process_creation_commandline_151
Query
{'selection': {'CommandLine|contains|all': ['REG', 'ADD', '\\SOFTWARE\\Policies\\Microsoft\\FVE', '/v', '/f'], 'CommandLine|contains': ['EnableBDEWithNoTPM', 'UseAdvancedStartup', 'UseTPM', 'UseTPMKey', 'UseTPMKeyPIN', 'RecoveryKeyMessageSource', 'UseTPMPIN', 'RecoveryKeyMessage']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,0e0255bf-2548-47b8-9582-c0955c9283f5
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1486
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/11/15 | high |

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
More details
Rule ID
process_creation_commandline_152
Query
{'selection_cmdlet': {'CommandLine|contains': 'Get-LocalGroupMember '}, 'selection_group': {'CommandLine|contains': ['domain admins', ' administrator', ' administrateur', 'enterprise admins', 'Exchange Trusted Subsystem', 'Remote Desktop Users', 'Utilisateurs du Bureau à distance', 'Usuarios de escritorio remoto']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c8a180d6-47a3-4345-a609-53f9c3d834fc
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1087.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/10/10 | medium |

Conti Ransomware Execution
Detects a Conti ransomware command line IOC
More details
Rule ID
process_creation_commandline_153
Query
{'selection': {'CommandLine|contains|all': ['-m ', '-net ', '-size ', '-nomutex ', '-p \\\\', '$']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,689308fc-cfba-4f72-9897-796c1dc61487
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1486
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/10/12 | critical |

Snatch Ransomware
Detects specific process characteristics of Snatch ransomware word document droppers
More details
Rule ID
process_creation_commandline_154
Query
{'selection': {'CommandLine|contains': ['shutdown /r /f /t 00', 'net stop SuperBackupMan']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,5325945e-f1f0-406e-97b8-65104d393fff
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1204
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
stable | 2020/08/26 | high |

Copy from Volume Shadow Copy
Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)
More details
Rule ID
process_creation_commandline_155
Query
{'selection': {'CommandLine|contains': 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c73124a7-3e89-44a3-bdc1-25fe4df754b1
Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1490
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/08/09 | medium |

Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
More details
Rule ID
process_creation_commandline_156
Query
{'selection': {'CommandLine|contains|all': ['Execute', 'CreateObject', 'RegRead', 'window.close', '\\Microsoft\\Windows\\CurrentVersion']}, 'filter': {'CommandLine|contains': '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'}, 'condition': 'selection and not filter'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1547.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/03/05 | high |

Sensitive Registry Access via Volume Shadow Copy
Detects a command that accesses password storing registry hives via volume shadow backups
More details
Rule ID
process_creation_commandline_157
Query
{'selection_1': {'CommandLine|contains': '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'}, 'selection_2': {'CommandLine|contains': ['\\NTDS.dit', '\\SYSTEM', '\\SECURITY', 'C:\\tmp\\log']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1490
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/08/09 | high |

Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
More details
Rule ID
process_creation_commandline_158
Query
{'selection_cmd': {'CommandLine|contains': 'Invoke-ATHRemoteFXvGPUDisablementCommand '}, 'selection_opt': {'CommandLine|contains': ['-ModuleName ', '-ModulePath ', '-ScriptBlock ', '-RemoteFXvGPUDisablementFilePath']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1218
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/07/13
Risk Level: medium
False Positives: None listed

Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
More details
Rule ID
process_creation_commandline_159
Query
{'selection_stream': {'CommandLine|contains': 'txt:'}, 'selection_tools_type': {'CommandLine|contains|all': ['type ', ' > ']}, 'selection_tools_makecab': {'CommandLine|contains|all': ['makecab ', '.cab']}, 'selection_tools_reg': {'CommandLine|contains|all': ['reg ', ' export ']}, 'selection_tools_regedit': {'CommandLine|contains|all': ['regedit ', ' /E ']}, 'selection_tools_esentutl': {'CommandLine|contains|all': ['esentutl ', ' /y ', ' /d ', ' /o ']}, 'condition': 'selection_stream and (1 of selection_tools_*)'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1564.004
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/09/01
Risk Level: medium
False Positives: None listed

Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
More details
Rule ID
process_creation_commandline_160
Query
{'selection_cli_1': {'CommandLine|contains|all': ['wmic', 'product where ', 'call uninstall', '/nointeractive']}, 'selection_cli_2': {'CommandLine|contains|all': ['wmic', 'caption like '], 'CommandLine|contains': ['call delete', 'call terminate']}, 'selection_cli_3': {'CommandLine|contains|all': ['process ', 'where ', 'delete']}, 'selection_product': {'CommandLine|contains': ['%carbon%', '%cylance%', '%endpoint%', '%eset%', '%malware%', '%Sophos%', '%symantec%', 'Antivirus', 'AVG ', 'Carbon Black', 'CarbonBlack', 'Cb Defense Sensor 64-bit', 'Crowdstrike Sensor', 'Cylance ', 'Dell Threat Defense', 'DLP Endpoint', 'Endpoint Detection', 'Endpoint Protection', 'Endpoint Security', 'Endpoint Sensor', 'ESET File Security', 'LogRhythm System Monitor Service', 'Malwarebytes', 'McAfee Agent', 'Microsoft Security Client', 'Sophos Anti-Virus', 'Sophos AutoUpdate', 'Sophos Credential Store', 'Sophos Management Console', 'Sophos Management Database', 'Sophos Management Server', 'Sophos Remote Management System', 'Sophos Update Manager', 'Threat Protection', 'VirusScan', 'Webroot SecureAnywhere', 'Windows Defender']}, 'condition': '1 of selection_cli_* and selection_product'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,847d5ff3-8a31-4737-a970-aeae8fe21765
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/01/30
Risk Level: high
False Positives: None listed

Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from a WebDAV server
More details
Rule ID
process_creation_commandline_161
Query
{'selection_upload': {'CommandLine|contains|all': ['type ', ' > \\\\']}, 'selection_download': {'CommandLine|contains|all': ['type \\\\', ' > ']}, 'condition': '1 of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1105
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/12/14
Risk Level: medium
False Positives: None listed

Invoke-Obfuscation Via Stdin
Detects obfuscated PowerShell via stdin in scripts
More details
Rule ID
process_creation_commandline_162
Query
{'selection': {'CommandLine|contains|all': ['set', '&&'], 'CommandLine|contains': ['environment', 'invoke', 'input']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,9c14c9fa-1a63-4a64-8e57-d19280559490
Author: Nikita Nazarov, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/10/12
Risk Level: high
False Positives: None listed

Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity
More details
Rule ID
process_creation_commandline_163
Query
{'selection': {'CommandLine|contains|all': ['Wscript.', '.Shell', '.Run']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2c28c248-7f50-417a-9186-a85b223010ee
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/08/31
Risk Level: high
False Positives: None listed

Reg Add RUN Key
Detects a suspicious command line in which the reg.exe tool adds a value to the RUN key in the Registry
More details
Rule ID
process_creation_commandline_164
Query
{'selection': {'CommandLine|contains|all': ['reg', ' ADD ', 'Software\\Microsoft\\Windows\\CurrentVersion\\Run']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,de587dce-915e-4218-aac4-835ca6af6f70
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1547.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/06/28
Risk Level: medium
False Positives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
- Legitimate administrator sets up autorun keys for legitimate reasons.
- Discord

Disable or Delete Windows Eventlog
Detects a command used to disable or delete the Windows event log via the logman Windows utility
More details
Rule ID
process_creation_commandline_165
Query
{'selection_tools': {'CommandLine|contains': 'logman '}, 'selection_action': {'CommandLine|contains': ['stop ', 'delete ']}, 'selection_service': {'CommandLine|contains': 'EventLog-System'}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cd1f961e-0b96-436b-b7c6-38da4583ec00
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1070.001, T1562.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/02/11
Risk Level: high
False Positives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation

Java Running with Remote Debugging
Detects a Java process running with remote debugging that allows more than just localhost to connect
More details
Rule ID
process_creation_commandline_166
Query
{'selection_jdwp_transport': {'CommandLine|contains': 'transport=dt_socket,address='}, 'selection_old_jvm_version': {'CommandLine|contains': ['jre1.', 'jdk1.']}, 'exclusion': [{'CommandLine|contains': 'address=127.0.0.1'}, {'CommandLine|contains': 'address=localhost'}], 'condition': 'all of selection* and not exclusion'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1203
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2019/01/16
Risk Level: medium
False Positives: None listed

Monitoring For Persistence Via BITS
BITS allows you to schedule a command to execute after a successful download, to notify you that the job has finished. When the job runs on the system, the command specified in the BITS job is executed. Actors can abuse this to create a backdoor within the system and for persistence: the command is chained in a BITS job that schedules the download of malware or additional binaries and executes the program after it has been downloaded
More details
Rule ID
process_creation_commandline_167
Query
{'selection_1': {'CommandLine|contains|all': ['bitsadmin', '/SetNotifyCmdLine'], 'CommandLine|contains': ['%COMSPEC%', 'cmd.exe', 'regsvr32.exe']}, 'selection_2': {'CommandLine|contains|all': ['bitsadmin', '/Addfile'], 'CommandLine|contains': ['http:', 'https:', 'ftp:', 'ftps:']}, 'condition': '1 of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b9cbbc17-d00d-4e3d-a827-b06d03d2380d
Author: Sreeman
Tactics, Techniques, and Procedures
T1059.003, T1197
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/10/29
Risk Level: medium
False Positives: None listed

Obfuscated Command Line Using Special Unicode Characters
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
More details
Rule ID
process_creation_commandline_168
Query
{'selection': {'CommandLine|contains': ['â', '€', '£', '¯', '®', 'µ', '¶']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e0552b19-5a83-4222-b141-b36184bb8d79
Author: frack113, Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1027, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2022/01/15
Risk Level: high
False Positives: None listed

Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using third-party utilities
More details
Rule ID
process_creation_commandline_169
Query
{'selection_7z': {'CommandLine|contains': ['7z.exe', '7za.exe']}, 'selection_password': {'CommandLine|contains': ' -p'}, 'selection_action': {'CommandLine|contains': [' a ', ' u ']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,9fbf5927-5261-4284-a71d-f681029ea574
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1560.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/07/27
Risk Level: medium
False Positives: None listed

Suspicious DIR Execution
Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
More details
Rule ID
process_creation_commandline_170
Query
{'selection': {'CommandLine|contains|all': ['dir ', ' /s', ' /b']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,7c9340a9-e2ee-4e43-94c5-c54ebbea1006
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1217
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2021/12/13
Risk Level: low
False Positives: None listed

Suspicious Diantz Download and Compress Into a CAB File
Detects diantz.exe being used to download and compress a remote file and store it in a CAB file on the local machine.
More details
Rule ID
process_creation_commandline_172
Query
{'selection': {'CommandLine|contains|all': ['diantz.exe', ' \\\\', '.cab']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,185d7418-f250-42d0-b72e-0c8b70661e93
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1105
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2021/11/26
Risk Level: medium
False Positives: None listed

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects obfuscated PowerShell via the VAR++ launcher
More details
Rule ID
process_creation_commandline_173
Query
{'selection': {'CommandLine|contains|all': ['&&set', 'cmd', '/c', '-f'], 'CommandLine|contains': ['{0}', '{1}', '{2}', '{3}', '{4}', '{5}']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e9f55347-2928-4c06-88e5-1a7f8169942e
Author: Timur Zinniatullin, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/10/13
Risk Level: high
False Positives: None listed

Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
More details
Rule ID
process_creation_commandline_174
Query
{'selection': {'CommandLine': 'ps.exe -accepteula'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,18da1007-3f26-470f-875d-f77faf1cab31
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1036.003, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2017/10/22
Risk Level: high
False Positives: None listed

TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
More details
Rule ID
process_creation_commandline_175
Query
{'selection': {'CommandLine|contains': 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,8c7090c3-e0a0-4944-bd08-08c3a0cecf79
Author: @41thexplorer, Microsoft Defender ATP
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: stable
Creation Date: 2019/11/12
Risk Level: high
False Positives: N/A

Shadow Copies Access via Symlink
Detects creation of a symbolic link to Shadow Copies storage using operating system utilities
More details
Rule ID
process_creation_commandline_176
Query
{'selection': {'CommandLine|contains|all': ['mklink', 'HarddiskVolumeShadowCopy']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,40b19fa6-d835-400c-b301-41f3a2baacaf
Author: Teymur Kheirkhabarov, oscd.community
Tactics, Techniques, and Procedures
T1003.002, T1003.003, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2019/10/22
Risk Level: medium
False Positives: None listed

Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
More details
Rule ID
process_creation_commandline_177
Query
{'selection1': {'CommandLine|contains': ' /lockscreenurl:'}, 'selection1_filter': {'CommandLine|contains': ['.jpg', '.jpeg', '.png']}, 'selection_reg': {'CommandLine|contains|all': ['reg delete', '\\PersonalizationCSP']}, 'condition': '( selection1 and not selection1_filter ) or selection_reg'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,bb58aa4a-b80b-415a-a2c0-2f65a4c81009
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1105
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/07/03
Risk Level: high
False Positives: None listed

Rundll32 JS RunHTMLApplication Pattern
Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
More details
Rule ID
process_creation_commandline_178
Query
{'selection1': {'CommandLine|contains|all': ['rundll32', 'javascript', '..\\..\\mshtml,RunHTMLApplication']}, 'selection2': {'CommandLine|contains': ';document.write();GetObject("script'}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,9f06447a-a33a-4cbe-a94f-a3f43184a7a3
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2022/01/14
Risk Level: high
False Positives: None listed

ADCSPwn Hack Tool
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
More details
Rule ID
process_creation_commandline_179
Query
{'selection': {'CommandLine|contains|all': [' --adcs ', ' --port ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cd8c163e-a19b-402e-bdd5-419ff5859f12
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1557.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/07/31
Risk Level: high
False Positives: None listed

Potential PowerShell Execution Policy Tampering - ProcCreation
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
More details
Rule ID
process_creation_commandline_180
Query
{'selection_path': {'CommandLine|contains': ['\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy', '\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy']}, 'selection_values': {'CommandLine|contains': ['Bypass', 'RemoteSigned', 'Unrestricted']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,cf2e938e-9a3e-4fe8-a347-411642b28a9f
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2023/01/11
Risk Level: high
False Positives: None listed

CrackMapExec PowerShell Obfuscation
The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings that are detected by this rule.
More details
Rule ID
process_creation_commandline_181
Query
{'powershell_execution': {'CommandLine|contains': ['powershell.exe', 'pwsh.exe']}, 'snippets': {'CommandLine|contains': ['join*split', "( $ShellId[1]+$ShellId[13]+'x')", '( $PSHome[*]+$PSHOME[*]+', "( $env:Public[13]+$env:Public[5]+'x')", "( $env:ComSpec[4,*,25]-Join'')", "[1,3]+'x'-Join'')"]}, 'condition': 'powershell_execution and snippets'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6f8b3439-a203-45dc-a88b-abf57ea15ccf
Author: Thomas Patzke
Tactics, Techniques, and Procedures
T1027.005, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/05/22
Risk Level: high
False Positives: None listed

Copy DMP Files From Share
Detects usage of the copy command to copy files with the .dmp extension from a remote share
More details
Rule ID
process_creation_commandline_182
Query
{'selection': {'CommandLine|contains|all': ['.dmp', 'copy ', ' \\\\'], 'CommandLine|contains': [' /c ', ' /r ', ' /k ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,044ba588-dff4-4918-9808-3f95e8160606
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/09/27
Risk Level: high
False Positives: None listed

Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
More details
Rule ID
process_creation_commandline_183
Query
{'selection_get': {'CommandLine|contains': ['Get-WmiObject', 'gwmi', 'Get-CimInstance', 'gcim']}, 'selection_shadowcopy': {'CommandLine|contains': 'Win32_Shadowcopy'}, 'selection_delete': {'CommandLine|contains': ['.Delete()', 'Remove-WmiObject', 'rwmi', 'Remove-CimInstance', 'rcim']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,21ff4ca9-f13a-41ad-b828-0077b2af2e40
Author: Tim Rauch
Tactics, Techniques, and Procedures
T1059.003, T1490
References
N/A
Severity
80
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/09/20
Risk Level: high
False Positives: None listed

ScreenConnect Remote Access
Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
More details
Rule ID
process_creation_commandline_184
Query
{'selection': {'CommandLine|contains|all': ['e=Access&', 'y=Guest&', '&p=', '&c=', '&k=']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,75bfe6e6-cd8e-429e-91d3-03921e1d7962
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1133
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2021/02/11
Risk Level: high
False Positives: None listed

Curl Start Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
More details
Rule ID
process_creation_commandline_185
Query
{'selection': {'CommandLine|contains|all': [' /c ', 'curl ', 'http', '-o', '&']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,21dd6d38-2b18-4453-9404-a0fe4a0cc288
Author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1105, T1218
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/01/13
Risk Level: high
False Positives: None listed

Suspicious Usage of the Manage-bde.wsf Script
Detects usage of the manage-bde.wsf script that may indicate an attempt at proxy execution from a script
More details
Rule ID
process_creation_commandline_186
Query
{'selection': {'CommandLine|contains|all': ['cscript', 'manage-bde.wsf']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c363385c-f75d-4753-a108-c1a8e28bdbda
Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1216
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2020/10/13
Risk Level: medium
False Positives: None listed

Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
More details
Rule ID
process_creation_commandline_187
Query
{'selection_1': {'CommandLine|contains': '[Type]::GetTypeFromCLSID('}, 'selection_2': {'CommandLine|contains': ['0002DF01-0000-0000-C000-000000000046', 'F6D90F16-9C73-11D3-B32E-00C04F990BB4', 'F5078F35-C551-11D3-89B9-0000F81FE221', '88d96a0a-f192-11d4-a65f-0040963251e5', 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1', 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3', '88d96a0b-f192-11d4-a65f-0040963251e5', '2087c2f4-2cef-4953-a8ab-66779b670495', '000209FF-0000-0000-C000-000000000046', '00024500-0000-0000-C000-000000000046']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
Author: frack113
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/12/25
Risk Level: medium
False Positives: None listed

Base64 MZ Header In CommandLine
Detects a base64-encoded MZ header in the command line
More details
Rule ID
process_creation_commandline_188
Query
{'selection': {'CommandLine|contains': ['TVqQAAMAAAAEAAAA', 'TVpQAAIAAAAEAA8A', 'TVqAAAEAAAAEABAA', 'TVoAAAAAAAAAAAAA', 'TVpTAQEAAAAEAAAA']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,22e58743-4ac8-4a9f-bf19-00a0428d8c5f
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/07/12
Risk Level: high
False Positives: None listed

Capture a Network Trace with netsh.exe
Detects the capture of a network trace via the netsh.exe trace functionality
More details
Rule ID
process_creation_commandline_189
Query
{'selection': {'CommandLine|contains|all': ['netsh', 'trace', 'start']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,d3c3861d-c504-4c77-ba55-224ba82d0118
Author: Kutepov Anton, oscd.community
Tactics, Techniques, and Procedures
T1040, T1059.003
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2019/10/24
Risk Level: medium
False Positives: None listed

Baby Shark Activity
Detects activity that could be related to Baby Shark malware
More details
Rule ID
process_creation_commandline_190
Query
{'selection': {'CommandLine|contains': ['reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default"', 'powershell.exe mshta.exe http', 'cmd.exe /c taskkill /im cmd.exe']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,2b30fa36-3a18-402f-a22d-bf4ce2189f35
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1012, T1059.001, T1059.003, T1218.005
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2019/02/24
Risk Level: high
False Positives: None listed

Suspicious Ping/Del Command Combination
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection
More details
Rule ID
process_creation_commandline_191
Query
{'selection_count': {'CommandLine|contains': [' -n ', ' /n ']}, 'selection_nul': {'CommandLine|contains': 'Nul'}, 'selection_del_param': {'CommandLine|contains': [' /f ', ' -f ', ' /q ', ' -q ']}, 'selection_all': {'CommandLine|contains|all': ['ping', 'del ']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,54786ddc-5b8a-11ed-9b6a-0242ac120002
Author: Ilya Krestinichev
Tactics, Techniques, and Procedures
T1059.003, T1070.004
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/11/03
Risk Level: high
False Positives: None listed

Change Default File Association
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
More details
Rule ID
process_creation_commandline_192
Query
{'selection': {'CommandLine|contains|all': ['cmd', 'assoc'], 'CommandLine|contains': [' /c ', ' /k ', ' /r ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,3d3aa6cd-6272-44d6-8afc-7e88dfef7061
Author: Timur Zinniatullin, oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1546.001
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: test
Creation Date: 2019/10/21
Risk Level: low
False Positives: None listed

PowerShell Web Download and Execution
Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression
More details
Rule ID
process_creation_commandline_193
Query
{'selection_download': {'CommandLine|contains': ['.DownloadString(', '.DownloadFile(', 'Invoke-WebRequest ', 'iwr ']}, 'selection_iex': {'CommandLine|contains': ['IEX(', 'IEX (', 'I`EX', 'IE`X', 'I`E`X', '| IEX', '|IEX ', 'Invoke-Expression', ';iex $']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,85b0b087-eddf-4a2b-b033-d771fa2b9775
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity: experimental
Creation Date: 2022/03/24
Risk Level: high
False Positives: None listed

Empire PowerShell Launch Parameters
Detects suspicious PowerShell command line parameters used in Empire
More details
Rule ID
process_creation_commandline_194
Query
{'selection': {'CommandLine|contains': [' -NoP -sta -NonI -W Hidden -Enc ', ' -noP -sta -w 1 -enc ', ' -NoP -NonI -W Hidden -enc ', ' -noP -sta -w 1 -enc', ' -enc SQB', ' -nop -exec bypass -EncodedCommand ']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,79f4ede3-402e-41c8-bc3e-ebbf5f162581
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2019/04/20 | high |
Invoke-Obfuscation STDIN+ Launcher
Detects obfuscated use of stdin to execute PowerShell
More details
Rule ID
process_creation_commandline_195
Query
{'selection_main': {'CommandLine|contains|all': ['cmd', 'powershell'], 'CommandLine|contains': ['/c', '/r']}, 'selection_other': [{'CommandLine|contains': 'noexit'}, {'CommandLine|contains|all': ['input', '$']}], 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,6c96fc76-0eb1-11eb-adc1-0242ac120002
Author: Jonathan Cheong, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/15 | high |
Conti NTDS Exfiltration Command
Detects a command used by Conti to exfiltrate NTDS
More details
Rule ID
process_creation_commandline_196
Query
{'selection': {'CommandLine|contains|all': ['7za.exe', '\\C$\\temp\\log.zip']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,aa92fd02-09f2-48b0-8a93-864813fb8f41
Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1560
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/08/09 | high |
Covenant Launcher Indicators
Detects suspicious command lines used in Covenant launchers
More details
Rule ID
process_creation_commandline_198
Query
{'selection': {'CommandLine|contains|all': ['-Sta', '-Nop', '-Window', 'Hidden'], 'CommandLine|contains': ['-Command', '-EncodedCommand']}, 'selection2': {'CommandLine|contains': ['sv o (New-Object IO.MemorySteam);sv d ', 'mshta file.hta', 'GruntHTTP', '-EncodedCommand cwB2ACAAbwAgA']}, 'condition': 'selection or selection2'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,c260b6db-48ba-4b4a-a76f-2f67644e99d2
Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures
T1059.001, T1059.003, T1564.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/06/04 | high | N/A
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
More details
Rule ID
process_creation_commandline_199
Query
{'selection1': {'CommandLine|contains|all': ['Invoke-WMIMethod win32_process -name create -argumentlist', 'rundll32 c:\\windows']}, 'selection2': {'CommandLine|contains|all': ['wmic /node:', 'process call create "rundll32 c:\\windows']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b7155193-8a81-4d8f-805d-88de864ca50c
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1047, T1059.001, T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/01/20 | critical |
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
More details
Rule ID
process_creation_commandline_200
Query
{'selection_script': {'CommandLine|contains': 'Launch-VsDevShell.ps1'}, 'selection_flags': {'CommandLine|contains': ['VsWherePath ', 'VsInstallationPath ']}, 'condition': 'all of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,45d3a03d-f441-458c-8883-df101a3bb146
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1216.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/08/19 | medium |
Detect Virtualbox Driver Installation OR Starting Of VMs
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
More details
Rule ID
process_creation_commandline_201
Query
{'selection_1': {'CommandLine|contains': ['VBoxRT.dll,RTR3Init', 'VBoxC.dll', 'VBoxDrv.sys']}, 'selection_2': {'CommandLine|contains': ['startvm', 'controlvm']}, 'condition': '1 of selection_*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,bab049ca-7471-4828-9024-38279a4c04da
Author: Janantha Marasinghe
Tactics, Techniques, and Procedures
T1059.003, T1564, T1564.006
References
N/A
Severity
24
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2020/09/26 | low |
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
More details
Rule ID
process_creation_commandline_202
Query
{'selection': {'CommandLine|contains': ' /dest:rdp-tcp:'}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1021.001, T1059.003, T1563.002
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/03/17 | high |
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
More details
Rule ID
process_creation_commandline_203
Query
{'selection_password': {'CommandLine|contains': ' -hp'}, 'selection_other': {'CommandLine|contains': [' -m', ' a ']}, 'condition': 'selection_password and selection_other'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,faa48cae-6b25-4f00-a094-08947fef582f
Author: @ROxPinTeddy
Tactics, Techniques, and Procedures
T1059.003, T1560.001
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/05/12 | high |
Invoke-Obfuscation VAR+ Launcher
Detects obfuscated use of environment variables to execute PowerShell
More details
Rule ID
process_creation_commandline_204
Query
{'selection': {'CommandLine|contains|all': ['cmd', '"set', '-f'], 'CommandLine|contains': ['/c', '/r']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,27aec9c9-dbb0-4939-8422-1742242471d0
Author: Jonathan Cheong, oscd.community
Tactics, Techniques, and Procedures
T1027, T1059.001, T1059.003
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2020/10/15 | high |
Suspicious SYSVOL Domain Group Policy Access
Detects access to domain Group Policies stored in SYSVOL
More details
Rule ID
process_creation_commandline_205
Query
{'selection': {'CommandLine|contains|all': ['\\SYSVOL\\', '\\policies\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,05f3c945-dcc8-4393-9f3d-af65077a8f86
Author: Markus Neis, Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures
T1059.003, T1552.006
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2018/04/09 | medium |
AnyDesk Piped Password Via CLI
Detects piping the password to an AnyDesk instance via CMD and the '--set-password' flag.
More details
Rule ID
process_creation_commandline_206
Query
{'selection': {'CommandLine|contains|all': ['/c ', 'echo ', '.exe --set-password']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,b1377339-fda6-477a-b455-ac0923f9ec2c
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1219
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2022/09/28 | medium |
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
More details
Rule ID
process_creation_commandline_207
Query
{'selection': {'CommandLine|contains|all': ['New-MailboxExportRequest', ' -Mailbox ', ' -FilePath \\\\']}, 'condition': 'selection'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,889719ef-dd62-43df-86c3-768fb08dc7c0
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003
References
N/A
Severity
95
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
experimental | 2021/08/07 | critical |
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt collected data prior to exfiltration using third-party utilities
More details
Rule ID
process_creation_commandline_208
Query
{'selection_winzip': {'CommandLine|contains': ['winzip.exe', 'winzip64.exe']}, 'selection_password': {'CommandLine|contains': '-s"'}, 'selection_other': {'CommandLine|contains': [' -min ', ' -a ']}, 'condition': 'all of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
Author: frack113
Tactics, Techniques, and Procedures
T1059.003, T1560.001
References
N/A
Severity
49
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2021/07/27 | medium |
Network Reconnaissance Activity
Detects a set of suspicious network-related commands often used in recon stages
More details
Rule ID
process_creation_commandline_209
Query
{'selection_nslookup': {'CommandLine|contains|all': ['nslookup', '_ldap._tcp.dc._msdcs.']}, 'condition': '1 of selection*'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
SigmaHQ,e6313acd-208c-44fc-a0ff-db85d572e90e
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures
T1059.003, T1082, T1087
References
N/A
Severity
74
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/02/07 | high |
File overwritten by cipher tool
The Windows tool cipher can be used to remove data from available unused disk space on the entire volume. Ransomware could use this technique to prevent the victim from using file recovery tools to recover their files.
More details
Rule ID
process_creation_commandline_301
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\cipher.exe'}, 'selection5': {'CommandLine|re': '\\/w\\:[A-Z]{1}'}, 'condition': 'selection2 and selection3 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1070.004
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
PowerShell reverse shell one-liner
A PowerShell process with arguments that may indicate a reverse shell execution has been detected.
More details
Rule ID
process_creation_commandline_302
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'powershell.exe'}, 'selection5': {'CommandLine|contains': 'Sockets.TCPClient'}, 'selection6': {'CommandLine|contains': 'GetStream()'}, 'selection7': {'CommandLine|contains': 'IEX'}, 'selection8': {'CommandLine|contains': 'DownloadString'}, 'selection9': {'CommandLine|contains': 'mini-reverse.ps1'}, 'condition': 'selection2 and selection3 and ((selection5 and selection6) or (selection7 and selection8 and selection9))'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1059.001
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Shellcode execution via InstallUtil.exe
Suspicious file/code has been executed via InstallUtil.exe. This is a common technique used by malware to install additional malicious components and/or execute Shellcode.
More details
Rule ID
process_creation_commandline_303
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'InstallUtil.exe'}, 'selection4': {'CommandLine|contains': '/LogToConsole=false'}, 'selection5': {'CommandLine|contains': '/logfile= '}, 'condition': 'selection2 and selection3 and selection4 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218.004
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
ALPC Task Scheduler Exploit LPE
Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow an attacker to perform a local privilege escalation.
More details
Rule ID
process_creation_commandline_304
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\schtasks.exe'}, 'selection5': {'CommandLine|contains': '/change /TN'}, 'selection6': {'CommandLine|contains': '/RU'}, 'selection7': {'CommandLine|contains': '/RP'}, 'condition': 'selection2 and selection3 and selection5 and selection6 and selection7'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1053.005
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Behavior DNS cache cleared
The DNS cache has been cleared in the system.
More details
Rule ID
process_creation_commandline_305
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\ipconfig.exe'}, 'selection4': {'CommandLine|contains': '/flushdns'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1070
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
WMIC sending output to clipboard
WMIC command is using /output:clipboard as a way to hide the normal output of process creation that is printed when creating a process with WMIC.
More details
Rule ID
process_creation_commandline_307
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wmic.exe'}, 'selection5': {'CommandLine|contains': '/output:clipboard'}, 'selection6': {'CommandLine|contains': 'process call create'}, 'condition': 'selection2 and selection3 and selection5 and selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1036
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
CnC Channel through Nslookup
A Windows process was detected using Nslookup with abnormal flag(s) usually used by malware to communicate with a command and control server.
More details
Rule ID
process_creation_commandline_308
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\nslookup.exe'}, 'selection4': {'CommandLine|contains': ' aaaa'}, 'selection5': {'CommandLine|contains': '=aaaa'}, 'selection6': {'CommandLine|re': '[a-z0-9]{15,45}\\. [a-z0-9]{1,15}\\.[a-z0-9]{1,4}'}, 'condition': 'selection2 and selection3 and (selection4 or selection5) and selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
WMIC Retrieving Security Configuration
The wmic.exe command was executed to get information from the security configurations. This could be an indication of malicious activity.
More details
Rule ID
process_creation_commandline_309
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wmic.exe'}, 'selection4': {'CommandLine|contains': 'SecurityCenter2'}, 'selection5': {'CommandLine|contains': ['AntiVirusProduct', 'FirewallProduct']}, 'selection6': {'SourceUserName': ''}, 'condition': 'selection2 and selection3 and selection4 and selection5 and not selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1005
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Taskkill killing Antivirus process
An attempt to kill an Antivirus process has been detected. This can be the result of a manual command used by an attacker or an automated process as part of malware being deployed in the system.
More details
Rule ID
process_creation_commandline_310
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'Taskkill'}, 'selection4': {'CommandLine|re': '(?:fsav32|MsMpEng|FPAVServer|TMBMSRV|Mcshield|avgnsx|AvastSvc|dwengine|secenter|avguard|ccSvcHst|avp|360sd|360tray|AvastUi)\\.exe'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1562
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
WSH Injection via PubPrn
An attempt to inject malicious code into a Microsoft signed WSH script has been detected. This can be an attempt to bypass whitelisting restrictions.
More details
Rule ID
process_creation_commandline_312
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'wscript.exe'}, 'selection4': {'CommandLine|contains': 'pubprn.vbs'}, 'selection5': {'CommandLine|contains': 'script:'}, 'condition': 'selection2 and selection3 and selection4 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1055
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
AppLocker Bypass
A successful attempt to bypass AppLocker has been detected. This can indicate an attacker is trying to bypass whitelisting technologies and escalate privileges and/or move laterally in your network.
More details
Rule ID
process_creation_commandline_314
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\regsvr32.exe'}, 'selection4': {'CommandLine|contains': '/s'}, 'selection5': {'CommandLine|contains': '/i:http'}, 'selection6': {'CommandLine|contains': 'scrobj.dll'}, 'condition': 'selection2 and selection3 and selection4 and selection5 and selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218.010
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
File Deletion Backup files deleted recursively
An attempt to delete files and folders that might contain backup data has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage.
More details
Rule ID
process_creation_commandline_315
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\cmd.exe'}, 'selection4': {'CommandLine|contains': ' del '}, 'selection5': {'CommandLine|re': '(?:backup|bkup|\\.bak|\\.bac|\\.dsk|\\.win|\\.bkf|\\.wbcat)'}, 'condition': 'selection2 and selection3 and selection4 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1070.004
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Attempt to stop or delete Windows Defender service
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software has been stopped.
More details
Rule ID
process_creation_commandline_316
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\net.exe'}, 'selection5': {'Image|contains': '\\sc.exe'}, 'selection7': {'CommandLine|contains': 'stop'}, 'selection8': {'CommandLine|contains': 'delete'}, 'selection9': {'CommandLine|contains': 'WinDefend'}, 'condition': 'selection2 and (selection3 or selection5) and (selection7 or selection8) and selection9'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1562.001
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Windows Process Argument contains Base64 Encoded PE Header
A process has been launched with a Base64 encoded argument. Once decoded, the argument corresponds to the PE Header. This can indicate an attacker is trying to bypass any present execution policy.
More details
Rule ID
process_creation_commandline_317
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|contains': 'TVqQAAMAAAAEAAA'}, 'condition': 'selection2 and selection3'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1140
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Cobalt Gang Windows script execution
A known Cobalt Gang script has been executed in the system. This could mean that your computer has been compromised and malicious code is running in your endpoint.
More details
Rule ID
process_creation_commandline_319
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wscript.exe'}, 'selection5': {'CommandLine|contains': 'error_log.vbe'}, 'condition': 'selection2 and (selection3) and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Windows execution using odbcconf tool
The odbcconf tool allows users to configure Open Database Connectivity (ODBC) drivers. The utility can be misused to execute malicious code and evade detection techniques.
More details
Rule ID
process_creation_commandline_320
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\odbcconf.exe'}, 'selection5': {'CommandLine|contains': 'REGSVR'}, 'condition': 'selection2 and selection3 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Windows INF file launch
The Advanced INF Package Installer (advpack.dll) can use the LaunchINFSection function to invoke a section from .inf files. This could be used by attackers to remotely launch staged SCT files with malicious code.
More details
Rule ID
process_creation_commandline_321
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\rundll32.exe'}, 'selection5': {'CommandLine|re': 'advpack\\.dll, (?:LaunchINFSection|#46)\\s+'}, 'condition': 'selection2 and selection3 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Windows MavInject DLL Injection
MavInject is a Windows utility that can be used to execute code. Mavinject can be used to inject a DLL into a running process.
More details
Rule ID
process_creation_commandline_322
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\Mavinject(?:32|64)?.exe'}, 'selection5': {'CommandLine|contains': '/INJECTRUNNING'}, 'condition': 'selection2 and selection3 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1218
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Suspicious ACL Change
A suspicious change was detected to an access control list (ACL). In this case, 'Full Access' was granted to 'Everyone' on a file or folder.
More details
Rule ID
process_creation_commandline_324
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\icacls.exe'}, 'selection4': {'CommandLine|re': '\\/grant(?::r)?\\s+Everyone:F'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1098
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Credential Access Tool Detected - LaZagne
LaZagne is a multiplatform tool capable of retrieving user credentials from several system services and applications, such as web browsers.
More details
Rule ID
process_creation_commandline_325
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\lazagne'}, 'selection4': {'CommandLine|contains': '-quiet'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1003.002
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Indirect command execution using pcalua.exe
A user tried to use the Windows pcalua.exe utility to execute commands in an alternative way (without using cmd.exe or powershell.exe). Attackers may use this technique to avoid invoking cmd but still execute commands.
More details
Rule ID
process_creation_commandline_327
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\pcalua.exe'}, 'selection5': {'CommandLine|contains': ' - a '}, 'selection6': {'CommandLine|re': '\\.(?:hta|vbs|vbe|js|jse|wsf|wsh)'}, 'condition': 'selection2 and selection3 and selection5 and selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1202
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
Windows UAC Bypass
A User Account Control Bypass activity was detected. This can be due to either regular operation or because an attacker is trying to escalate privileges.
More details
Rule ID
process_creation_commandline_328
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|contains': 'TpmInitUACBypass.exe'}, 'condition': 'selection2 and selection3'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1548.002
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
SAM, SECURITY or SYSTEM Registry Hive Export
These hives can be used with a password cracker or creddump to dump the LANMAN/NTLM hashes, view cached credentials, and decrypt LSA secrets. This could be an indication of a ransomware infection or an attacker trying to cause damage.
More details
Rule ID
process_creation_commandline_329
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\reg.exe'}, 'selection4': {'CommandLine|re': 'save.+ (?:hklm|hkey_local_machine)\\\\(?:system|security|sam)'}, 'selection5': {'SourceUserName': ''}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1003.002
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Suspicious PowerShell Argument
PowerShell was executed with a suspicious command-line argument. The script is likely attempting to download files from a remote server, which could be an indication of malicious activity.
More details
Rule ID
process_creation_commandline_330
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\powershell.exe'}, 'selection4': {'CommandLine|contains': 'Net.WebClient'}, 'selection5': {'CommandLine|contains': 'Download'}, 'selection6': {'SourceUserName': ''}, 'condition': 'selection2 and selection3 and selection4 and selection5 and not selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1059.001
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Windows UAC bypass - UACME tool
User Account Control Bypass activity was detected. This can be due to either a regular operation or because an attacker is trying to escalate privileges.
More details
Rule ID
process_creation_commandline_331
Query
{'selection2': {'EventID': [1, 4688]}, 'selection9': {'CommandLine|re': '\\.exe\\".*cleanmgr\\.exe \\/autoclean'}, 'condition': 'selection2 and selection9'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1548.002
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Ransomware Decryption Instructions File Detected
After ransomware infects a host, it drops a file containing instructions for recovering the encrypted files. A file with these characteristics was opened on the system, which is an indicator of a ransomware infection.
More details
Rule ID
process_creation_commandline_332
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|re': '_Locky_recover_instructions.txt|Coin.Locker.txt DECRYPT_ReadMe.TXT|Contact_Here_To_Recover_Your_Files.txt|DECRYPT_INSTRUCTION.TXT|DECRYPT_INSTRUCTIONS.TXT|DecryptAllFiles.txt|encryptor_raas_readme_liesmich.txt|FILESAREGONE.TXT|help_decrypt_your_files.html|HELP_RECOVER_FILES.txt|HELP_TO_DECRYPT_YOUR_FILES.txt|HELPDECRYPT.TXT|HELPDECYPRT_YOUR_FILES.HTML|How_To_Recover_Files.txt|Howto_Restore_FILES.TXT|HOW TO DECRYPT YOUR DATA.txt|IHAVEYOURSECRET.KEY|INSTRUCCIONES_DESCIFRADO.TXT|ReadDecryptFilesHere.txt|Readme to restore your files.txt|!SBLOCK_INFO!.rtf|КАК ВОССТАНОВИТЬ ЗАШИФРОВАННЫЕ ФАЙЛЫ.TXT|README_LOCKED.txt'}, 'condition': 'selection2 and selection3'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1486
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Windows Autorun Registry Entry Added via reg.exe
An executable was added to the Windows Autorun registry. While this may have occurred due to normal software installation, this is a common technique used by malware to ensure it is started after reboots.
More details
Rule ID
process_creation_commandline_333
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'reg.exe'}, 'selection4': {'CommandLine|contains': 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'}, 'selection5': {'CommandLine|contains': ' add '}, 'condition': 'selection2 and selection3 and selection4 and selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1547.001
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

File Deletion Backup Catalog Deletion
If the backup catalog is deleted for a computer, you will not be able to access the backups created of that computer using the Windows Server Backup snap-in. This could be an indication of a ransomware infection or an attacker trying to cause damage.
More details
Rule ID
process_creation_commandline_334
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wbadmin.exe'}, 'selection4': {'CommandLine|contains': 'delete catalog'}, 'selection5': {'SourceUserName': ''}, 'condition': 'selection2 and selection3 and selection4 and not selection5'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1070.004
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Wireless Network Password Retrieval
The password of a wireless network was accessed. This could be an indication of malicious activity.
More details
Rule ID
process_creation_commandline_335
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\etsh.exe'}, 'selection5': {'CommandLine|contains': 'wlan'}, 'selection6': {'CommandLine|contains': 'key=clear'}, 'condition': 'selection2 and selection3 and selection5 and selection6'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1555
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Metasploit MSSQL Command Execution
An attacker gained access to the MSSQL Server database and is executing the Metasploit mssql_exec module.
More details
Rule ID
process_creation_commandline_337
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'sqlservr.exe'}, 'selection4': {'CommandLine|contains': 'echo OWNED'}, 'condition': 'selection2 and selection3 and selection4'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1190
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

Internet Explorer executing suspicious wmic command
An attacker can execute code after a successful exploit. Internet Explorer is commonly targeted software in exploit kit campaigns.
More details
Rule ID
process_creation_commandline_338
Query
{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\iexplore.exe'}, 'selection4': {'Image|contains': '\\WMIC.exe'}, 'selection6': {'CommandLine|contains': 'process call create'}, 'selection7': {'CommandLine|contains': '\\Temp\\'}, 'condition': 'selection2 and selection3 and (selection4 and selection6 and selection7)'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1203
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A

File Deletion Windows Shadow Copies Deletion via PowerShell
An attempt to delete all shadow copies using the Windows Volume Shadow Copy Service (VSS) via PowerShell has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage.
More details
Rule ID
process_creation_commandline_339
Query
{'selection2': {'EventID': [1, 4688]}, 'selection7': {'Image|contains': '\\powershell.exe'}, 'selection8': {'CommandLine|contains': 'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='}, 'condition': 'selection2 and (selection7 and selection8)'}
Log Source
Stellar Cyber
Windows Server Sensor configured for:
Rule Source
Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures
T1070.004
References
N/A
Severity
50
Suppression Logic Based On
- hostip
- event_data.CommandLine
- stellar.rule_id
Additional Information
Maturity | Creation Date | Risk Level | False Positives
test | 2022/05/01 | medium | N/A
