Sigma Templates
Selection of Sigma rules for use as guides or templates
Detection of Sysinternals Usage
description: Detects the usage of Sysinternals Tools
tags:
  - attack.t1588.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: ' -accepteula'
  condition: selection
falsepositives:
  - Legitimate use of SysInternals tools
LSASS Dump Detection
description: LSASS memory dump creation using operating system utilities.
tags:
  - attack.credential_access
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains: 'lsass'
    TargetFilename|endswith: 'dmp'
  condition: selection
fields:
  - ComputerName
  - TargetFilename
falsepositives:
  - Admin activity
level: high
Suspicious Add Scheduled Task From User AppData Temp
description: Detects schtasks.exe creating a suspicious task whose action points into the user's AppData\Local\Temp directory
tags:
  - attack.execution
  - attack.t1053.005
logsource:
  product: windows
  category: process_creation
detection:
  schtasks:
    Image|endswith: '\schtasks.exe'
  suspcommand:
    CommandLine|contains|all:
      - '/Create '
      - '\AppData\Local\Temp'
  condition: schtasks and suspcommand
falsepositives:
  - Unknown
level: high
Disable UAC Using Registry
description: Detects User Account Control (UAC) being disabled via the registry by changing the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
tags:
  - attack.privilege_escalation
  - attack.defense_evasion
  - attack.t1548.002
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    Details: DWORD (0x00000000)
  condition: selection
falsepositives:
  - Unknown
level: medium
Windows Defender Service Disabled
description: Detects the Windows Defender service (WinDefend) being disabled via the registry by setting its Start value to 4 (disabled)
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    EventType: SetValue
    TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start'
    Details: 'DWORD (0x00000004)'
  condition: selection
falsepositives:
  - Administrator actions
level: high
PowerShell Get-Clipboard Cmdlet Via CLI
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
tags:
  - attack.collection
  - attack.t1115
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains: 'Get-Clipboard'
  condition: selection
falsepositives:
  - Unknown
level: medium
User Account Hidden By Registry
description: Detects registry modifications that hide a specific user account by preventing it from appearing on the logon screen.
tags:
  - attack.defense_evasion
  - attack.t1564.002
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    EventType: SetValue
    TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\'
    TargetObject|endswith: '$'
    Details: DWORD (0x00000000)
  condition: selection
falsepositives:
  - Unknown
level: high
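To show how the selections in these templates actually match telemetry, here is a small evaluator written for this page (an added example, not code from the Sigma project or from any of the rules above). It implements the modifiers the templates use (plain equality, |contains, |endswith, |contains|all) and conditions that join selection names with 'and', applies Sigma's default case-insensitive string matching, and runs the schtasks and LSASS dump detections over constructed sample events; the event records and field values are assumptions made for the demonstration.

```python
# Added example (not Sigma project code): minimal evaluator for the detection blocks
# above. Handles equality, |contains, |endswith, |contains|all and 'and' conditions.

def _match_field(spec_key, pattern, event):
    field, *mods = spec_key.split("|")
    # Sigma string matching is case-insensitive by default
    value = str(event.get(field, "")).lower()
    patterns = pattern if isinstance(pattern, list) else [pattern]
    patterns = [str(p).lower() for p in patterns]
    if "contains" in mods:
        test = lambda p: p in value
    elif "endswith" in mods:
        test = lambda p: value.endswith(p)
    else:
        test = lambda p: value == p
    # A list of values is OR'ed unless the |all modifier is present
    return (all if "all" in mods else any)(test(p) for p in patterns)

def selection_matches(selection, event):
    # Every field in a selection map must match (implicit AND)
    return all(_match_field(k, v, event) for k, v in selection.items())

def rule_matches(detection, event):
    # The condition is evaluated as selection names joined by 'and'
    names = [n.strip() for n in detection["condition"].split(" and ")]
    return all(selection_matches(detection[n], event) for n in names)

# Detection blocks from two of the templates above, as Python dicts
SCHTASKS_TEMP = {
    "schtasks": {"Image|endswith": "\\schtasks.exe"},
    "suspcommand": {"CommandLine|contains|all": ["/Create ", "\\AppData\\Local\\Temp"]},
    "condition": "schtasks and suspcommand",
}
LSASS_DUMP = {
    "selection": {"TargetFilename|contains": "lsass", "TargetFilename|endswith": "dmp"},
    "condition": "selection",
}
# Constructed sample events (not real telemetry); note the upper-case LSASS.DMP
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /Create /TN upd /TR C:\\Users\\bob\\AppData\\Local\\Temp\\u.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Query /TN upd"},
    {"id": 3, "TargetFilename": "C:\\Windows\\Temp\\LSASS.DMP"},
    {"id": 4, "TargetFilename": "C:\\Windows\\Temp\\notepad.dmp"},
]

def matching_ids(detection, events=EVENTS):
    """Return the ids of the events a detection block fires on."""
    return [e["id"] for e in events if rule_matches(detection, e)]
```

Event 3 matches the LSASS template despite its upper-case filename, which is why a backend that emits case-sensitive queries for these rules would silently miss such dumps.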