Skip to content
XDR Forensics Knowledge Base

Sigma Templates

  • Detection of Sysinternals Usage
description: Detects the usage of Sysinternals Tools
tags:
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
  • LSASS Dump Detection
description: LSASS memory dump creation using operating systems utilities.
tags:
    - attack.credential_access
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: 'lsass'
        TargetFilename|endswith: 'dmp'
    condition: selection
fields:
    - ComputerName
    - TargetFilename
falsepositives:
    - Admin activity
level: high
  • Suspicious Add Scheduled Task From User AppData Temp
description: schtasks.exe create suspicious task from user AppData\Local\Temp
tags:
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    schtasks:
        Image|endswith: '\schtasks.exe'
    suspcommand:
        CommandLine|contains|all:
            - '/Create '
            - '\AppData\Local\Temp'
    condition: schtasks and suspcommand
falsepositives:
    - Unknown
level: high
  • Disable UAC Using Registry
description: Detects Disable User Account Control (UAC) Using Registry by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
tags:
    - attack.privilege_escalation
    - attack.defense_evasion
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        EventType: SetValue
        TargetObject|contains: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: medium
  • Windows Defender Service Disabled
description: Detects disables the  Windows Defender service (WinDefend) via the registry
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        EventType: SetValue
        TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start'
        Details: 'DWORD (0x00000004)'
    condition: selection
falsepositives:
    - Administrator actions
level: high
  • PowerShell Get-Clipboard Cmdlet Via CLI
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium
  • User Account Hidden By Registry
description: Detect modifications for a specific user in order to prevent that user from appearing on the logon screen.
tags:
    - attack.defense_evasion
    - attack.t1564.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        EventType: SetValue
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\'
        TargetObject|endswith: '$'
        Details: DWORD (0x00000000)
    condition: selection
falsepositives:
    - Unknown
level: high