Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

Read More

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

Read More

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Read More

Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"

Read More

Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"

Read More

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

Read More

Detect set Notification_Suppress to 1 to disable the Windows security center notification

Read More

Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes

Read More

Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes

Read More

Detect set DisallowRun to 1 to prevent user running specific computer program

Read More

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detect enable rdp feature to allow specific user to rdp connect on the targeted machine

Read More

BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Bypasses User Account Control using a fileless method

Read More

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Read More

There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC

Read More

Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel

Read More

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.

Read More

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More

Detect modification of TreatAs key to enable "rundll32.exe -sta" command

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects the abuse of custom file open handler, executing powershell

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Read More

Detects disabling Windows Defender Exploit Guard Network Protection

Read More

Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)

Read More

Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros

Read More

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Read More

Detects registry modifications that disable Privacy Settings Experience

Read More

Detects disabling Windows Defender PUA protection

Read More

Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.

Read More

Detects disabling Windows Defender Tamper Protection

Read More

Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0

Read More

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry

Read More

Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel

Read More

Detect set EnableFirewall to 0 to disable the Windows firewall

Read More

Detect set UseActionCenterExperience to 0 to disable the Windows security center notification

Read More

Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections

Read More

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Read More

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Read More

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

Read More

This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.

Read More

Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More

Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

Read More

Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

Read More

Hides the file extension through modification of the registry

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Read More

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

Read More

Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.

Read More

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Read More

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Read More

Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.

Read More

Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence

Read More

Detect modification of the startup key to a path where a payload could be stored to be launched during startup

Read More

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Read More

A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

Read More

Detects the registration of a new ODBC driver.

Read More

Detects the addition of new root, CA or AuthRoot certificates to the Windows registry

Read More

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Read More

Detects changes to the registry values related to outlook security settings

Read More

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Read More

Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary

Read More

Detects when an attacker register a new SIP provider for persistence and defense evasion

Read More

Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless

Read More

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Read More

Detects tampering with attachment manager settings policies attachments (See reference for more information)

Read More

Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging

Read More

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Read More

Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting

Read More

Detects potential persistence using Appx DebugPath

Read More

Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to pre-pend information to the PATH environment variable on a per-application, per-process basis.

Read More

Detects change the the "AutodialDLL" key which could be used as a persistence method to load custom DLL via the "ws2_32" library

Read More

Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence

Read More

Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a supsicious or unsuale location

Read More

Detects potential COM object hijacking leveraging the COM Search Order

Read More

Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence which will get invoked by "SearchIndexer.exe" process

Read More

Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.

Read More

Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

Read More

Detects when an attacker register a new SIP provider for persistence and defense evasion

Read More

Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)

Read More

Detects potential persistence activity via outlook home pages.

Read More

Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module

Read More

Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".

Read More

Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute

Read More

Detects the installation of a new shim database where the file is located in a non-default location

Read More

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time

Read More

Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt

Read More

Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution

Read More

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Read More

Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.

Read More

Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

Read More

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes

Read More

Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

Read More

Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.

Read More

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Read More

Detects that a powershell code is written to the registry as a service.

Read More

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

Read More

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc

Read More

Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files

Read More

Detects the modification of the registry to disable a system restore on the computer

Read More

Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)

Read More

Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)

Read More

Hides the file extension through modification of the registry

Read More

Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder

Read More

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Read More

Running Chrome VPN Extensions via the Registry install 2 vpn extension

Read More

Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious

Read More

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Read More

Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability

Read More

Detect the creation of a service with a service binary located in a suspicious directory

Read More

Detect the creation of a service with a service binary located in a uncommon directory

Read More

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Read More

Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings

Read More

Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings

Read More

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Read More

Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048

Read More

Detects potential PowerShell commands or code within registry run keys

Read More

Detects a suspicious printer driver installation with an empty Manufacturer value

Read More

Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.

Read More

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects tamper attempts to sophos av functionality via registry key modification

Read More

Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.

Read More

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Read More

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Read More

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

Read More

Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.

Read More

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

Read More

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

Read More

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Read More

Detects the Setting of Windows Defender Exclusions

Read More

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry

Read More

Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks

Read More

Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users

Read More

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects modification of autostart extensibility point (ASEP) in registry.

Read More

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

Read More

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Read More

Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

Read More

Detects potential registry persistence technique using the Event Viewer "Events.asp" technique

Read More

Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.

Read More

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects UAC bypass method using Windows event viewer

Read More

Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.

Read More

Detect possible persistence using Fax DLL load when service restart

Read More

Detect change of the user account associated with the FAX service to avoid the escalation problem.

Read More