Home/CVE-2023-40204/Sigma rules
Sigma

Sigma rules for CVE-2023-40204

6 rules · scoped to cve · back to CVE-2023-40204
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

6 of 6
direct high
ISO File Created Within Temp Folders
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
status test author @sam0x90 id 2f9356ae-bf43-41b8-b858-4496d83b2acb license Sigma · DRL-1.1
view Sigma YAML 
title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
references:
    - https://twitter.com/Sam0x90/status/1552011547974696960
    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip\'
        TargetFilename|endswith: '.iso'
    selection_2:
        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
        TargetFilename|endswith: '.iso'
    condition: 1 of selection*
falsepositives:
    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high
direct high
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 8f3ab69a-aa22-4943-aa58-e0a52fdf6818 license Sigma · DRL-1.1
view Sigma YAML 
title: User Shell Folders Registry Modification via CommandLine
id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
related:
    - id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
      type: similar
status: experimental
description: |
    Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
references:
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.defense-impairment
    - attack.t1547.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\reg.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'reg.exe'
    selection_cli_action:
        CommandLine|contains:
            - ' add ' # reg.exe modification
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'si ' # short for Set-ItemProperty
    selection_cli_paths_root:
        CommandLine|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
            - '\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    selection_cli_paths_suffix:
        CommandLine|contains: 'Startup' # covers both 'Startup' and 'Common Startup'
    condition: all of selection_*
falsepositives:
    - Usage of reg.exe or PowerShell to modify User Shell Folders for legitimate purposes; but rare.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_user_shell_folders_registry_modification/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
direct high
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
status test author Florian Roth (Nextron Systems) id 8a8379b8-780b-4dbf-b1e9-31c8d112fefb license Sigma · DRL-1.1
view Sigma YAML 
title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains: ' /create '
    selection_command:
        CommandLine|contains:
            - 'powershell'
            - 'pwsh'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_all_folders:
        CommandLine|contains:
            - 'C:\ProgramData\'
            - '%ProgramData%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
direct high
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
status test author Nasreddine Bencherchali (Nextron Systems), SBousseaden id 6b98b92b-4f00-4f62-b4fe-4d1920215771 license Sigma · DRL-1.1
view Sigma YAML 
title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
    - id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
      type: similar
    - id: 602a1f13-c640-4d73-b053-be9a2fa58b77
      type: obsolete
status: test
description: |
    Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), SBousseaden
date: 2022-12-09
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            # Add other DLLs
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
    filter_main_ms_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
        # There could be other signatures (please add when found)
        Signature: 'Microsoft Windows'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
direct high
Modify User Shell Folders Startup Value
Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts. Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
status test author frack113, Swachchhanda Shrawan Poudel (Nextron Systems) id 9c226817-8dc9-46c2-a58d-66655aafd7dc license Sigma · DRL-1.1
view Sigma YAML 
title: Modify User Shell Folders Startup Value
id: 9c226817-8dc9-46c2-a58d-66655aafd7dc
related:
    - id: 8f3ab69a-aa22-4943-aa58-e0a52fdf6818
      type: similar
status: test
description: |
    Detect modification of the User Shell Folders registry values for Startup or Common Startup which could indicate persistence attempts.
    Attackers may modify User Shell Folders registry keys to point to malicious executables or scripts that will be executed during startup.
    This technique is often used to maintain persistence on a compromised system by ensuring that the malicious payload is executed automatically.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
    - https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-10-01
modified: 2026-01-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
        TargetObject|endswith:
            - '\Common Startup'
            - '\Startup'
    filter_main_details_null:
        Details: null
    filter_main_programdata_startup:
        Details|contains:
            - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_1:
        Details|contains:
            - '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
            - '%%USERPROFILE%%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    filter_main_userprofile_startup_2:
        Details|contains|all:
            - 'C:\Users\'
            - '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    # Apply more filters if new legitimate paths are identified
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders/info.yml
simulation:
    - type: atomic-red-team
      name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value
      technique: T1547.001
      atomic_guid: acfef903-7662-447e-a391-9c91c2f00f7b
direct medium
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
status test author Florian Roth (Nextron Systems) id a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc license Sigma · DRL-1.1
view Sigma YAML 
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
    - attack.t1587
    - attack.t1584
    - attack.resource-development
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe|startswith:
            # Temporary folder
            - '/tmp/'
            # Web server
            - '/var/www/'              # Standard
            - '/home/*/public_html/'   # Per-user
            - '/usr/local/apache2/'    # Classical Apache
            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
            - '/var/apache/'           # Solaris Apache
            - '/srv/www/'              # SuSE Linux 9.*
            - '/home/httpd/html/'      # Redhat 6 or older Apache
            - '/srv/http/'             # ArchLinux standard
            - '/usr/share/nginx/html/' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/'
            - '/usr/local/mysql/data/'
            - '/var/lib/mysql/'
            - '/var/vsftpd/'
            - '/etc/bind/'
            - '/var/named/'
    condition: selection
falsepositives:
    - Admin activity (especially in /tmp folders)
    - Crazy web applications
level: medium
Showing 1-6 of 6
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh