Sigma rules for CVE-2025-61786
1 rules · scoped to cve · back to CVE-2025-61786
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
- https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
- attack.execution
- attack.t1204
- attack.t1059.007
- attack.command-and-control
- attack.t1105
logsource:
category: file_event
product: windows
detection:
selection_path:
TargetFilename|contains:
- '\deno\gen\'
- '\deno\remote\https\'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\'
condition: selection_path
falsepositives:
- Legitimate usage of deno to request a file or bring a DLL to a host
level: low