1,677 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix):
- Reconnaissance (12)
- Resource Development (10)
- Initial Access (10)
- Execution (30)
- Persistence (42)
- Privilege Escalation (20)
- Stealth (79)
- Defense Impairment (32)
- Credential Access (35)
- Discovery (33)
- Lateral Movement (16)
- Collection (20)
- Command and Control (24)
- Exfiltration (10)
- Impact (18)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 1,677
Level: high · Quality tier: Moderate · Alert-volume tier: High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '😀'
- '😃'
- '😄'
- '😁'
- '😆'
- '😅'
- '😂'
- '🤣'
- '🥲'
- '🥹'
- '☺️'
- '😊'
- '😇'
- '🙂'
- '🙃'
- '😉'
- '😌'
- '😍'
- '🥰'
- '😘'
- '😗'
- '😙'
- '😚'
- '😋'
- '😛'
- '😝'
- '😜'
- '🤪'
- '🤨'
- '🧐'
- '🤓'
- '😎'
- '🥸'
- '🤩'
- '🥳'
- '😏'
- '😒'
- '😞'
- '😔'
- '😟'
- '😕'
- '🙁'
- '☹️'
- '😣'
- '😖'
- '😫'
- '😩'
- '🥺'
- '😢'
- '😭'
- '😮💨'
- '😤'
- '😠'
- '😡'
- '🤬'
- '🤯'
- '😳'
- '🥵'
- '🥶'
- '😱'
- '😨'
- '😰'
- '😥'
- '😓'
- '🫣'
- '🤗'
- '🫡'
- '🤔'
- '🫢'
- '🤭'
- '🤫'
- '🤥'
- '😶'
- '😶🌫️'
- '😐'
- '😑'
- '😬'
- '🫠'
- '🙄'
- '😯'
- '😦'
- '😧'
- '😮'
- '😲'
- '🥱'
- '😴'
- '🤤'
- '😪'
- '😵'
- '😵💫'
- '🫥'
- '🤐'
- '🥴'
- '🤢'
- '🤮'
- '🤧'
- '😷'
- '🤒'
- '🤕'
- '🤑'
- '🤠'
- '😈'
- '👿'
- '👹'
- '👺'
- '🤡'
- '💩'
- '👻'
- '💀'
- '☠️'
- '👽'
- '👾'
- '🤖'
- '🎃'
- '😺'
- '😸'
- '😹'
- '😻'
- '😼'
- '😽'
- '🙀'
- '😿'
- '😾'
- '👋'
- '🤚'
- '🖐'
- '✋'
- '🖖'
- '👌'
- '🤌'
- '🤏'
- '✌️'
- '🤞'
- '🫰'
- '🤟'
- '🤘'
- '🤙'
- '🫵'
- '🫱'
- '🫲'
- '🫳'
- '🫴'
- '👈'
- '👉'
- '👆'
- '🖕'
- '👇'
- '☝️'
- '👍'
- '👎'
- '✊'
- '👊'
- '🤛'
- '🤜'
- '👏'
- '🫶'
- '🙌'
- '👐'
- '🤲'
- '🤝'
- '🙏'
- '✍️'
- '💪'
- '🦾'
- '🦵'
- '🦿'
- '🦶'
- '👣'
- '👂'
- '🦻'
- '👃'
- '🫀'
- '🫁'
- '🧠'
- '🦷'
- '🦴'
- '👀'
- '👁'
- '👅'
- '👄'
- '🫦'
- '💋'
- '🩸'
- '👶'
- '👧'
- '🧒'
- '👦'
- '👩'
- '🧑'
- '👨'
- '👩🦱'
- '🧑🦱'
- '👨🦱'
- '👩🦰'
- '🧑🦰'
- '👨🦰'
- '👱♀️'
- '👱'
- '👱♂️'
- '👩🦳'
- '🧑🦳'
- '👨🦳'
- '👩🦲'
- '🧑🦲'
- '👨🦲'
- '🧔♀️'
- '🧔'
- '🧔♂️'
- '👵'
- '🧓'
- '👴'
- '👲'
- '👳♀️'
- '👳'
- '👳♂️'
- '🧕'
- '👮♀️'
- '👮'
- '👮♂️'
- '👷♀️'
- '👷'
- '👷♂️'
- '💂♀️'
- '💂'
- '💂♂️'
- '🕵️♀️'
- '🕵️'
- '🕵️♂️'
- '👩⚕️'
- '🧑⚕️'
- '👨⚕️'
- '👩🌾'
- '🧑🌾'
- '👨🌾'
- '👩🍳'
- '🧑🍳'
- '👨🍳'
- '👩🎓'
- '🧑🎓'
- '👨🎓'
- '👩🎤'
- '🧑🎤'
- '👨🎤'
- '👩🏫'
- '🧑🏫'
- '👨🏫'
- '👩🏭'
- '🧑🏭'
- '👨🏭'
- '👩💻'
- '🧑💻'
- '👨💻'
- '👩💼'
- '🧑💼'
- '👨💼'
- '👩🔧'
- '🧑🔧'
- '👨🔧'
- '👩🔬'
- '🧑🔬'
- '👨🔬'
- '👩🎨'
- '🧑🎨'
- '👨🎨'
- '👩🚒'
- '🧑🚒'
- '👨🚒'
- '👩✈️'
- '🧑✈️'
- '👨✈️'
- '👩🚀'
- '🧑🚀'
- '👨🚀'
- '👩⚖️'
- '🧑⚖️'
- '👨⚖️'
- '👰♀️'
- '👰'
- '👰♂️'
- '🤵♀️'
- '🤵'
- '🤵♂️'
- '👸'
- '🫅'
- '🤴'
- '🥷'
- '🦸♀️'
- '🦸'
- '🦸♂️'
- '🦹♀️'
- '🦹'
- '🦹♂️'
- '🤶'
- '🧑🎄'
- '🎅'
- '🧙♀️'
- '🧙'
- '🧙♂️'
- '🧝♀️'
- '🧝'
- '🧝♂️'
- '🧛♀️'
- '🧛'
- '🧛♂️'
- '🧟♀️'
- '🧟'
- '🧟♂️'
- '🧞♀️'
- '🧞'
- '🧞♂️'
- '🧜♀️'
- '🧜'
- '🧜♂️'
- '🧚♀️'
- '🧚'
- '🧚♂️'
- '🧌'
- '👼'
- '🤰'
- '🫄'
- '🫃'
- '🤱'
- '👩🍼'
- '🧑🍼'
- '👨🍼'
- '🙇♀️'
- '🙇'
- '🙇♂️'
- '💁♀️'
- '💁'
- '💁♂️'
- '🙅♀️'
- '🙅'
- '🙅♂️'
- '🙆♀️'
- '🙆'
- '🙆♂️'
- '🙋♀️'
- '🙋'
- '🙋♂️'
- '🧏♀️'
- '🧏'
- '🧏♂️'
- '🤦♀️'
- '🤦'
- '🤦♂️'
- '🤷♀️'
- '🤷'
- '🤷♂️'
- '🙎♀️'
- '🙎'
- '🙎♂️'
- '🙍♀️'
- '🙍'
- '🙍♂️'
- '💇♀️'
- '💇'
- '💇♂️'
- '💆♀️'
- '💆'
- '💆♂️'
- '🧖♀️'
- '🧖'
- '🧖♂️'
- '💅'
- '💃'
- '🕺'
- '👯♀️'
- '👯'
- '👯♂️'
- '🕴'
- '👩🦽'
- '🧑🦽'
- '👨🦽'
- '👩🦼'
- '🧑🦼'
- '👨🦼'
- '🚶♀️'
- '🚶'
- '🚶♂️'
- '👩🦯'
- '🧑🦯'
- '👨🦯'
- '🧎♀️'
- '🧎'
- '🧎♂️'
- '🏃♀️'
- '🏃'
- '🏃♂️'
- '🧍♀️'
- '🧍'
- '🧍♂️'
- '👭'
- '🧑🤝🧑'
- '👬'
- '👫'
- '👩❤️👩'
- '💑'
- '👨❤️👨'
- '👩❤️👨'
- '👩❤️💋👩'
- '💏'
- '👨❤️💋👨'
- '👩❤️💋👨'
- '👪'
- '👨👩👦'
- '👨👩👧'
- '👨👩👧👦'
- '👨👩👦👦'
- '👨👩👧👧'
- '👨👨👦'
- '👨👨👧'
- '👨👨👧👦'
- '👨👨👦👦'
- '👨👨👧👧'
- '👩👩👦'
- '👩👩👧'
- '👩👩👧👦'
- '👩👩👦👦'
- '👩👩👧👧'
- '👨👦'
- '👨👦👦'
- '👨👧'
- '👨👧👦'
- '👨👧👧'
- '👩👦'
- '👩👦👦'
- '👩👧'
- '👩👧👦'
- '👩👧👧'
- '🗣'
- '👤'
- '👥'
- '🫂'
- '🧳'
- '🌂'
- '☂️'
- '🧵'
- '🪡'
- '🪢'
- '🧶'
- '👓'
- '🕶'
- '🥽'
- '🥼'
- '🦺'
- '👔'
- '👕'
- '👖'
- '🧣'
- '🧤'
- '🧥'
- '🧦'
- '👗'
- '👘'
- '🥻'
- '🩴'
- '🩱'
- '🩲'
- '🩳'
- '👙'
- '👚'
- '👛'
- '👜'
- '👝'
- '🎒'
- '👞'
- '👟'
- '🥾'
- '🥿'
- '👠'
- '👡'
- '🩰'
- '👢'
- '👑'
- '👒'
- '🎩'
- '🎓'
- '🧢'
- '⛑'
- '🪖'
- '💄'
- '💍'
- '💼'
- '👋🏻'
- '🤚🏻'
- '🖐🏻'
- '✋🏻'
- '🖖🏻'
- '👌🏻'
- '🤌🏻'
- '🤏🏻'
- '✌🏻'
- '🤞🏻'
- '🫰🏻'
- '🤟🏻'
- '🤘🏻'
- '🤙🏻'
- '🫵🏻'
- '🫱🏻'
- '🫲🏻'
- '🫳🏻'
- '🫴🏻'
- '👈🏻'
- '👉🏻'
- '👆🏻'
- '🖕🏻'
- '👇🏻'
- '☝🏻'
- '👍🏻'
- '👎🏻'
- '✊🏻'
- '👊🏻'
- '🤛🏻'
- '🤜🏻'
- '👏🏻'
- '🫶🏻'
- '🙌🏻'
- '👐🏻'
- '🤲🏻'
- '🙏🏻'
- '✍🏻'
- '💪🏻'
- '🦵🏻'
- '🦶🏻'
- '👂🏻'
- '🦻🏻'
- '👃🏻'
- '👶🏻'
- '👧🏻'
- '🧒🏻'
- '👦🏻'
- '👩🏻'
- '🧑🏻'
- '👨🏻'
- '👩🏻🦱'
- '🧑🏻🦱'
- '👨🏻🦱'
- '👩🏻🦰'
- '🧑🏻🦰'
- '👨🏻🦰'
- '👱🏻♀️'
- '👱🏻'
- '👱🏻♂️'
- '👩🏻🦳'
- '🧑🏻🦳'
- '👨🏻🦳'
- '👩🏻🦲'
- '🧑🏻🦲'
- '👨🏻🦲'
- '🧔🏻♀️'
- '🧔🏻'
- '🧔🏻♂️'
- '👵🏻'
- '🧓🏻'
- '👴🏻'
- '👲🏻'
- '👳🏻♀️'
- '👳🏻'
- '👳🏻♂️'
- '🧕🏻'
- '👮🏻♀️'
- '👮🏻'
- '👮🏻♂️'
- '👷🏻♀️'
- '👷🏻'
- '👷🏻♂️'
- '💂🏻♀️'
- '💂🏻'
- '💂🏻♂️'
- '🕵🏻♀️'
- '🕵🏻'
- '🕵🏻♂️'
- '👩🏻⚕️'
- '🧑🏻⚕️'
- '👨🏻⚕️'
- '👩🏻🌾'
- '🧑🏻🌾'
- '👨🏻🌾'
- '👩🏻🍳'
- '🧑🏻🍳'
- '👨🏻🍳'
- '👩🏻🎓'
- '🧑🏻🎓'
- '👨🏻🎓'
- '👩🏻🎤'
- '🧑🏻🎤'
- '👨🏻🎤'
- '👩🏻🏫'
- '🧑🏻🏫'
- '👨🏻🏫'
- '👩🏻🏭'
- '🧑🏻🏭'
- '👨🏻🏭'
- '👩🏻💻'
- '🧑🏻💻'
- '👨🏻💻'
- '👩🏻💼'
- '🧑🏻💼'
- '👨🏻💼'
- '👩🏻🔧'
- '🧑🏻🔧'
- '👨🏻🔧'
- '👩🏻🔬'
- '🧑🏻🔬'
- '👨🏻🔬'
- '👩🏻🎨'
- '🧑🏻🎨'
- '👨🏻🎨'
- '👩🏻🚒'
- '🧑🏻🚒'
- '👨🏻🚒'
- '👩🏻✈️'
- '🧑🏻✈️'
- '👨🏻✈️'
- '👩🏻🚀'
- '🧑🏻🚀'
- '👨🏻🚀'
- '👩🏻⚖️'
- '🧑🏻⚖️'
- '👨🏻⚖️'
- '👰🏻♀️'
- '👰🏻'
- '👰🏻♂️'
- '🤵🏻♀️'
- '🤵🏻'
- '🤵🏻♂️'
- '👸🏻'
- '🫅🏻'
- '🤴🏻'
- '🥷🏻'
- '🦸🏻♀️'
- '🦸🏻'
- '🦸🏻♂️'
- '🦹🏻♀️'
- '🦹🏻'
- '🦹🏻♂️'
- '🤶🏻'
- '🧑🏻🎄'
- '🎅🏻'
- '🧙🏻♀️'
- '🧙🏻'
- '🧙🏻♂️'
- '🧝🏻♀️'
- '🧝🏻'
- '🧝🏻♂️'
- '🧛🏻♀️'
- '🧛🏻'
- '🧛🏻♂️'
- '🧜🏻♀️'
- '🧜🏻'
- '🧜🏻♂️'
- '🧚🏻♀️'
- '🧚🏻'
- '🧚🏻♂️'
- '👼🏻'
- '🤰🏻'
- '🫄🏻'
- '🫃🏻'
- '🤱🏻'
- '👩🏻🍼'
- '🧑🏻🍼'
- '👨🏻🍼'
- '🙇🏻♀️'
- '🙇🏻'
- '🙇🏻♂️'
- '💁🏻♀️'
- '💁🏻'
- '💁🏻♂️'
- '🙅🏻♀️'
- '🙅🏻'
- '🙅🏻♂️'
- '🙆🏻♀️'
- '🙆🏻'
- '🙆🏻♂️'
- '🙋🏻♀️'
- '🙋🏻'
- '🙋🏻♂️'
- '🧏🏻♀️'
- '🧏🏻'
- '🧏🏻♂️'
- '🤦🏻♀️'
- '🤦🏻'
- '🤦🏻♂️'
- '🤷🏻♀️'
- '🤷🏻'
- '🤷🏻♂️'
- '🙎🏻♀️'
- '🙎🏻'
- '🙎🏻♂️'
- '🙍🏻♀️'
- '🙍🏻'
- '🙍🏻♂️'
- '💇🏻♀️'
- '💇🏻'
- '💇🏻♂️'
- '💆🏻♀️'
- '💆🏻'
- '💆🏻♂️'
- '🧖🏻♀️'
- '🧖🏻'
- '🧖🏻♂️'
- '💃🏻'
- '🕺🏻'
- '🕴🏻'
- '👩🏻🦽'
- '🧑🏻🦽'
- '👨🏻🦽'
- '👩🏻🦼'
- '🧑🏻🦼'
- '👨🏻🦼'
- '🚶🏻♀️'
- '🚶🏻'
- '🚶🏻♂️'
- '👩🏻🦯'
- '🧑🏻🦯'
- '👨🏻🦯'
- '🧎🏻♀️'
- '🧎🏻'
- '🧎🏻♂️'
- '🏃🏻♀️'
- '🏃🏻'
- '🏃🏻♂️'
- '🧍🏻♀️'
- '🧍🏻'
- '🧍🏻♂️'
- '👭🏻'
- '🧑🏻🤝🧑🏻'
- '👬🏻'
- '👫🏻'
- '🧗🏻♀️'
- '🧗🏻'
- '🧗🏻♂️'
- '🏇🏻'
- '🏂🏻'
- '🏌🏻♀️'
- '🏌🏻'
- '🏌🏻♂️'
- '🏄🏻♀️'
- '🏄🏻'
- '🏄🏻♂️'
- '🚣🏻♀️'
- '🚣🏻'
- '🚣🏻♂️'
- '🏊🏻♀️'
- '🏊🏻'
- '🏊🏻♂️'
- '⛹🏻♀️'
- '⛹🏻'
- '⛹🏻♂️'
- '🏋🏻♀️'
- '🏋🏻'
- '🏋🏻♂️'
- '🚴🏻♀️'
- '🚴🏻'
- '🚴🏻♂️'
- '🚵🏻♀️'
- '🚵🏻'
- '🚵🏻♂️'
- '🤸🏻♀️'
- '🤸🏻'
- '🤸🏻♂️'
- '🤽🏻♀️'
- '🤽🏻'
- '🤽🏻♂️'
- '🤾🏻♀️'
- '🤾🏻'
- '🤾🏻♂️'
- '🤹🏻♀️'
- '🤹🏻'
- '🤹🏻♂️'
- '🧘🏻♀️'
- '🧘🏻'
- '🧘🏻♂️'
- '🛀🏻'
- '🛌🏻'
- '👋🏼'
- '🤚🏼'
- '🖐🏼'
- '✋🏼'
- '🖖🏼'
- '👌🏼'
- '🤌🏼'
- '🤏🏼'
- '✌🏼'
- '🤞🏼'
- '🫰🏼'
- '🤟🏼'
- '🤘🏼'
- '🤙🏼'
- '🫵🏼'
- '🫱🏼'
- '🫲🏼'
- '🫳🏼'
- '🫴🏼'
- '👈🏼'
- '👉🏼'
- '👆🏼'
- '🖕🏼'
- '👇🏼'
- '☝🏼'
- '👍🏼'
- '👎🏼'
- '✊🏼'
- '👊🏼'
- '🤛🏼'
- '🤜🏼'
- '👏🏼'
- '🫶🏼'
- '🙌🏼'
- '👐🏼'
- '🤲🏼'
- '🙏🏼'
- '✍🏼'
- '💪🏼'
- '🦵🏼'
- '🦶🏼'
- '👂🏼'
- '🦻🏼'
- '👃🏼'
- '👶🏼'
- '👧🏼'
- '🧒🏼'
- '👦🏼'
- '👩🏼'
- '🧑🏼'
- '👨🏼'
- '👩🏼🦱'
- '🧑🏼🦱'
- '👨🏼🦱'
- '👩🏼🦰'
- '🧑🏼🦰'
- '👨🏼🦰'
- '👱🏼♀️'
- '👱🏼'
- '👱🏼♂️'
- '👩🏼🦳'
- '🧑🏼🦳'
- '👨🏼🦳'
- '👩🏼🦲'
- '🧑🏼🦲'
- '👨🏼🦲'
- '🧔🏼♀️'
- '🧔🏼'
- '🧔🏼♂️'
- '👵🏼'
- '🧓🏼'
- '👴🏼'
- '👲🏼'
- '👳🏼♀️'
- '👳🏼'
- '👳🏼♂️'
- '🧕🏼'
- '👮🏼♀️'
- '👮🏼'
- '👮🏼♂️'
- '👷🏼♀️'
- '👷🏼'
- '👷🏼♂️'
- '💂🏼♀️'
- '💂🏼'
- '💂🏼♂️'
- '🕵🏼♀️'
- '🕵🏼'
- '🕵🏼♂️'
- '👩🏼⚕️'
- '🧑🏼⚕️'
- '👨🏼⚕️'
- '👩🏼🌾'
- '🧑🏼🌾'
- '👨🏼🌾'
- '👩🏼🍳'
- '🧑🏼🍳'
- '👨🏼🍳'
- '👩🏼🎓'
- '🧑🏼🎓'
- '👨🏼🎓'
- '👩🏼🎤'
- '🧑🏼🎤'
- '👨🏼🎤'
- '👩🏼🏫'
- '🧑🏼🏫'
- '👨🏼🏫'
- '👩🏼🏭'
- '🧑🏼🏭'
- '👨🏼🏭'
- '👩🏼💻'
- '🧑🏼💻'
- '👨🏼💻'
- '👩🏼💼'
- '🧑🏼💼'
- '👨🏼💼'
- '👩🏼🔧'
- '🧑🏼🔧'
- '👨🏼🔧'
- '👩🏼🔬'
- '🧑🏼🔬'
- '👨🏼🔬'
- '👩🏼🎨'
- '🧑🏼🎨'
- '👨🏼🎨'
- '👩🏼🚒'
- '🧑🏼🚒'
- '👨🏼🚒'
- '👩🏼✈️'
- '🧑🏼✈️'
- '👨🏼✈️'
- '👩🏼🚀'
- '🧑🏼🚀'
- '👨🏼🚀'
- '👩🏼⚖️'
- '🧑🏼⚖️'
- '👨🏼⚖️'
- '👰🏼♀️'
- '👰🏼'
- '👰🏼♂️'
- '🤵🏼♀️'
- '🤵🏼'
- '🤵🏼♂️'
- '👸🏼'
- '🫅🏼'
- '🤴🏼'
- '🥷🏼'
- '🦸🏼♀️'
- '🦸🏼'
- '🦸🏼♂️'
- '🦹🏼♀️'
- '🦹🏼'
- '🦹🏼♂️'
- '🤶🏼'
- '🧑🏼🎄'
- '🎅🏼'
- '🧙🏼♀️'
- '🧙🏼'
- '🧙🏼♂️'
- '🧝🏼♀️'
- '🧝🏼'
- '🧝🏼♂️'
- '🧛🏼♀️'
- '🧛🏼'
- '🧛🏼♂️'
- '🧜🏼♀️'
- '🧜🏼'
- '🧜🏼♂️'
- '🧚🏼♀️'
- '🧚🏼'
- '🧚🏼♂️'
- '👼🏼'
- '🤰🏼'
- '🫄🏼'
- '🫃🏼'
- '🤱🏼'
- '👩🏼🍼'
- '🧑🏼🍼'
- '👨🏼🍼'
- '🙇🏼♀️'
- '🙇🏼'
- '🙇🏼♂️'
- '💁🏼♀️'
- '💁🏼'
- '💁🏼♂️'
- '🙅🏼♀️'
- '🙅🏼'
- '🙅🏼♂️'
- '🙆🏼♀️'
- '🙆🏼'
- '🙆🏼♂️'
- '🙋🏼♀️'
- '🙋🏼'
- '🙋🏼♂️'
- '🧏🏼♀️'
- '🧏🏼'
- '🧏🏼♂️'
- '🤦🏼♀️'
- '🤦🏼'
- '🤦🏼♂️'
- '🤷🏼♀️'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert-volume tier: High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🤷🏼'
- '🤷🏼♂️'
- '🙎🏼♀️'
- '🙎🏼'
- '🙎🏼♂️'
- '🙍🏼♀️'
- '🙍🏼'
- '🙍🏼♂️'
- '💇🏼♀️'
- '💇🏼'
- '💇🏼♂️'
- '💆🏼♀️'
- '💆🏼'
- '💆🏼♂️'
- '🧖🏼♀️'
- '🧖🏼'
- '🧖🏼♂️'
- '💃🏼'
- '🕺🏼'
- '🕴🏼'
- '👩🏼🦽'
- '🧑🏼🦽'
- '👨🏼🦽'
- '👩🏼🦼'
- '🧑🏼🦼'
- '👨🏼🦼'
- '🚶🏼♀️'
- '🚶🏼'
- '🚶🏼♂️'
- '👩🏼🦯'
- '🧑🏼🦯'
- '👨🏼🦯'
- '🧎🏼♀️'
- '🧎🏼'
- '🧎🏼♂️'
- '🏃🏼♀️'
- '🏃🏼'
- '🏃🏼♂️'
- '🧍🏼♀️'
- '🧍🏼'
- '🧍🏼♂️'
- '👭🏼'
- '🧑🏼🤝🧑🏼'
- '👬🏼'
- '👫🏼'
- '🧗🏼♀️'
- '🧗🏼'
- '🧗🏼♂️'
- '🏇🏼'
- '🏂🏼'
- '🏌🏼♀️'
- '🏌🏼'
- '🏌🏼♂️'
- '🏄🏼♀️'
- '🏄🏼'
- '🏄🏼♂️'
- '🚣🏼♀️'
- '🚣🏼'
- '🚣🏼♂️'
- '🏊🏼♀️'
- '🏊🏼'
- '🏊🏼♂️'
- '⛹🏼♀️'
- '⛹🏼'
- '⛹🏼♂️'
- '🏋🏼♀️'
- '🏋🏼'
- '🏋🏼♂️'
- '🚴🏼♀️'
- '🚴🏼'
- '🚴🏼♂️'
- '🚵🏼♀️'
- '🚵🏼'
- '🚵🏼♂️'
- '🤸🏼♀️'
- '🤸🏼'
- '🤸🏼♂️'
- '🤽🏼♀️'
- '🤽🏼'
- '🤽🏼♂️'
- '🤾🏼♀️'
- '🤾🏼'
- '🤾🏼♂️'
- '🤹🏼♀️'
- '🤹🏼'
- '🤹🏼♂️'
- '🧘🏼♀️'
- '🧘🏼'
- '🧘🏼♂️'
- '🛀🏼'
- '🛌🏼'
- '👋🏽'
- '🤚🏽'
- '🖐🏽'
- '✋🏽'
- '🖖🏽'
- '👌🏽'
- '🤌🏽'
- '🤏🏽'
- '✌🏽'
- '🤞🏽'
- '🫰🏽'
- '🤟🏽'
- '🤘🏽'
- '🤙🏽'
- '🫵🏽'
- '🫱🏽'
- '🫲🏽'
- '🫳🏽'
- '🫴🏽'
- '👈🏽'
- '👉🏽'
- '👆🏽'
- '🖕🏽'
- '👇🏽'
- '☝🏽'
- '👍🏽'
- '👎🏽'
- '✊🏽'
- '👊🏽'
- '🤛🏽'
- '🤜🏽'
- '👏🏽'
- '🫶🏽'
- '🙌🏽'
- '👐🏽'
- '🤲🏽'
- '🙏🏽'
- '✍🏽'
- '💪🏽'
- '🦵🏽'
- '🦶🏽'
- '👂🏽'
- '🦻🏽'
- '👃🏽'
- '👶🏽'
- '👧🏽'
- '🧒🏽'
- '👦🏽'
- '👩🏽'
- '🧑🏽'
- '👨🏽'
- '👩🏽🦱'
- '🧑🏽🦱'
- '👨🏽🦱'
- '👩🏽🦰'
- '🧑🏽🦰'
- '👨🏽🦰'
- '👱🏽♀️'
- '👱🏽'
- '👱🏽♂️'
- '👩🏽🦳'
- '🧑🏽🦳'
- '👨🏽🦳'
- '👩🏽🦲'
- '🧑🏽🦲'
- '👨🏽🦲'
- '🧔🏽♀️'
- '🧔🏽'
- '🧔🏽♂️'
- '👵🏽'
- '🧓🏽'
- '👴🏽'
- '👲🏽'
- '👳🏽♀️'
- '👳🏽'
- '👳🏽♂️'
- '🧕🏽'
- '👮🏽♀️'
- '👮🏽'
- '👮🏽♂️'
- '👷🏽♀️'
- '👷🏽'
- '👷🏽♂️'
- '💂🏽♀️'
- '💂🏽'
- '💂🏽♂️'
- '🕵🏽♀️'
- '🕵🏽'
- '🕵🏽♂️'
- '👩🏽⚕️'
- '🧑🏽⚕️'
- '👨🏽⚕️'
- '👩🏽🌾'
- '🧑🏽🌾'
- '👨🏽🌾'
- '👩🏽🍳'
- '🧑🏽🍳'
- '👨🏽🍳'
- '👩🏽🎓'
- '🧑🏽🎓'
- '👨🏽🎓'
- '👩🏽🎤'
- '🧑🏽🎤'
- '👨🏽🎤'
- '👩🏽🏫'
- '🧑🏽🏫'
- '👨🏽🏫'
- '👩🏽🏭'
- '🧑🏽🏭'
- '👨🏽🏭'
- '👩🏽💻'
- '🧑🏽💻'
- '👨🏽💻'
- '👩🏽💼'
- '🧑🏽💼'
- '👨🏽💼'
- '👩🏽🔧'
- '🧑🏽🔧'
- '👨🏽🔧'
- '👩🏽🔬'
- '🧑🏽🔬'
- '👨🏽🔬'
- '👩🏽🎨'
- '🧑🏽🎨'
- '👨🏽🎨'
- '👩🏽🚒'
- '🧑🏽🚒'
- '👨🏽🚒'
- '👩🏽✈️'
- '🧑🏽✈️'
- '👨🏽✈️'
- '👩🏽🚀'
- '🧑🏽🚀'
- '👨🏽🚀'
- '👩🏽⚖️'
- '🧑🏽⚖️'
- '👨🏽⚖️'
- '👰🏽♀️'
- '👰🏽'
- '👰🏽♂️'
- '🤵🏽♀️'
- '🤵🏽'
- '🤵🏽♂️'
- '👸🏽'
- '🫅🏽'
- '🤴🏽'
- '🥷🏽'
- '🦸🏽♀️'
- '🦸🏽'
- '🦸🏽♂️'
- '🦹🏽♀️'
- '🦹🏽'
- '🦹🏽♂️'
- '🤶🏽'
- '🧑🏽🎄'
- '🎅🏽'
- '🧙🏽♀️'
- '🧙🏽'
- '🧙🏽♂️'
- '🧝🏽♀️'
- '🧝🏽'
- '🧝🏽♂️'
- '🧛🏽♀️'
- '🧛🏽'
- '🧛🏽♂️'
- '🧜🏽♀️'
- '🧜🏽'
- '🧜🏽♂️'
- '🧚🏽♀️'
- '🧚🏽'
- '🧚🏽♂️'
- '👼🏽'
- '🤰🏽'
- '🫄🏽'
- '🫃🏽'
- '🤱🏽'
- '👩🏽🍼'
- '🧑🏽🍼'
- '👨🏽🍼'
- '🙇🏽♀️'
- '🙇🏽'
- '🙇🏽♂️'
- '💁🏽♀️'
- '💁🏽'
- '💁🏽♂️'
- '🙅🏽♀️'
- '🙅🏽'
- '🙅🏽♂️'
- '🙆🏽♀️'
- '🙆🏽'
- '🙆🏽♂️'
- '🙋🏽♀️'
- '🙋🏽'
- '🙋🏽♂️'
- '🧏🏽♀️'
- '🧏🏽'
- '🧏🏽♂️'
- '🤦🏽♀️'
- '🤦🏽'
- '🤦🏽♂️'
- '🤷🏽♀️'
- '🤷🏽'
- '🤷🏽♂️'
- '🙎🏽♀️'
- '🙎🏽'
- '🙎🏽♂️'
- '🙍🏽♀️'
- '🙍🏽'
- '🙍🏽♂️'
- '💇🏽♀️'
- '💇🏽'
- '💇🏽♂️'
- '💆🏽♀️'
- '💆🏽'
- '💆🏽♂️'
- '🧖🏽♀️'
- '🧖🏽'
- '🧖🏽♂️'
- '💃🏽'
- '🕺🏽'
- '🕴🏽'
- '👩🏽🦽'
- '🧑🏽🦽'
- '👨🏽🦽'
- '👩🏽🦼'
- '🧑🏽🦼'
- '👨🏽🦼'
- '🚶🏽♀️'
- '🚶🏽'
- '🚶🏽♂️'
- '👩🏽🦯'
- '🧑🏽🦯'
- '👨🏽🦯'
- '🧎🏽♀️'
- '🧎🏽'
- '🧎🏽♂️'
- '🏃🏽♀️'
- '🏃🏽'
- '🏃🏽♂️'
- '🧍🏽♀️'
- '🧍🏽'
- '🧍🏽♂️'
- '👭🏽'
- '🧑🏽🤝🧑🏽'
- '👬🏽'
- '👫🏽'
- '🧗🏽♀️'
- '🧗🏽'
- '🧗🏽♂️'
- '🏇🏽'
- '🏂🏽'
- '🏌🏽♀️'
- '🏌🏽'
- '🏌🏽♂️'
- '🏄🏽♀️'
- '🏄🏽'
- '🏄🏽♂️'
- '🚣🏽♀️'
- '🚣🏽'
- '🚣🏽♂️'
- '🏊🏽♀️'
- '🏊🏽'
- '🏊🏽♂️'
- '⛹🏽♀️'
- '⛹🏽'
- '⛹🏽♂️'
- '🏋🏽♀️'
- '🏋🏽'
- '🏋🏽♂️'
- '🚴🏽♀️'
- '🚴🏽'
- '🚴🏽♂️'
- '🚵🏽♀️'
- '🚵🏽'
- '🚵🏽♂️'
- '🤸🏽♀️'
- '🤸🏽'
- '🤸🏽♂️'
- '🤽🏽♀️'
- '🤽🏽'
- '🤽🏽♂️'
- '🤾🏽♀️'
- '🤾🏽'
- '🤾🏽♂️'
- '🤹🏽♀️'
- '🤹🏽'
- '🤹🏽♂️'
- '🧘🏽♀️'
- '🧘🏽'
- '🧘🏽♂️'
- '🛀🏽'
- '🛌🏽'
- '👋🏾'
- '🤚🏾'
- '🖐🏾'
- '✋🏾'
- '🖖🏾'
- '👌🏾'
- '🤌🏾'
- '🤏🏾'
- '✌🏾'
- '🤞🏾'
- '🫰🏾'
- '🤟🏾'
- '🤘🏾'
- '🤙🏾'
- '🫵🏾'
- '🫱🏾'
- '🫲🏾'
- '🫳🏾'
- '🫴🏾'
- '👈🏾'
- '👉🏾'
- '👆🏾'
- '🖕🏾'
- '👇🏾'
- '☝🏾'
- '👍🏾'
- '👎🏾'
- '✊🏾'
- '👊🏾'
- '🤛🏾'
- '🤜🏾'
- '👏🏾'
- '🫶🏾'
- '🙌🏾'
- '👐🏾'
- '🤲🏾'
- '🙏🏾'
- '✍🏾'
- '💪🏾'
- '🦵🏾'
- '🦶🏾'
- '👂🏾'
- '🦻🏾'
- '👃🏾'
- '👶🏾'
- '👧🏾'
- '🧒🏾'
- '👦🏾'
- '👩🏾'
- '🧑🏾'
- '👨🏾'
- '👩🏾🦱'
- '🧑🏾🦱'
- '👨🏾🦱'
- '👩🏾🦰'
- '🧑🏾🦰'
- '👨🏾🦰'
- '👱🏾♀️'
- '👱🏾'
- '👱🏾♂️'
- '👩🏾🦳'
- '🧑🏾🦳'
- '👨🏾🦳'
- '👩🏾🦲'
- '🧑🏾🦲'
- '👨🏾🦲'
- '🧔🏾♀️'
- '🧔🏾'
- '🧔🏾♂️'
- '👵🏾'
- '🧓🏾'
- '👴🏾'
- '👲🏾'
- '👳🏾♀️'
- '👳🏾'
- '👳🏾♂️'
- '🧕🏾'
- '👮🏾♀️'
- '👮🏾'
- '👮🏾♂️'
- '👷🏾♀️'
- '👷🏾'
- '👷🏾♂️'
- '💂🏾♀️'
- '💂🏾'
- '💂🏾♂️'
- '🕵🏾♀️'
- '🕵🏾'
- '🕵🏾♂️'
- '👩🏾⚕️'
- '🧑🏾⚕️'
- '👨🏾⚕️'
- '👩🏾🌾'
- '🧑🏾🌾'
- '👨🏾🌾'
- '👩🏾🍳'
- '🧑🏾🍳'
- '👨🏾🍳'
- '👩🏾🎓'
- '🧑🏾🎓'
- '👨🏾🎓'
- '👩🏾🎤'
- '🧑🏾🎤'
- '👨🏾🎤'
- '👩🏾🏫'
- '🧑🏾🏫'
- '👨🏾🏫'
- '👩🏾🏭'
- '🧑🏾🏭'
- '👨🏾🏭'
- '👩🏾💻'
- '🧑🏾💻'
- '👨🏾💻'
- '👩🏾💼'
- '🧑🏾💼'
- '👨🏾💼'
- '👩🏾🔧'
- '🧑🏾🔧'
- '👨🏾🔧'
- '👩🏾🔬'
- '🧑🏾🔬'
- '👨🏾🔬'
- '👩🏾🎨'
- '🧑🏾🎨'
- '👨🏾🎨'
- '👩🏾🚒'
- '🧑🏾🚒'
- '👨🏾🚒'
- '👩🏾✈️'
- '🧑🏾✈️'
- '👨🏾✈️'
- '👩🏾🚀'
- '🧑🏾🚀'
- '👨🏾🚀'
- '👩🏾⚖️'
- '🧑🏾⚖️'
- '👨🏾⚖️'
- '👰🏾♀️'
- '👰🏾'
- '👰🏾♂️'
- '🤵🏾♀️'
- '🤵🏾'
- '🤵🏾♂️'
- '👸🏾'
- '🫅🏾'
- '🤴🏾'
- '🥷🏾'
- '🦸🏾♀️'
- '🦸🏾'
- '🦸🏾♂️'
- '🦹🏾♀️'
- '🦹🏾'
- '🦹🏾♂️'
- '🤶🏾'
- '🧑🏾🎄'
- '🎅🏾'
- '🧙🏾♀️'
- '🧙🏾'
- '🧙🏾♂️'
- '🧝🏾♀️'
- '🧝🏾'
- '🧝🏾♂️'
- '🧛🏾♀️'
- '🧛🏾'
- '🧛🏾♂️'
- '🧜🏾♀️'
- '🧜🏾'
- '🧜🏾♂️'
- '🧚🏾♀️'
- '🧚🏾'
- '🧚🏾♂️'
- '👼🏾'
- '🤰🏾'
- '🫄🏾'
- '🫃🏾'
- '🤱🏾'
- '👩🏾🍼'
- '🧑🏾🍼'
- '👨🏾🍼'
- '🙇🏾♀️'
- '🙇🏾'
- '🙇🏾♂️'
- '💁🏾♀️'
- '💁🏾'
- '💁🏾♂️'
- '🙅🏾♀️'
- '🙅🏾'
- '🙅🏾♂️'
- '🙆🏾♀️'
- '🙆🏾'
- '🙆🏾♂️'
- '🙋🏾♀️'
- '🙋🏾'
- '🙋🏾♂️'
- '🧏🏾♀️'
- '🧏🏾'
- '🧏🏾♂️'
- '🤦🏾♀️'
- '🤦🏾'
- '🤦🏾♂️'
- '🤷🏾♀️'
- '🤷🏾'
- '🤷🏾♂️'
- '🙎🏾♀️'
- '🙎🏾'
- '🙎🏾♂️'
- '🙍🏾♀️'
- '🙍🏾'
- '🙍🏾♂️'
- '💇🏾♀️'
- '💇🏾'
- '💇🏾♂️'
- '💆🏾♀️'
- '💆🏾'
- '💆🏾♂️'
- '🧖🏾♀️'
- '🧖🏾'
- '🧖🏾♂️'
- '💃🏾'
- '🕺🏾'
- '👩🏾🦽'
- '🧑🏾🦽'
- '👨🏾🦽'
- '👩🏾🦼'
- '🧑🏾🦼'
- '👨🏾🦼'
- '🚶🏾♀️'
- '🚶🏾'
- '🚶🏾♂️'
- '👩🏾🦯'
- '🧑🏾🦯'
- '👨🏾🦯'
- '🧎🏾♀️'
- '🧎🏾'
- '🧎🏾♂️'
- '🏃🏾♀️'
- '🏃🏾'
- '🏃🏾♂️'
- '🧍🏾♀️'
- '🧍🏾'
- '🧍🏾♂️'
- '👭🏾'
- '🧑🏾🤝🧑🏾'
- '👬🏾'
- '👫🏾'
- '🧗🏾♀️'
- '🧗🏾'
- '🧗🏾♂️'
- '🏇🏾'
- '🏂🏾'
- '🏌🏾♀️'
- '🏌🏾'
- '🏌🏾♂️'
- '🏄🏾♀️'
- '🏄🏾'
- '🏄🏾♂️'
- '🚣🏾♀️'
- '🚣🏾'
- '🚣🏾♂️'
- '🏊🏾♀️'
- '🏊🏾'
- '🏊🏾♂️'
- '⛹🏾♀️'
- '⛹🏾'
- '⛹🏾♂️'
- '🏋🏾♀️'
- '🏋🏾'
- '🏋🏾♂️'
- '🚴🏾♀️'
- '🚴🏾'
- '🚴🏾♂️'
- '🚵🏾♀️'
- '🚵🏾'
- '🚵🏾♂️'
- '🤸🏾♀️'
- '🤸🏾'
- '🤸🏾♂️'
- '🤽🏾♀️'
- '🤽🏾'
- '🤽🏾♂️'
- '🤾🏾♀️'
- '🤾🏾'
- '🤾🏾♂️'
- '🤹🏾♀️'
- '🤹🏾'
- '🤹🏾♂️'
- '🧘🏾♀️'
- '🧘🏾'
- '🧘🏾♂️'
- '🛀🏾'
- '🛌🏾'
- '👋🏿'
- '🤚🏿'
- '🖐🏿'
- '✋🏿'
- '🖖🏿'
- '👌🏿'
- '🤌🏿'
- '🤏🏿'
- '✌🏿'
- '🤞🏿'
- '🫰🏿'
- '🤟🏿'
- '🤘🏿'
- '🤙🏿'
- '🫵🏿'
- '🫱🏿'
- '🫲🏿'
- '🫳🏿'
- '🫴🏿'
- '👈🏿'
- '👉🏿'
- '👆🏿'
- '🖕🏿'
- '👇🏿'
- '☝🏿'
- '👍🏿'
- '👎🏿'
- '✊🏿'
- '👊🏿'
- '🤛🏿'
- '🤜🏿'
- '👏🏿'
- '🫶🏿'
- '🙌🏿'
- '👐🏿'
- '🤲🏿'
- '🙏🏿'
- '✍🏿'
- '🤳🏿'
- '💪🏿'
- '🦵🏿'
- '🦶🏿'
- '👂🏿'
- '🦻🏿'
- '👃🏿'
- '👶🏿'
- '👧🏿'
- '🧒🏿'
- '👦🏿'
- '👩🏿'
- '🧑🏿'
- '👨🏿'
- '👩🏿🦱'
- '🧑🏿🦱'
- '👨🏿🦱'
- '👩🏿🦰'
- '🧑🏿🦰'
- '👨🏿🦰'
- '👱🏿♀️'
- '👱🏿'
- '👱🏿♂️'
- '👩🏿🦳'
- '🧑🏿🦳'
- '👨🏿🦳'
- '👩🏿🦲'
- '🧑🏿🦲'
- '👨🏿🦲'
- '🧔🏿♀️'
- '🧔🏿'
- '🧔🏿♂️'
- '👵🏿'
- '🧓🏿'
- '👴🏿'
- '👲🏿'
- '👳🏿♀️'
- '👳🏿'
- '👳🏿♂️'
- '🧕🏿'
- '👮🏿♀️'
- '👮🏿'
- '👮🏿♂️'
- '👷🏿♀️'
- '👷🏿'
- '👷🏿♂️'
- '💂🏿♀️'
- '💂🏿'
- '💂🏿♂️'
- '🕵🏿♀️'
- '🕵🏿'
- '🕵🏿♂️'
- '👩🏿⚕️'
- '🧑🏿⚕️'
- '👨🏿⚕️'
- '👩🏿🌾'
- '🧑🏿🌾'
- '👨🏿🌾'
- '👩🏿🍳'
- '🧑🏿🍳'
- '👨🏿🍳'
- '👩🏿🎓'
- '🧑🏿🎓'
- '👨🏿🎓'
- '👩🏿🎤'
- '🧑🏿🎤'
- '👨🏿🎤'
- '👩🏿🏫'
- '🧑🏿🏫'
- '👨🏿🏫'
- '👩🏿🏭'
- '🧑🏿🏭'
- '👨🏿🏭'
- '👩🏿💻'
- '🧑🏿💻'
- '👨🏿💻'
- '👩🏿💼'
- '🧑🏿💼'
- '👨🏿💼'
- '👩🏿🔧'
- '🧑🏿🔧'
- '👨🏿🔧'
- '👩🏿🔬'
- '🧑🏿🔬'
- '👨🏿🔬'
- '👩🏿🎨'
- '🧑🏿🎨'
- '👨🏿🎨'
- '👩🏿🚒'
- '🧑🏿🚒'
- '👨🏿🚒'
- '👩🏿✈️'
- '🧑🏿✈️'
- '👨🏿✈️'
- '👩🏿🚀'
- '🧑🏿🚀'
- '👨🏿🚀'
- '👩🏿⚖️'
- '🧑🏿⚖️'
- '👨🏿⚖️'
- '👰🏿♀️'
- '👰🏿'
- '👰🏿♂️'
- '🤵🏿♀️'
- '🤵🏿'
- '🤵🏿♂️'
- '👸🏿'
- '🫅🏿'
- '🤴🏿'
- '🥷🏿'
- '🦸🏿♀️'
- '🦸🏿'
- '🦸🏿♂️'
- '🦹🏿♀️'
- '🦹🏿'
- '🦹🏿♂️'
- '🤶🏿'
- '🧑🏿🎄'
- '🎅🏿'
- '🧙🏿♀️'
- '🧙🏿'
- '🧙🏿♂️'
- '🧝🏿♀️'
- '🧝🏿'
- '🧝🏿♂️'
- '🧛🏿♀️'
- '🧛🏿'
- '🧛🏿♂️'
- '🧜🏿♀️'
- '🧜🏿'
- '🧜🏿♂️'
- '🧚🏿♀️'
- '🧚🏿'
- '🧚🏿♂️'
- '👼🏿'
- '🤰🏿'
- '🫄🏿'
- '🫃🏿'
- '🤱🏿'
- '👩🏿🍼'
- '🧑🏿🍼'
- '👨🏿🍼'
- '🙇🏿♀️'
- '🙇🏿'
- '🙇🏿♂️'
- '💁🏿♀️'
- '💁🏿'
- '💁🏿♂️'
- '🙅🏿♀️'
- '🙅🏿'
- '🙅🏿♂️'
- '🙆🏿♀️'
- '🙆🏿'
- '🙆🏿♂️'
- '🙋🏿♀️'
- '🙋🏿'
- '🙋🏿♂️'
- '🧏🏿♀️'
- '🧏🏿'
- '🧏🏿♂️'
- '🤦🏿♀️'
- '🤦🏿'
- '🤦🏿♂️'
- '🤷🏿♀️'
- '🤷🏿'
- '🤷🏿♂️'
- '🙎🏿♀️'
- '🙎🏿'
- '🙎🏿♂️'
- '🙍🏿♀️'
- '🙍🏿'
- '🙍🏿♂️'
- '💇🏿♀️'
- '💇🏿'
- '💇🏿♂️'
- '💆🏿♀️'
- '💆🏿'
- '💆🏿♂️'
- '🧖🏿♀️'
- '🧖🏿'
- '🧖🏿♂️'
- '💃🏿'
- '🕺🏿'
- '🕴🏿'
- '👩🏿🦽'
- '🧑🏿🦽'
- '👨🏿🦽'
- '👩🏿🦼'
- '🧑🏿🦼'
- '👨🏿🦼'
- '🚶🏿♀️'
- '🚶🏿'
- '🚶🏿♂️'
- '👩🏿🦯'
- '🧑🏿🦯'
- '👨🏿🦯'
- '🧎🏿♀️'
- '🧎🏿'
- '🧎🏿♂️'
- '🏃🏿♀️'
- '🏃🏿'
- '🏃🏿♂️'
- '🧍🏿♀️'
- '🧍🏿'
- '🧍🏿♂️'
- '👭🏿'
- '🧑🏿🤝🧑🏿'
- '👬🏿'
- '👫🏿'
- '🧗🏿♀️'
- '🧗🏿'
- '🧗🏿♂️'
- '🏇🏿'
- '🏂🏿'
- '🏌🏿♀️'
- '🏌🏿'
- '🏌🏿♂️'
- '🏄🏿♀️'
- '🏄🏿'
- '🏄🏿♂️'
- '🚣🏿♀️'
- '🚣🏿'
- '🚣🏿♂️'
- '🏊🏿♀️'
- '🏊🏿'
- '🏊🏿♂️'
- '⛹🏿♀️'
- '⛹🏿'
- '⛹🏿♂️'
- '🏋🏿♀️'
- '🏋🏿'
- '🏋🏿♂️'
- '🚴🏿♀️'
- '🚴🏿'
- '🚴🏿♂️'
- '🚵🏿♀️'
- '🚵🏿'
- '🚵🏿♂️'
- '🤸🏿♀️'
- '🤸🏿'
- '🤸🏿♂️'
- '🤽🏿♀️'
- '🤽🏿'
- '🤽🏿♂️'
- '🤾🏿♀️'
- '🤾🏿'
- '🤾🏿♂️'
- '🤹🏿♀️'
- '🤹🏿'
- '🤹🏿♂️'
- '🧘🏿♀️'
- '🧘🏿'
- '🧘🏿♂️'
- '🛀🏿'
- '🛌🏿'
- '🐶'
- '🐱'
- '🐭'
- '🐹'
- '🐰'
- '🦊'
- '🐻'
- '🐼'
- '🐻❄️'
- '🐨'
- '🐯'
- '🦁'
- '🐮'
- '🐷'
- '🐽'
- '🐸'
- '🐵'
- '🙈'
- '🙉'
- '🙊'
- '🐒'
- '🐔'
- '🐧'
- '🐦'
- '🐤'
- '🐣'
- '🐥'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert-volume tier: High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
id: f9578658-9e71-4711-b634-3f9b50cd3c06
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🦆'
- '🦅'
- '🦉'
- '🦇'
- '🐺'
- '🐗'
- '🐴'
- '🦄'
- '🐝'
- '🪱'
- '🐛'
- '🦋'
- '🐌'
- '🐞'
- '🐜'
- '🪰'
- '🪲'
- '🪳'
- '🦟'
- '🦗'
- '🕷'
- '🕸'
- '🦂'
- '🐢'
- '🐍'
- '🦎'
- '🦖'
- '🦕'
- '🐙'
- '🦑'
- '🦐'
- '🦞'
- '🦀'
- '🪸'
- '🐡'
- '🐠'
- '🐟'
- '🐬'
- '🐳'
- '🐋'
- '🦈'
- '🐊'
- '🐅'
- '🐆'
- '🦓'
- '🦍'
- '🦧'
- '🦣'
- '🐘'
- '🦛'
- '🦏'
- '🐪'
- '🐫'
- '🦒'
- '🦘'
- '🦬'
- '🐃'
- '🐂'
- '🐄'
- '🐎'
- '🐖'
- '🐏'
- '🐑'
- '🦙'
- '🐐'
- '🦌'
- '🐕'
- '🐩'
- '🦮'
- '🐕🦺'
- '🐈'
- '🐈⬛'
- '🪶'
- '🐓'
- '🦃'
- '🦤'
- '🦚'
- '🦜'
- '🦢'
- '🦩'
- '🕊'
- '🐇'
- '🦝'
- '🦨'
- '🦡'
- '🦫'
- '🦦'
- '🦥'
- '🐁'
- '🐀'
- '🐿'
- '🦔'
- '🐾'
- '🐉'
- '🐲'
- '🌵'
- '🎄'
- '🌲'
- '🌳'
- '🌴'
- '🪹'
- '🪺'
- '🪵'
- '🌱'
- '🌿'
- '☘️'
- '🍀'
- '🎍'
- '🪴'
- '🎋'
- '🍃'
- '🍂'
- '🍁'
- '🍄'
- '🐚'
- '🪨'
- '🌾'
- '💐'
- '🌷'
- '🪷'
- '🌹'
- '🥀'
- '🌺'
- '🌸'
- '🌼'
- '🌻'
- '🌞'
- '🌝'
- '🌛'
- '🌜'
- '🌚'
- '🌕'
- '🌖'
- '🌗'
- '🌘'
- '🌑'
- '🌒'
- '🌓'
- '🌔'
- '🌙'
- '🌎'
- '🌍'
- '🌏'
- '🪐'
- '💫'
- '⭐️'
- '🌟'
- '✨'
- '⚡️'
- '☄️'
- '💥'
- '🔥'
- '🌪'
- '🌈'
- '☀️'
- '🌤'
- '⛅️'
- '🌥'
- '☁️'
- '🌦'
- '🌧'
- '⛈'
- '🌩'
- '🌨'
- '❄️'
- '☃️'
- '⛄️'
- '🌬'
- '💨'
- '💧'
- '💦'
- '🫧'
- '☔️'
- '☂️'
- '🌊'
- '🌫🍏'
- '🍎'
- '🍐'
- '🍊'
- '🍋'
- '🍌'
- '🍉'
- '🍇'
- '🍓'
- '🫐'
- '🍈'
- '🍒'
- '🍑'
- '🥭'
- '🍍'
- '🥥'
- '🥝'
- '🍅'
- '🍆'
- '🥑'
- '🥦'
- '🥬'
- '🥒'
- '🌶'
- '🫑'
- '🌽'
- '🥕'
- '🫒'
- '🧄'
- '🧅'
- '🥔'
- '🍠'
- '🫘'
- '🥐'
- '🥯'
- '🍞'
- '🥖'
- '🥨'
- '🧀'
- '🥚'
- '🍳'
- '🧈'
- '🥞'
- '🧇'
- '🥓'
- '🥩'
- '🍗'
- '🍖'
- '🦴'
- '🌭'
- '🍔'
- '🍟'
- '🍕'
- '🫓'
- '🥪'
- '🥙'
- '🧆'
- '🌮'
- '🌯'
- '🫔'
- '🥗'
- '🥘'
- '🫕'
- '🥫'
- '🍝'
- '🍜'
- '🍲'
- '🍛'
- '🍣'
- '🍱'
- '🥟'
- '🦪'
- '🍤'
- '🍙'
- '🍚'
- '🍘'
- '🍥'
- '🥠'
- '🥮'
- '🍢'
- '🍡'
- '🍧'
- '🍨'
- '🍦'
- '🥧'
- '🧁'
- '🍰'
- '🎂'
- '🍮'
- '🍭'
- '🍬'
- '🍫'
- '🍿'
- '🍩'
- '🍪'
- '🌰'
- '🥜'
- '🍯'
- '🥛'
- '🍼'
- '🫖'
- '☕️'
- '🍵'
- '🧃'
- '🥤'
- '🧋'
- '🫙'
- '🍶'
- '🍺'
- '🍻'
- '🥂'
- '🍷'
- '🫗'
- '🥃'
- '🍸'
- '🍹'
- '🧉'
- '🍾'
- '🧊'
- '🥄'
- '🍴'
- '🍽'
- '🥣'
- '🥡'
- '🥢'
- '🧂'
- '⚽️'
- '🏀'
- '🏈'
- '⚾️'
- '🥎'
- '🎾'
- '🏐'
- '🏉'
- '🥏'
- '🎱'
- '🪀'
- '🏓'
- '🏸'
- '🏒'
- '🏑'
- '🥍'
- '🏏'
- '🪃'
- '🥅'
- '⛳️'
- '🪁'
- '🏹'
- '🎣'
- '🤿'
- '🥊'
- '🥋'
- '🎽'
- '🛹'
- '🛼'
- '🛷'
- '⛸'
- '🥌'
- '🎿'
- '⛷'
- '🏂'
- '🪂'
- '🏋️♀️'
- '🏋️'
- '🏋️♂️'
- '🤼♀️'
- '🤼'
- '🤼♂️'
- '🤸♀️'
- '🤸'
- '🤸♂️'
- '⛹️♀️'
- '⛹️'
- '⛹️♂️'
- '🤺'
- '🤾♀️'
- '🤾'
- '🤾♂️'
- '🏌️♀️'
- '🏌️'
- '🏌️♂️'
- '🏇'
- '🧘♀️'
- '🧘'
- '🧘♂️'
- '🏄♀️'
- '🏄'
- '🏄♂️'
- '🏊♀️'
- '🏊'
- '🏊♂️'
- '🤽♀️'
- '🤽'
- '🤽♂️'
- '🚣♀️'
- '🚣'
- '🚣♂️'
- '🧗♀️'
- '🧗'
- '🧗♂️'
- '🚵♀️'
- '🚵'
- '🚵♂️'
- '🚴♀️'
- '🚴'
- '🚴♂️'
- '🏆'
- '🥇'
- '🥈'
- '🥉'
- '🏅'
- '🎖'
- '🏵'
- '🎗'
- '🎫'
- '🎟'
- '🎪'
- '🤹'
- '🤹♂️'
- '🤹♀️'
- '🎭'
- '🩰'
- '🎨'
- '🎬'
- '🎤'
- '🎧'
- '🎼'
- '🎹'
- '🥁'
- '🪘'
- '🎷'
- '🎺'
- '🪗'
- '🎸'
- '🪕'
- '🎻'
- '🎲'
- '♟'
- '🎯'
- '🎳'
- '🎮'
- '🎰'
- '🧩'
- '🚗'
- '🚕'
- '🚙'
- '🚌'
- '🚎'
- '🏎'
- '🚓'
- '🚑'
- '🚒'
- '🚐'
- '🛻'
- '🚚'
- '🚛'
- '🚜'
- '🦯'
- '🦽'
- '🦼'
- '🛴'
- '🚲'
- '🛵'
- '🏍'
- '🛺'
- '🚨'
- '🚔'
- '🚍'
- '🚘'
- '🚖'
- '🛞'
- '🚡'
- '🚠'
- '🚟'
- '🚃'
- '🚋'
- '🚞'
- '🚝'
- '🚄'
- '🚅'
- '🚈'
- '🚂'
- '🚆'
- '🚇'
- '🚊'
- '🚉'
- '✈️'
- '🛫'
- '🛬'
- '🛩'
- '💺'
- '🛰'
- '🚀'
- '🛸'
- '🚁'
- '🛶'
- '⛵️'
- '🚤'
- '🛥'
- '🛳'
- '⛴'
- '🚢'
- '⚓️'
- '🛟'
- '🪝'
- '⛽️'
- '🚧'
- '🚦'
- '🚥'
- '🚏'
- '🗺'
- '🗿'
- '🗽'
- '🗼'
- '🏰'
- '🏯'
- '🏟'
- '🎡'
- '🎢'
- '🛝'
- '🎠'
- '⛲️'
- '⛱'
- '🏖'
- '🏝'
- '🏜'
- '🌋'
- '⛰'
- '🏔'
- '🗻'
- '🏕'
- '⛺️'
- '🛖'
- '🏠'
- '🏡'
- '🏘'
- '🏚'
- '🏗'
- '🏭'
- '🏢'
- '🏬'
- '🏣'
- '🏤'
- '🏥'
- '🏦'
- '🏨'
- '🏪'
- '🏫'
- '🏩'
- '💒'
- '🏛'
- '⛪️'
- '🕌'
- '🕍'
- '🛕'
- '🕋'
- '⛩'
- '🛤'
- '🛣'
- '🗾'
- '🎑'
- '🏞'
- '🌅'
- '🌄'
- '🌠'
- '🎇'
- '🎆'
- '🌇'
- '🌆'
- '🏙'
- '🌃'
- '🌌'
- '🌉'
- '🌁'
- '⌚️'
- '📱'
- '📲'
- '💻'
- '⌨️'
- '🖥'
- '🖨'
- '🖱'
- '🖲'
- '🕹'
- '🗜'
- '💽'
- '💾'
- '💿'
- '📀'
- '📼'
- '📷'
- '📸'
- '📹'
- '🎥'
- '📽'
- '🎞'
- '📞'
- '☎️'
- '📟'
- '📠'
- '📺'
- '📻'
- '🎙'
- '🎚'
- '🎛'
- '🧭'
- '⏱'
- '⏲'
- '⏰'
- '🕰'
- '⌛️'
- '⏳'
- '📡'
- '🔋'
- '🪫'
- '🔌'
- '💡'
- '🔦'
- '🕯'
- '🪔'
- '🧯'
- '🛢'
- '💸'
- '💵'
- '💴'
- '💶'
- '💷'
- '🪙'
- '💰'
- '💳'
- '💎'
- '⚖️'
- '🪜'
- '🧰'
- '🪛'
- '🔧'
- '🔨'
- '⚒'
- '🛠'
- '⛏'
- '🪚'
- '🔩'
- '⚙️'
- '🪤'
- '🧱'
- '⛓'
- '🧲'
- '🔫'
- '💣'
- '🧨'
- '🪓'
- '🔪'
- '🗡'
- '⚔️'
- '🛡'
- '🚬'
- '⚰️'
- '🪦'
- '⚱️'
- '🏺'
- '🔮'
- '📿'
- '🧿'
- '🪬'
- '💈'
- '⚗️'
- '🔭'
- '🔬'
- '🕳'
- '🩹'
- '🩺'
- '🩻'
- '🩼'
- '💊'
- '💉'
- '🩸'
- '🧬'
- '🦠'
- '🧫'
- '🧪'
- '🌡'
- '🧹'
- '🪠'
- '🧺'
- '🧻'
- '🚽'
- '🚰'
- '🚿'
- '🛁'
- '🛀'
- '🧼'
- '🪥'
- '🪒'
- '🧽'
- '🪣'
- '🧴'
- '🛎'
- '🔑'
- '🗝'
- '🚪'
- '🪑'
- '🛋'
- '🛏'
- '🛌'
- '🧸'
- '🪆'
- '🖼'
- '🪞'
- '🪟'
- '🛍'
- '🛒'
- '🎁'
- '🎈'
- '🎏'
- '🎀'
- '🪄'
- '🪅'
- '🎊'
- '🎉'
- '🪩'
- '🎎'
- '🏮'
- '🎐'
- '🧧'
- '✉️'
- '📩'
- '📨'
- '📧'
- '💌'
- '📥'
- '📤'
- '📦'
- '🏷'
- '🪧'
- '📪'
- '📫'
- '📬'
- '📭'
- '📮'
- '📯'
- '📜'
- '📃'
- '📄'
- '📑'
- '🧾'
- '📊'
- '📈'
- '📉'
- '🗒'
- '🗓'
- '📆'
- '📅'
- '🗑'
- '🪪'
- '📇'
- '🗃'
- '🗳'
- '🗄'
- '📋'
- '📁'
- '📂'
- '🗂'
- '🗞'
- '📰'
- '📓'
- '📔'
- '📒'
- '📕'
- '📗'
- '📘'
- '📙'
- '📚'
- '📖'
- '🔖'
- '🧷'
- '🔗'
- '📎'
- '🖇'
- '📐'
- '📏'
- '🧮'
- '📌'
- '📍'
- '✂️'
- '🖊'
- '🖋'
- '✒️'
- '🖌'
- '🖍'
- '📝'
- '✏️'
- '🔍'
- '🔎'
- '🔏'
- '🔐'
- '🔒'
- '🔓❤️'
- '🧡'
- '💛'
- '💚'
- '💙'
- '💜'
- '🖤'
- '🤍'
- '🤎'
- '❤️🔥'
- '❤️🩹'
- '💔'
- '❣️'
- '💕'
- '💞'
- '💓'
- '💗'
- '💖'
- '💘'
- '💝'
- '💟'
- '☮️'
- '✝️'
- '☪️'
- '🕉'
- '☸️'
- '✡️'
- '🔯'
- '🕎'
- '☯️'
- '☦️'
- '🛐'
- '⛎'
- '♈️'
- '♉️'
- '♊️'
- '♋️'
- '♌️'
- '♍️'
- '♎️'
- '♏️'
- '♐️'
- '♑️'
- '♒️'
- '♓️'
- '🆔'
- '⚛️'
- '🉑'
- '☢️'
- '☣️'
- '📴'
- '📳'
- '🈶'
- '🈚️'
- '🈸'
- '🈺'
- '🈷️'
- '✴️'
- '🆚'
- '💮'
- '🉐'
- '㊙️'
- '㊗️'
- '🈴'
- '🈵'
- '🈹'
- '🈲'
- '🅰️'
- '🅱️'
- '🆎'
- '🆑'
- '🅾️'
- '🆘'
- '❌'
- '⭕️'
- '🛑'
- '⛔️'
- '📛'
- '🚫'
- '💯'
- '💢'
- '♨️'
- '🚷'
- '🚯'
- '🚳'
- '🚱'
- '🔞'
- '📵'
- '🚭'
- '❗️'
- '❕'
- '❓'
- '❔'
- '‼️'
- '⁉️'
- '🔅'
- '🔆'
- '〽️'
- '⚠️'
- '🚸'
- '🔱'
- '⚜️'
- '🔰'
- '♻️'
- '✅'
- '🈯️'
- '💹'
- '❇️'
- '✳️'
- '❎'
- '🌐'
- '💠'
- 'Ⓜ️'
- '🌀'
- '💤'
- '🏧'
- '🚾'
- '♿️'
- '🅿️'
- '🛗'
- '🈳'
- '🈂️'
- '🛂'
- '🛃'
- '🛄'
- '🛅'
- '🚹'
- '🚺'
- '🚼'
- '⚧'
- '🚻'
- '🚮'
- '🎦'
- '📶'
- '🈁'
- '🔣'
- 'ℹ️'
- '🔤'
- '🔡'
- '🔠'
- '🆖'
- '🆗'
- '🆙'
- '🆒'
- '🆕'
- '🆓'
- '0️⃣'
- '1️⃣'
- '2️⃣'
- '3️⃣'
- '4️⃣'
- '5️⃣'
- '6️⃣'
- '7️⃣'
- '8️⃣'
- '9️⃣'
- '🔟'
- '🔢'
- '#️⃣'
- '*️⃣'
- '⏏️'
- '▶️'
- '⏸'
- '⏯'
- '⏹'
- '⏺'
- '⏭'
- '⏮'
- '⏩'
- '⏪'
- '⏫'
- '⏬'
- '◀️'
- '🔼'
- '🔽'
- '➡️'
- '⬅️'
- '⬆️'
- '⬇️'
- '↗️'
- '↘️'
- '↙️'
- '↖️'
- '↕️'
- '↔️'
- '↪️'
- '↩️'
- '⤴️'
- '⤵️'
- '🔀'
- '🔁'
- '🔂'
- '🔄'
- '🔃'
- '🎵'
- '🎶'
- '➕'
- '➖'
- '➗'
- '✖️'
- '🟰'
- '♾'
- '💲'
- '💱'
- '™️'
- '©️'
- '®️'
- '〰️'
- '➰'
- '➿'
- '🔚'
- '🔙'
- '🔛'
- '🔝'
- '🔜'
- '✔️'
- '☑️'
- '🔘'
- '🔴'
- '🟠'
- '🟡'
- '🟢'
- '🔵'
- '🟣'
- '⚫️'
- '⚪️'
- '🟤'
- '🔺'
- '🔻'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Moderate · Alert-volume tier: High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🔸'
- '🔹'
- '🔶'
- '🔷'
- '🔳'
- '🔲'
- '▪️'
- '▫️'
- '◾️'
- '◽️'
- '◼️'
- '◻️'
- '🟥'
- '🟧'
- '🟨'
- '🟩'
- '🟦'
- '🟪'
- '⬛️'
- '⬜️'
- '🟫'
- '🔈'
- '🔇'
- '🔉'
- '🔊'
- '🔔'
- '🔕'
- '📣'
- '📢'
- '👁🗨'
- '💬'
- '💭'
- '🗯'
- '♠️'
- '♣️'
- '♥️'
- '♦️'
- '🃏'
- '🎴'
- '🀄️'
- '🕐'
- '🕑'
- '🕒'
- '🕓'
- '🕔'
- '🕕'
- '🕖'
- '🕗'
- '🕘'
- '🕙'
- '🕚'
- '🕛'
- '🕜'
- '🕝'
- '🕞'
- '🕟'
- '🕠'
- '🕡'
- '🕢'
- '🕣'
- '🕤'
- '🕥'
- '🕦'
- '🕧✢'
- '✣'
- '✤'
- '✥'
- '✦'
- '✧'
- '★'
- '☆'
- '✯'
- '✡︎'
- '✩'
- '✪'
- '✫'
- '✬'
- '✭'
- '✮'
- '✶'
- '✷'
- '✵'
- '✸'
- '✹'
- '→'
- '⇒'
- '⟹'
- '⇨'
- '⇾'
- '➾'
- '⇢'
- '☛'
- '☞'
- '➔'
- '➜'
- '➙'
- '➛'
- '➝'
- '➞'
- '♠︎'
- '♣︎'
- '♥︎'
- '♦︎'
- '♤'
- '♧'
- '♡'
- '♢'
- '♚'
- '♛'
- '♜'
- '♝'
- '♞'
- '♟'
- '♔'
- '♕'
- '♖'
- '♗'
- '♘'
- '♙'
- '⚀'
- '⚁'
- '⚂'
- '⚃'
- '⚄'
- '⚅'
- '🂠'
- '⚈'
- '⚉'
- '⚆'
- '⚇'
- '𓀀'
- '𓀁'
- '𓀂'
- '𓀃'
- '𓀄'
- '𓀅'
- '𓀆'
- '𓀇'
- '𓀈'
- '𓀉'
- '𓀊'
- '𓀋'
- '𓀌'
- '𓀍'
- '𓀎'
- '𓀏'
- '𓀐'
- '𓀑'
- '𓀒'
- '𓀓'
- '𓀔'
- '𓀕'
- '𓀖'
- '𓀗'
- '𓀘'
- '𓀙'
- '𓀚'
- '𓀛'
- '𓀜'
- '𓀝🏳️'
- '🏴'
- '🏁'
- '🚩'
- '🏳️🌈'
- '🏳️⚧️'
- '🏴☠️'
- '🇦🇫'
- '🇦🇽'
- '🇦🇱'
- '🇩🇿'
- '🇦🇸'
- '🇦🇩'
- '🇦🇴'
- '🇦🇮'
- '🇦🇶'
- '🇦🇬'
- '🇦🇷'
- '🇦🇲'
- '🇦🇼'
- '🇦🇺'
- '🇦🇹'
- '🇦🇿'
- '🇧🇸'
- '🇧🇭'
- '🇧🇩'
- '🇧🇧'
- '🇧🇾'
- '🇧🇪'
- '🇧🇿'
- '🇧🇯'
- '🇧🇲'
- '🇧🇹'
- '🇧🇴'
- '🇧🇦'
- '🇧🇼'
- '🇧🇷'
- '🇮🇴'
- '🇻🇬'
- '🇧🇳'
- '🇧🇬'
- '🇧🇫'
- '🇧🇮'
- '🇰🇭'
- '🇨🇲'
- '🇨🇦'
- '🇮🇨'
- '🇨🇻'
- '🇧🇶'
- '🇰🇾'
- '🇨🇫'
- '🇹🇩'
- '🇨🇱'
- '🇨🇳'
- '🇨🇽'
- '🇨🇨'
- '🇨🇴'
- '🇰🇲'
- '🇨🇬'
- '🇨🇩'
- '🇨🇰'
- '🇨🇷'
- '🇨🇮'
- '🇭🇷'
- '🇨🇺'
- '🇨🇼'
- '🇨🇾'
- '🇨🇿'
- '🇩🇰'
- '🇩🇯'
- '🇩🇲'
- '🇩🇴'
- '🇪🇨'
- '🇪🇬'
- '🇸🇻'
- '🇬🇶'
- '🇪🇷'
- '🇪🇪'
- '🇪🇹'
- '🇪🇺'
- '🇫🇰'
- '🇫🇴'
- '🇫🇯'
- '🇫🇮'
- '🇫🇷'
- '🇬🇫'
- '🇵🇫'
- '🇹🇫'
- '🇬🇦'
- '🇬🇲'
- '🇬🇪'
- '🇩🇪'
- '🇬🇭'
- '🇬🇮'
- '🇬🇷'
- '🇬🇱'
- '🇬🇩'
- '🇬🇵'
- '🇬🇺'
- '🇬🇹'
- '🇬🇬'
- '🇬🇳'
- '🇬🇼'
- '🇬🇾'
- '🇭🇹'
- '🇭🇳'
- '🇭🇰'
- '🇭🇺'
- '🇮🇸'
- '🇮🇳'
- '🇮🇩'
- '🇮🇷'
- '🇮🇶'
- '🇮🇪'
- '🇮🇲'
- '🇮🇱'
- '🇮🇹'
- '🇯🇲'
- '🇯🇵'
- '🎌'
- '🇯🇪'
- '🇯🇴'
- '🇰🇿'
- '🇰🇪'
- '🇰🇮'
- '🇽🇰'
- '🇰🇼'
- '🇰🇬'
- '🇱🇦'
- '🇱🇻'
- '🇱🇧'
- '🇱🇸'
- '🇱🇷'
- '🇱🇾'
- '🇱🇮'
- '🇱🇹'
- '🇱🇺'
- '🇲🇴'
- '🇲🇰'
- '🇲🇬'
- '🇲🇼'
- '🇲🇾'
- '🇲🇻'
- '🇲🇱'
- '🇲🇹'
- '🇲🇭'
- '🇲🇶'
- '🇲🇷'
- '🇲🇺'
- '🇾🇹'
- '🇲🇽'
- '🇫🇲'
- '🇲🇩'
- '🇲🇨'
- '🇲🇳'
- '🇲🇪'
- '🇲🇸'
- '🇲🇦'
- '🇲🇿'
- '🇲🇲'
- '🇳🇦'
- '🇳🇷'
- '🇳🇵'
- '🇳🇱'
- '🇳🇨'
- '🇳🇿'
- '🇳🇮'
- '🇳🇪'
- '🇳🇬'
- '🇳🇺'
- '🇳🇫'
- '🇰🇵'
- '🇲🇵'
- '🇳🇴'
- '🇴🇲'
- '🇵🇰'
- '🇵🇼'
- '🇵🇸'
- '🇵🇦'
- '🇵🇬'
- '🇵🇾'
- '🇵🇪'
- '🇵🇭'
- '🇵🇳'
- '🇵🇱'
- '🇵🇹'
- '🇵🇷'
- '🇶🇦'
- '🇷🇪'
- '🇷🇴'
- '🇷🇺'
- '🇷🇼'
- '🇼🇸'
- '🇸🇲'
- '🇸🇦'
- '🇸🇳'
- '🇷🇸'
- '🇸🇨'
- '🇸🇱'
- '🇸🇬'
- '🇸🇽'
- '🇸🇰'
- '🇸🇮'
- '🇬🇸'
- '🇸🇧'
- '🇸🇴'
- '🇿🇦'
- '🇰🇷'
- '🇸🇸'
- '🇪🇸'
- '🇱🇰'
- '🇧🇱'
- '🇸🇭'
- '🇰🇳'
- '🇱🇨'
- '🇵🇲'
- '🇻🇨'
- '🇸🇩'
- '🇸🇷'
- '🇸🇿'
- '🇸🇪'
- '🇨🇭'
- '🇸🇾'
- '🇹🇼'
- '🇹🇯'
- '🇹🇿'
- '🇹🇭'
- '🇹🇱'
- '🇹🇬'
- '🇹🇰'
- '🇹🇴'
- '🇹🇹'
- '🇹🇳'
- '🇹🇷'
- '🇹🇲'
- '🇹🇨'
- '🇹🇻'
- '🇻🇮'
- '🇺🇬'
- '🇺🇦'
- '🇦🇪'
- '🇬🇧'
- '🏴'
- '🏴'
- '🏴'
- '🇺🇳'
- '🇺🇸'
- '🇺🇾'
- '🇺🇿'
- '🇻🇺'
- '🇻🇦'
- '🇻🇪'
- '🇻🇳'
- '🇼🇫'
- '🇪🇭'
- '🇾🇪'
- '🇿🇲'
- '🇿🇼🫠'
- '🫢'
- '🫣'
- '🫡'
- '🫥'
- '🫤'
- '🥹'
- '🫱'
- '🫱🏻'
- '🫱🏼'
- '🫱🏽'
- '🫱🏾'
- '🫱🏿'
- '🫲'
- '🫲🏻'
- '🫲🏼'
- '🫲🏽'
- '🫲🏾'
- '🫲🏿'
- '🫳'
- '🫳🏻'
- '🫳🏼'
- '🫳🏽'
- '🫳🏾'
- '🫳🏿'
- '🫴'
- '🫴🏻'
- '🫴🏼'
- '🫴🏽'
- '🫴🏾'
- '🫴🏿'
- '🫰'
- '🫰🏻'
- '🫰🏼'
- '🫰🏽'
- '🫰🏾'
- '🫰🏿'
- '🫵'
- '🫵🏻'
- '🫵🏼'
- '🫵🏽'
- '🫵🏾'
- '🫵🏿'
- '🫶'
- '🫶🏻'
- '🫶🏼'
- '🫶🏽'
- '🫶🏾'
- '🫶🏿'
- '🤝🏻'
- '🤝🏼'
- '🤝🏽'
- '🤝🏾'
- '🤝🏿'
- '🫱🏻🫲🏼'
- '🫱🏻🫲🏽'
- '🫱🏻🫲🏾'
- '🫱🏻🫲🏿'
- '🫱🏼🫲🏻'
- '🫱🏼🫲🏽'
- '🫱🏼🫲🏾'
- '🫱🏼🫲🏿'
- '🫱🏽🫲🏻'
- '🫱🏽🫲🏼'
- '🫱🏽🫲🏾'
- '🫱🏽🫲🏿'
- '🫱🏾🫲🏻'
- '🫱🏾🫲🏼'
- '🫱🏾🫲🏽'
- '🫱🏾🫲🏿'
- '🫱🏿🫲🏻'
- '🫱🏿🫲🏼'
- '🫱🏿🫲🏽'
- '🫱🏿🫲🏾'
- '🫦'
- '🫅'
- '🫅🏻'
- '🫅🏼'
- '🫅🏽'
- '🫅🏾'
- '🫅🏿'
- '🫃'
- '🫃🏻'
- '🫃🏼'
- '🫃🏽'
- '🫃🏾'
- '🫃🏿'
- '🫄'
- '🫄🏻'
- '🫄🏼'
- '🫄🏽'
- '🫄🏾'
- '🫄🏿'
- '🧌'
- '🪸'
- '🪷'
- '🪹'
- '🪺'
- '🫘'
- '🫗'
- '🫙'
- '🛝'
- '🛞'
- '🛟'
- '🪬'
- '🪩'
- '🪫'
- '🩼'
- '🩻'
- '🫧'
- '🪪'
- '🟰'
- '😮💨'
- '😵💫'
- '😶🌫️'
- '❤️🔥'
- '❤️🩹'
- '🧔♀️'
- '🧔🏻♀️'
- '🧔🏼♀️'
- '🧔🏽♀️'
- '🧔🏾♀️'
- '🧔🏿♀️'
- '🧔♂️'
- '🧔🏻♂️'
- '🧔🏼♂️'
- '🧔🏽♂️'
- '🧔🏾♂️'
- '🧔🏿♂️'
- '💑🏻'
- '💑🏼'
- '💑🏽'
- '💑🏾'
- '💑🏿'
- '💏🏻'
- '💏🏼'
- '💏🏽'
- '💏🏾'
- '💏🏿'
- '👨🏻❤️👨🏻'
- '👨🏻❤️👨🏼'
- '👨🏻❤️👨🏽'
- '👨🏻❤️👨🏾'
- '👨🏻❤️👨🏿'
- '👨🏼❤️👨🏻'
- '👨🏼❤️👨🏼'
- '👨🏼❤️👨🏽'
- '👨🏼❤️👨🏾'
- '👨🏼❤️👨🏿'
- '👨🏽❤️👨🏻'
- '👨🏽❤️👨🏼'
- '👨🏽❤️👨🏽'
- '👨🏽❤️👨🏾'
- '👨🏽❤️👨🏿'
- '👨🏾❤️👨🏻'
- '👨🏾❤️👨🏼'
- '👨🏾❤️👨🏽'
- '👨🏾❤️👨🏾'
- '👨🏾❤️👨🏿'
- '👨🏿❤️👨🏻'
- '👨🏿❤️👨🏼'
- '👨🏿❤️👨🏽'
- '👨🏿❤️👨🏾'
- '👨🏿❤️👨🏿'
- '👩🏻❤️👨🏻'
- '👩🏻❤️👨🏼'
- '👩🏻❤️👨🏽'
- '👩🏻❤️👨🏾'
- '👩🏻❤️👨🏿'
- '👩🏻❤️👩🏻'
- '👩🏻❤️👩🏼'
- '👩🏻❤️👩🏽'
- '👩🏻❤️👩🏾'
- '👩🏻❤️👩🏿'
- '👩🏼❤️👨🏻'
- '👩🏼❤️👨🏼'
- '👩🏼❤️👨🏽'
- '👩🏼❤️👨🏾'
- '👩🏼❤️👨🏿'
- '👩🏼❤️👩🏻'
- '👩🏼❤️👩🏼'
- '👩🏼❤️👩🏽'
- '👩🏼❤️👩🏾'
- '👩🏼❤️👩🏿'
- '👩🏽❤️👨🏻'
- '👩🏽❤️👨🏼'
- '👩🏽❤️👨🏽'
- '👩🏽❤️👨🏾'
- '👩🏽❤️👨🏿'
- '👩🏽❤️👩🏻'
- '👩🏽❤️👩🏼'
- '👩🏽❤️👩🏽'
- '👩🏽❤️👩🏾'
- '👩🏽❤️👩🏿'
- '👩🏾❤️👨🏻'
- '👩🏾❤️👨🏼'
- '👩🏾❤️👨🏽'
- '👩🏾❤️👨🏾'
- '👩🏾❤️👨🏿'
- '👩🏾❤️👩🏻'
- '👩🏾❤️👩🏼'
- '👩🏾❤️👩🏽'
- '👩🏾❤️👩🏾'
- '👩🏾❤️👩🏿'
- '👩🏿❤️👨🏻'
- '👩🏿❤️👨🏼'
- '👩🏿❤️👨🏽'
- '👩🏿❤️👨🏾'
- '👩🏿❤️👨🏿'
- '👩🏿❤️👩🏻'
- '👩🏿❤️👩🏼'
- '👩🏿❤️👩🏽'
- '👩🏿❤️👩🏾'
- '👩🏿❤️👩🏿'
- '🧑🏻❤️🧑🏼'
- '🧑🏻❤️🧑🏽'
- '🧑🏻❤️🧑🏾'
- '🧑🏻❤️🧑🏿'
- '🧑🏼❤️🧑🏻'
- '🧑🏼❤️🧑🏽'
- '🧑🏼❤️🧑🏾'
- '🧑🏼❤️🧑🏿'
- '🧑🏽❤️🧑🏻'
- '🧑🏽❤️🧑🏼'
- '🧑🏽❤️🧑🏾'
- '🧑🏽❤️🧑🏿'
- '🧑🏾❤️🧑🏻'
- '🧑🏾❤️🧑🏼'
- '🧑🏾❤️🧑🏽'
- '🧑🏾❤️🧑🏿'
- '🧑🏿❤️🧑🏻'
- '🧑🏿❤️🧑🏼'
- '🧑🏿❤️🧑🏽'
- '🧑🏿❤️🧑🏾'
- '👨🏻❤️💋👨🏻'
- '👨🏻❤️💋👨🏼'
- '👨🏻❤️💋👨🏽'
- '👨🏻❤️💋👨🏾'
- '👨🏻❤️💋👨🏿'
- '👨🏼❤️💋👨🏻'
- '👨🏼❤️💋👨🏼'
- '👨🏼❤️💋👨🏽'
- '👨🏼❤️💋👨🏾'
- '👨🏼❤️💋👨🏿'
- '👨🏽❤️💋👨🏻'
- '👨🏽❤️💋👨🏼'
- '👨🏽❤️💋👨🏽'
- '👨🏽❤️💋👨🏾'
- '👨🏽❤️💋👨🏿'
- '👨🏾❤️💋👨🏻'
- '👨🏾❤️💋👨🏼'
- '👨🏾❤️💋👨🏽'
- '👨🏾❤️💋👨🏾'
- '👨🏾❤️💋👨🏿'
- '👨🏿❤️💋👨🏻'
- '👨🏿❤️💋👨🏼'
- '👨🏿❤️💋👨🏽'
- '👨🏿❤️💋👨🏾'
- '👨🏿❤️💋👨🏿'
- '👩🏻❤️💋👨🏻'
- '👩🏻❤️💋👨🏼'
- '👩🏻❤️💋👨🏽'
- '👩🏻❤️💋👨🏾'
- '👩🏻❤️💋👨🏿'
- '👩🏻❤️💋👩🏻'
- '👩🏻❤️💋👩🏼'
- '👩🏻❤️💋👩🏽'
- '👩🏻❤️💋👩🏾'
- '👩🏻❤️💋👩🏿'
- '👩🏼❤️💋👨🏻'
- '👩🏼❤️💋👨🏼'
- '👩🏼❤️💋👨🏽'
- '👩🏼❤️💋👨🏾'
- '👩🏼❤️💋👨🏿'
- '👩🏼❤️💋👩🏻'
- '👩🏼❤️💋👩🏼'
- '👩🏼❤️💋👩🏽'
- '👩🏼❤️💋👩🏾'
- '👩🏼❤️💋👩🏿'
- '👩🏽❤️💋👨🏻'
- '👩🏽❤️💋👨🏼'
- '👩🏽❤️💋👨🏽'
- '👩🏽❤️💋👨🏾'
- '👩🏽❤️💋👨🏿'
- '👩🏽❤️💋👩🏻'
- '👩🏽❤️💋👩🏼'
- '👩🏽❤️💋👩🏽'
- '👩🏽❤️💋👩🏾'
- '👩🏽❤️💋👩🏿'
- '👩🏾❤️💋👨🏻'
- '👩🏾❤️💋👨🏼'
- '👩🏾❤️💋👨🏽'
- '👩🏾❤️💋👨🏾'
- '👩🏾❤️💋👨🏿'
- '👩🏾❤️💋👩🏻'
- '👩🏾❤️💋👩🏼'
- '👩🏾❤️💋👩🏽'
- '👩🏾❤️💋👩🏾'
- '👩🏾❤️💋👩🏿'
- '👩🏿❤️💋👨🏻'
- '👩🏿❤️💋👨🏼'
- '👩🏿❤️💋👨🏽'
- '👩🏿❤️💋👨🏾'
- '👩🏿❤️💋👨🏿'
- '👩🏿❤️💋👩🏻'
- '👩🏿❤️💋👩🏼'
- '👩🏿❤️💋👩🏽'
- '👩🏿❤️💋👩🏾'
- '👩🏿❤️💋👩🏿'
- '🧑🏻❤️💋🧑🏼'
- '🧑🏻❤️💋🧑🏽'
- '🧑🏻❤️💋🧑🏾'
- '🧑🏻❤️💋🧑🏿'
- '🧑🏼❤️💋🧑🏻'
- '🧑🏼❤️💋🧑🏽'
- '🧑🏼❤️💋🧑🏾'
- '🧑🏼❤️💋🧑🏿'
- '🧑🏽❤️💋🧑🏻'
- '🧑🏽❤️💋🧑🏼'
- '🧑🏽❤️💋🧑🏾'
- '🧑🏽❤️💋🧑🏿'
- '🧑🏾❤️💋🧑🏻'
- '🧑🏾❤️💋🧑🏼'
- '🧑🏾❤️💋🧑🏽'
- '🧑🏾❤️💋🧑🏿'
- '🧑🏿❤️💋🧑🏻'
- '🧑🏿❤️💋🧑🏼'
- '🧑🏿❤️💋🧑🏽'
- '🧑🏿❤️💋🧑🏾'
condition: selection
falsepositives:
- Unknown
level: high
Level: high · Quality tier: Strong · Alert-volume tier: Medium FP
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware, using the Sysmon OriginalFileName datapoint to compare the on-disk name with the compiled-in name.
view Sigma YAML
title: Potential Defense Evasion Via Rename Of Highly Relevant Binaries
id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
related:
- id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
type: similar
- id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed # Renamed Rundll32 Specific
type: derived
- id: a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2 # Renamed PsExec
type: obsolete
- id: d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20 # Renamed PowerShell
type: obsolete
- id: d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2 # Renamed Rundll32
type: obsolete
status: test
description: Detects the execution of a renamed binary often used by attackers or malware, using the Sysmon OriginalFileName datapoint to compare the on-disk name with the compiled-in name.
references:
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
- https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
- https://twitter.com/christophetd/status/1164506034720952320
- https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
- https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke
author: Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113
date: 2019-06-15
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036.003
- car.2013-05-009
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'Execute processes remotely'
- Product: 'Sysinternals PsExec'
- Description|startswith:
- 'Windows PowerShell'
- 'pwsh'
- OriginalFileName:
- 'certutil.exe'
- 'cmstp.exe'
- 'cscript.exe'
- 'IE4UINIT.EXE'
- 'finger.exe'
- 'mshta.exe'
- 'msiexec.exe'
- 'msxsl.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'psexec.c' # old versions of psexec (2016 seen)
- 'psexec.exe'
- 'psexesvc.exe'
- 'pwsh.dll'
- 'reg.exe'
- 'regsvr32.exe'
- 'rundll32.exe'
- 'WerMgr'
- 'wmic.exe'
- 'wscript.exe'
filter:
Image|endswith:
- '\certutil.exe'
- '\cmstp.exe'
- '\cscript.exe'
- '\ie4uinit.exe'
- '\finger.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\psexec.exe'
- '\psexec64.exe'
- '\PSEXESVC.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wermgr.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection and not filter
falsepositives:
- Custom applications that ship renamed copies of these binaries with a slight change to the file name. Typically this is easy to spot and add to an allowlist
- PsExec installed via the Windows Store doesn't populate the OriginalFileName field, so it is not covered (false negative)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant/info.yml
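The rule above is a plain "selection and not filter" over two Sysmon fields. The following added example (mine, not code from SigmaHQ or from this page) runs that logic over constructed Sysmon-style process_creation events so the two practitioner points in the false-positive notes are visible: Sigma string matching is case-insensitive by default, so `PowerShell.EXE` and `RUNDLL32.EXE` still match, and an event with no OriginalFileName at all (the Store build of PsExec) never enters the selection. All field values and paths are constructed.

```python
"""Added example, not code from SigmaHQ or from this page: evaluate the
'Rename Of Highly Relevant Binaries' rule over constructed Sysmon-style
process_creation events. Sigma matching is case-insensitive by default,
so both sides are lower-cased before comparison."""

from typing import Dict, List

# selection: list items are OR-ed in Sigma.
SUSPECT_ORIGINAL_NAMES = {n.lower() for n in (
    "certutil.exe", "cmstp.exe", "cscript.exe", "IE4UINIT.EXE", "finger.exe",
    "mshta.exe", "msiexec.exe", "msxsl.exe", "powershell_ise.exe", "powershell.exe",
    "psexec.c", "psexec.exe", "psexesvc.exe", "pwsh.dll", "reg.exe", "regsvr32.exe",
    "rundll32.exe", "WerMgr", "wmic.exe", "wscript.exe",
)}

# filter: the on-disk names these binaries legitimately carry (Image|endswith).
EXPECTED_IMAGE_SUFFIXES = tuple(s.lower() for s in (
    "\\certutil.exe", "\\cmstp.exe", "\\cscript.exe", "\\ie4uinit.exe", "\\finger.exe",
    "\\mshta.exe", "\\msiexec.exe", "\\msxsl.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\psexec.exe", "\\psexec64.exe", "\\PSEXESVC.exe", "\\pwsh.exe",
    "\\reg.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wermgr.exe", "\\wmic.exe",
    "\\wscript.exe",
))


def _field(event: Dict[str, str], name: str) -> str:
    """Absent fields compare as empty strings; that is exactly how a missing
    OriginalFileName silently fails to match (the documented PsExec false negative)."""
    return (event.get(name) or "").lower()


def selection_matches(event: Dict[str, str]) -> bool:
    description = _field(event, "Description")
    return (
        description == "execute processes remotely"
        or _field(event, "Product") == "sysinternals psexec"
        or description.startswith(("windows powershell", "pwsh"))
        or _field(event, "OriginalFileName") in SUSPECT_ORIGINAL_NAMES
    )


def filter_matches(event: Dict[str, str]) -> bool:
    return _field(event, "Image").endswith(EXPECTED_IMAGE_SUFFIXES)


def is_renamed_binary(event: Dict[str, str]) -> bool:
    """Sigma condition: selection and not filter."""
    return selection_matches(event) and not filter_matches(event)


# Constructed sample events (field names modelled on Sysmon Event ID 1).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "Description": "Windows PowerShell"},
    {"id": "2", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
     "OriginalFileName": "PowerShell.EXE", "Description": "Windows PowerShell"},
    {"id": "3", "Image": "C:\\ProgramData\\update.exe",
     "OriginalFileName": "WerMgr", "Description": "Windows Problem Reporting"},
    {"id": "4", "Image": "C:\\Users\\alice\\Desktop\\PSEXEC64.EXE",
     "OriginalFileName": "psexec.c", "Product": "Sysinternals PsExec"},
    # Store build of PsExec: no OriginalFileName or Description populated at all.
    {"id": "5", "Image": "C:\\Users\\alice\\Desktop\\remote.exe", "Product": ""},
]


def renamed_alert_ids(events: List[Dict[str, str]]) -> List[str]:
    """IDs of the events the rule would alert on."""
    return [e["id"] for e in events if is_renamed_binary(e)]


if __name__ == "__main__":
    print(renamed_alert_ids(SAMPLE_EVENTS))  # ['2', '3']
```

Event 1 is the real PowerShell (selection hits, filter excludes it), event 4 is PsExec under its genuine 64-bit name, and event 5 never matches because the fields the rule keys on are empty; only the renamed PowerShell and the renamed wermgr are raised.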
high
Strong
High FP
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render the text that follows it in right-to-left order.
This character is used as an obfuscation and masquerading technique by adversaries to trick users into opening malicious files, for example a name that displays as ending in ".pdf" while actually ending in ".exe".
view Sigma YAML
title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: derived
- id: 584bca0f-3608-4402-80fd-4075ff6072e3
type: derived
status: test
description: |
Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render the text that follows it in right-to-left order.
This character is used as an obfuscation and masquerading technique by adversaries to trick users into opening malicious files, for example a name that displays as ending in ".pdf" while actually ending in ".exe".
references:
- https://redcanary.com/blog/right-to-left-override/
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
- https://unicode-explorer.com/c/202E
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
- attack.stealth
- attack.t1036.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '\u202e' # Unicode RTLO character
- '[U+202E]'
# Real char U+202E copied/pasted below
- ''
condition: selection
falsepositives:
- Command lines that contain right-to-left scripts such as Arabic or Hebrew might legitimately use this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
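The rule lists the override in three forms: the literal character, the `\u202e` escape as it appears in script source, and the `[U+202E]` notation some pipelines substitute for non-printable characters. One deployment check worth doing first: if the literal character was lost when the rule was copied, the last list entry reads as an empty string and `contains: ''` matches every command line in most backends, so inspect the rendered query before saving it. The added example below (mine, not code from SigmaHQ or from this page) finds all three forms in constructed command lines, strips bidi controls to recover the real extension, and approximates what a user sees; the sample file names are constructed and `displayed_name` is a simplification of the Unicode bidi algorithm (it ignores PDF and mirrored glyphs).

```python
"""Added example, not code from SigmaHQ or from this page: detect the
U+202E right-to-left override in command lines, recover the real
extension, and approximate the rendered (deceptive) form."""

import re
import unicodedata
from typing import Dict, List, Tuple

RLO = "\u202e"
# Literal character | '\u202e' escape in script text | '[U+202E]' log notation.
RLO_FORMS = re.compile(r"\u202e|\\u202e|\[U\+202E\]", re.IGNORECASE)


def find_rlo(cmdline: str) -> List[Tuple[int, str]]:
    """(offset, matched form) for every RLO representation in the command line."""
    return [(m.start(), m.group(0)) for m in RLO_FORMS.finditer(cmdline)]


def true_name(name: str) -> str:
    """Strip bidi control characters (Unicode general category Cf, which
    covers U+202A..U+202E and U+2066..U+2069) so the real name shows."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def true_extension(name: str) -> str:
    clean = true_name(name)
    return clean[clean.rfind("."):].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximation of the rendered form: everything after an RLO is shown
    reversed. Good enough to see the trick; not a full bidi implementation."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


# Constructed sample process_creation events.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "CommandLine": "C:\\Users\\alice\\Downloads\\invoice_\u202efdp.exe"},
    {"id": 2, "CommandLine": "C:\\Users\\alice\\Downloads\\invoice_[U+202E]fdp.exe"},
    {"id": 3, "CommandLine": "node -e \"fs.renameSync('a.exe','photo_\\u202egnp.scr')\""},
    {"id": 4, "CommandLine": "C:\\Windows\\System32\\notepad.exe notes.txt"},
]


def rlo_alert_ids(events: List[Dict[str, object]]) -> List[int]:
    """IDs of the events the rule's selection would raise."""
    return [e["id"] for e in events if find_rlo(str(e["CommandLine"]))]


if __name__ == "__main__":
    sample = "invoice_\u202efdp.exe"
    print(rlo_alert_ids(SAMPLE_EVENTS))           # [1, 2, 3]
    print(displayed_name(sample), true_extension(sample))  # invoice_exe.pdf .exe
```

When triaging a hit, `true_name` (or the equivalent `unicodedata` filtering in your enrichment step) is the safer field to pivot on than the raw string, because the raw string will also render reversed inside most SIEM consoles.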
high
Moderate
Medium FP
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
view Sigma YAML
title: Potential Devil Bait Malware Reconnaissance
id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: derived
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
date: 2023-05-15
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
ParentImage|endswith: '\wscript.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains: '>>%APPDATA%\Microsoft\'
CommandLine|endswith:
- '.xml'
- '.txt'
selection_recon_cmd:
- CommandLine|re: 'ipconfig\s+/all'
- CommandLine|contains:
# Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
# If you find samples using other commands please add them
- 'dir'
- 'systeminfo'
- 'tasklist'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
high
Moderate
High FP
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders under the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC
view Sigma YAML
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders under the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages, as described by the NCSC
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\schtasks.exe'
- '\wscript.exe'
- '\mshta.exe'
# Example folders used by the samples include:
# - %AppData%\Microsoft\Network\
# - %AppData%\Microsoft\Office\
TargetFilename|contains: '\AppData\Roaming\Microsoft\'
TargetFilename|endswith:
- '.txt'
- '.xml'
condition: selection
falsepositives:
- Unlikely
level: high
high
Moderate
Medium FP
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
view Sigma YAML
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\EACore.dll'
filter_main_legit_path:
Image|contains|all:
- 'C:\Program Files\Electronic Arts\EA Desktop\'
- '\EACoreServer.exe'
ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
high
Moderate
High FP
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
view Sigma YAML
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
- https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\edputil.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\' # the drive colon was missing here, so WinSxS loads were never filtered
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
high
Strong
High FP
Potential Emotet Activity
Detects Emotet-like process executions that are not covered by the more generic rules
view Sigma YAML
title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
description: Detects Emotet-like process executions that are not covered by the more generic rules
references:
- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
date: 2019-09-30
modified: 2023-02-04
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' -e* PAA'
- 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
- 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
- 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
- 'IgAoACcAKgAnACkAOwAkA' # "('*');$
- 'IAKAAnACoAJwApADsAJA' # "('*');$
- 'iACgAJwAqACcAKQA7ACQA' # "('*');$
- 'JABGAGwAeAByAGgAYwBmAGQ'
- 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(
- '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(
- '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(
filter:
CommandLine|contains:
- 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
- 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
- '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
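Each plaintext fragment in the rule above appears three times because `powershell -EncodedCommand` takes base64 of the UTF-16LE script, and base64 maps 3 bytes to 4 characters: the encoding of a substring depends on how many bytes precede it modulo 3, and the characters straddling the boundary depend on neighbouring bytes the rule cannot know. The added example below (mine, not code from SigmaHQ or from this page) derives all three alignment-stable substrings from a plaintext fragment, reproduces the rule's own `$env:userprofile` and `=$env:temp+(` strings, and checks encoded commands with different prefix lengths against them. The sample scripts are constructed; `b64_utf16le_variants` and `encoded_command` are my names.

```python
"""Added example, not code from SigmaHQ or from this page: derive the
three base64 substrings a UTF-16LE plaintext fragment produces at every
byte alignment, as used by -EncodedCommand detection rules."""

import base64
from typing import List


def b64_utf16le_variants(fragment: str) -> List[str]:
    """Return the base64 substring for `fragment` at byte offsets 0, 1 and 2
    (mod 3), keeping only characters fully determined by the fragment's bytes.
    Characters that also encode bits of unknown neighbouring bytes are dropped."""
    data = fragment.encode("utf-16-le")
    n_bits = 8 * len(data)
    variants = []
    for offset in range(3):
        # The unknown preceding bytes can hold any value; zeros are a stand-in,
        # since only characters entirely inside the fragment are kept.
        padded = b"\x00" * offset + data
        encoded = base64.b64encode(padded).decode("ascii")
        first_bit = 8 * offset
        start = -(-first_bit // 6)            # first char whose 6 bits start inside the fragment
        end = (first_bit + n_bits) // 6       # one past the last char that ends inside it
        variants.append(encoded[start:end])
    return variants


def encoded_command(script: str) -> str:
    """What `powershell -EncodedCommand` expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


USERPROFILE_VARIANTS = b64_utf16le_variants("$env:userprofile")
TEMP_CONCAT_VARIANTS = b64_utf16le_variants("=$env:temp+(")


def matches_emotet_fragment(cmdline: str) -> bool:
    """CommandLine|contains over the derived substrings (case-sensitive,
    because base64 is)."""
    return any(v in cmdline for v in USERPROFILE_VARIANTS + TEMP_CONCAT_VARIANTS)


if __name__ == "__main__":
    for v in USERPROFILE_VARIANTS:
        print(v)
    # Prefixes of 0, 1 and 2 characters (0, 2 and 4 bytes) land on all three alignments.
    for prefix in ("", "x", "xy"):
        cmd = "powershell -nop -w hidden -enc " + encoded_command(prefix + "$env:userprofile")
        print(prefix.ljust(2), matches_emotet_fragment(cmd))
```

A one-character prefix moves the fragment by two bytes, so the three prefixes "", "x" and "xy" exercise offsets 0, 2 and 1 respectively. The same routine lets you extend the rule to any other fragment you see in a sample without hand-computing alignments, and it explains why the rule's strings are cut short at both ends rather than being whole base64 encodings.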
high
Moderate
High FP
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
view Sigma YAML
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects potential EmpireMonkey APT activity
references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
- https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019-04-02
modified: 2023-03-09
tags:
- attack.stealth
- attack.t1218.010
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
- '\Local\Temp\Errors.bat'
condition: selection
falsepositives:
- Unlikely
level: high
high
Moderate
Medium FP
Potential EventLog File Location Tampering
Detects tampering with the "File" value under an EventLog service key in order to change the default location of an .evtx file. This technique is used to tamper with log collection and alerting
view Sigma YAML
title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with the "File" value under an EventLog service key in order to change the default location of an .evtx file. This technique is used to tamper with log collection and alerting
references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\File'
filter:
Details|contains: '\System32\Winevt\Logs\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Moderate
High FP
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
view Sigma YAML
title: Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
id: 551d9c1f-816c-445b-a7a6-7a3864720d60
status: test
description: |
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
references:
- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922
- https://github.com/grayhatkiller/SharpExShell
- https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
author: Aaron Stratton
date: 2023-11-13
tags:
- attack.t1021.003
- attack.lateral-movement
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\excel.exe'
selection_child:
- OriginalFileName:
- 'foxprow.exe'
- 'schdplus.exe'
- 'winproj.exe'
- Image|endswith:
- '\foxprow.exe'
- '\schdplus.exe'
- '\winproj.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Moderate
Medium FP
Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
view Sigma YAML
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
date: 2022-06-02
modified: 2023-02-04
tags:
- attack.execution
- cve.2021-40444
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\eqnedt32.exe'
- '\visio.exe'
CommandLine|contains:
- '../../../..'
- '..\..\..\..'
- '..//..//..//..'
condition: selection
falsepositives:
- Unknown
level: high
high
Moderate
Medium FP
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
view Sigma YAML
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
- https://github.com/SigmaHQ/sigma/pull/3946
- https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2023-01-21
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
Image|endswith: '\svchost.exe'
ParentCommandLine|contains: '-k DHCPServer'
CommandLine|contains: '-k DHCPServer'
User|contains: # Covers many language settings for Network Service. Please expand.
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVIZIO DI RETE'
- 'SERVICIO DE RED'
condition: selection
falsepositives:
- Unknown
level: high
high
Strong
Medium FP
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific user. This could be a sign of potential exploitation of CVE-2024-3094.
view Sigma YAML
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: test
description: |
Detects a potentially suspicious child process of the SSH daemon (sshd) running as a specific user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024-04-01
modified: 2024-07-03
tags:
- attack.execution
- cve.2024-3094
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/sshd'
CommandLine|startswith:
- 'bash -c'
- 'sh -c'
User: 'root'
condition: selection
falsepositives:
- Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
high
Moderate
Medium FP
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
Detects execution of the "net.exe" command in order to add a domain group named "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
view Sigma YAML
title: Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
id: c408acfe-2870-41df-8d2f-9f4daa4555ed
status: test
description: |
Detects execution of the "net.exe" command in order to add a domain group named "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
references:
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
author: frack113
date: 2024-07-29
tags:
- attack.execution
- cve.2024-37085
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_net_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_net_cmd:
CommandLine|contains|all:
- '/add'
- '/domain'
- 'ESX Admins'
- 'group'
selection_powershell_img:
- Image|endswith:
- '\PowerShell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.exe'
- 'pwsh.dll'
selection_powershell_cli:
CommandLine|contains|all:
- 'New-ADGroup'
- 'ESX Admins'
condition: all of selection_net_* or all of selection_powershell_*
falsepositives:
- Unknown
level: high
high
Moderate
Low FP
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
Detects any creation or modification of a Windows domain group with the name "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
view Sigma YAML
title: Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
id: 47a1658b-67a4-48e2-8ab1-c10437fc0148
status: test
description: |
Detects any creation or modification of a Windows domain group with the name "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
references:
- https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-30
tags:
- attack.execution
- cve.2024-37085
- detection.emerging-threats
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4727
- 4728
- 4731
- 4737
- 4754
- 4755
- 4756
keyword_group:
- 'ESX Admins'
condition: selection and keyword_group
falsepositives:
- Unknown
level: high
high
Moderate
Medium FP
Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
template injection. This sequence enables unauthenticated remote code execution, significantly increasing
the impact of exploitation.
view Sigma YAML
title: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
id: 41956f7c-7a6b-46d6-b6bb-da6eb2e83fbe
status: experimental
description: |
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
template injection. This sequence enables unauthenticated remote code execution, significantly increasing
the impact of exploitation.
references:
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-20
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1203
- cve.2025-4427
- cve.2025-4428
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_uri:
cs-uri-stem|contains: '/mifs/rs/api/v2/featureusage'
cs-uri-query|contains: 'format='
selection_exploit_rce:
- cs-uri-query|contains|all:
- 'java.lang.Runtime'
- '.getMethod'
- 'getRuntime'
- '.exec('
- cs-uri-query|contains|all:
- 'java%2elang%2eRuntime' # java.lang.Runtime
- '%2egetMethod' # .getMethod
- '%2eexec%28' # .exec(
- cs-uri-query|contains:
- '%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65' # java.lang.Runtime (the previous value decoded to "java.lang.Runtimee()" and could not match)
- '%67%65%74%52%75%6e%74%69%6d%65' # getRuntime
- '%2e%65%78%65%63%28' # .exec(
selection_exploit_template_injection:
cs-uri-query|contains:
- '{7*7}'
- '%7B7*7%7D'
- '%7b7%2a7%7d'
condition: selection_uri and 1 of selection_exploit_*
falsepositives:
- Unknown
level: high
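The rule above enumerates literal, partially and fully percent-encoded spellings of the same markers, which is the right shape for a backend that can only do substring matching on the raw `cs-uri-query`. Where your pipeline can normalise first, matching the decoded query is both shorter and harder to evade with a fourth encoding. The added example below (mine, not code from SigmaHQ or from this page) parses constructed web-server log lines in a simplified W3C-style layout, percent-decodes the query string until it stops changing (bounded, so double encoding such as `%257B` is unwrapped), and applies the rule's intent: the target stem and a `format=` parameter, plus either the Java reflection markers or the `{7*7}` template-injection probe. The log lines and query payloads are constructed to exercise the markers, not captured traffic.

```python
"""Added example, not code from SigmaHQ or from this page: normalise the
query string before applying the EPMM rule's markers, over constructed
web-server log lines."""

from typing import List, Tuple
from urllib.parse import unquote

TARGET_STEM = "/mifs/rs/api/v2/featureusage"
# Markers from the rule's first (unencoded) RCE variant and its SSTI probe.
RCE_MARKERS = ("java.lang.Runtime", ".getMethod", ".exec(")
SSTI_MARKERS = ("{7*7}",)


def normalise_query(query: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string is stable. Bounded so a
    pathological input cannot keep the decoder busy; three rounds cover
    double encoding with margin. No case folding: Java identifiers are
    case-sensitive, so 'java.lang.runtime' is not the same payload."""
    current = query
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_epmm_exploit(stem: str, query: str) -> bool:
    """selection_uri and (RCE markers or SSTI probe) on the decoded query."""
    if TARGET_STEM not in stem:
        return False
    q = normalise_query(query)
    if "format=" not in q:
        return False
    rce = all(marker in q for marker in RCE_MARKERS)
    ssti = any(marker in q for marker in SSTI_MARKERS)
    return rce or ssti


# Constructed log lines: date time cs-method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG: List[str] = [
    "2025-05-20 10:00:01 GET /mifs/rs/api/v2/featureusage "
    "format=${''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id')} 200",
    "2025-05-20 10:00:02 GET /mifs/rs/api/v2/featureusage "
    "format=%24%7B%27%27.getClass%28%29.forName%28%27java%2elang%2eRuntime%27%29"
    "%2egetMethod%28%27getRuntime%27%29.invoke%28null%29%2eexec%28%27id%27%29%7D 200",
    "2025-05-20 10:00:03 GET /mifs/rs/api/v2/featureusage format=%257B7*7%257D 200",
    "2025-05-20 10:00:04 GET /mifs/rs/api/v2/featureusage format=json 200",
    "2025-05-20 10:00:05 GET /mifs/rs/api/v2/admin format={7*7} 404",
]


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(date, time, stem) for every line the normalised rule fires on."""
    hits = []
    for line in lines:
        date, time, _method, stem, query, _status = line.split()
        if is_epmm_exploit(stem, query):
            hits.append((date, time, stem))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

Line 3 is only caught because decoding runs more than once; the rule's literal `%7B7*7%7D` spelling would not see `%257B7*7%257D`. The normalisation has limits of its own (it does not undo overlong UTF-8 or HTML entity encoding), so treat it as a second layer next to the literal rule rather than a replacement, and keep the status code in the event: a 200 on these requests is the alert, a 404 on a different stem is noise.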
high
Strong
Medium FP
Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
view Sigma YAML
title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
status: experimental
description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
references:
- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
- https://pwn.guide/free/web/crushftp
- https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
author: Nisarg Suthar
date: 2025-08-01
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1068
- attack.t1190
- cve.2025-54309
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\crushftp.exe'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'IEX'
- 'enc'
- 'Hidden'
- 'bypass'
selection_child_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '/c powershell'
- 'whoami'
- 'net.exe'
- 'net1.exe'
selection_child_others:
Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate administrative command execution
level: high
high
Strong
Medium FP
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application.
This behavior is indicative of post-exploitation activity following exploitation of CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
view Sigma YAML
title: Potential Exploitation of GoAnywhere MFT Vulnerability
id: 6c76b3d0-afe4-4870-9443-ffe6773c5fef
status: experimental
description: |
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application.
This behavior is indicative of post-exploitation activity following exploitation of CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
references:
- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-07
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1059.001
- attack.persistence
- attack.t1133
- detection.emerging-threats
- cve.2025-10035
logsource:
category: process_creation
product: windows
detection:
# Detects the GoAnywhere Tomcat parent process based on its install path
selection_parent:
ParentImage|contains: '\GoAnywhere\tomcat\'
selection_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
selection_powershell_cmd:
- CommandLine|contains|all:
- 'IEX'
- 'enc'
- 'Hidden'
- 'bypass'
- CommandLine|re:
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
- CommandLine|contains:
- 'whoami'
- 'systeminfo'
- 'dsquery'
- 'localgroup administrators'
- 'nltest'
- 'samaccountname='
- 'adscredentials'
- 'o365accountconfiguration'
- '.DownloadString('
- '.DownloadFile('
- 'FromBase64String('
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'curl'
selection_child_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'powershell'
- 'whoami'
- 'net.exe'
- 'net1.exe'
- 'rundll32'
- 'quser'
- 'nltest'
- 'curl'
selection_child_others:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'mshta'
- 'cscript'
- 'wscript'
condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)
falsepositives:
- Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
level: high
high
Moderate
Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
view Sigma YAML
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053
id: abe06362-a5b9-4371-8724-ebd00cd48a04
related:
- id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
type: similar
- id: 04fc4b22-91a6-495a-879d-0144fec5ec03
type: similar
status: experimental
description: |
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
references:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1105
- detection.emerging-threats
- cve.2025-33053
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage:
- 'C:\Program Files\internet explorer\iediagcmd.exe'
- 'C:\Windows\System32\CustomShellHost.exe'
selection_child_current_dir:
- CurrentDirectory|startswith: '\\\\'
- CurrentDirectory|contains: '\DavWWWRoot\'
- Image|contains: '\DavWWWRoot\'
- Image|startswith: '\\\\'
selection_child_img:
Image|endswith:
- '\route.exe'
- '\netsh.exe'
- '\makecab.exe'
- '\dxdiag.exe'
- '\ipconfig.exe'
- '\explorer.exe'
filter_main_system:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
Moderate
Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: image_load
    product: windows
detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
external control of file names or paths via WebDAV.
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 04fc4b22-91a6-495a-879d-0144fec5ec03
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe)
    accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting
    Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers
    instead of legitimate system binaries. The vulnerability allows unauthorized code execution through
    external control of file names or paths via WebDAV.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: process_access
    product: windows
detection:
    selection_src:
        SourceImage:
            - 'C:\Program Files\internet explorer\iediagcmd.exe'
            - 'C:\Windows\System32\CustomShellHost.exe'
    selection_target_dir:
        - TargetImage|startswith: '\\\\'
        - TargetImage|contains: '\DavWWWRoot\'
    selection_target_exe:
        TargetImage|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Strong
High FP
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
    - id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
      type: derived
status: test
description: |
    Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
references:
    - https://redcanary.com/blog/right-to-left-override/
    - https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
    - https://tria.ge/241015-l98snsyeje/behavioral2
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1036.002
logsource:
    category: file_event
    product: windows
detection:
    selection_rtlo_unicode:
        TargetFilename|contains:
            - '\u202e' # Unicode RTLO character
            - '[U+202E]'
            # Real char U+202E copied/pasted below
            - ''
    selection_extensions:
        TargetFilename|contains:
            - '3pm.' # Reversed `.mp3`
            - '4pm.' # Reversed `.mp4`
            - 'cod.' # Reversed `.doc`
            - 'fdp.' # Reversed `.pdf`
            - 'ftr.' # Reversed `.rtf`
            - 'gepj.' # Reversed `.jpeg`
            - 'gnp.' # Reversed `.png`
            - 'gpj.' # Reversed `.jpg`
            - 'ism.' # Reversed `.msi`
            - 'lmth.' # Reversed `.html`
            - 'nls.' # Reversed `.sln`
            - 'piz.' # Reversed `.zip`
            - 'slx.' # Reversed `.xls`
            - 'tdo.' # Reversed `.odt`
            - 'vsc.' # Reversed `.csv`
            - 'vwm.' # Reversed `.wmv`
            - 'xcod.' # Reversed `.docx`
            - 'xslx.' # Reversed `.xlsx`
            - 'xtpp.' # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Filenames containing scripts such as Arabic or Hebrew might legitimately use this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
high
Moderate
Medium FP
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file rather than the free space
title: Potential File Overwrite Via Sysinternals SDelete
id: a4824fca-976f-4964-b334-0621379e84c4
status: test
description: Detects the use of SDelete to erase a file rather than the free space
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: frack113
date: 2021-06-03
modified: 2023-02-28
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: sdelete.exe
    filter:
        CommandLine|contains:
            - ' -h'
            - ' -c'
            - ' -z'
            - ' /\?'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1082
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/grep'
        CommandLine|contains:
            - 'apached'
            - 'frpc'
            - 'sshd.sh'
            - 'zone.arm'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems)
date: 2023-05-14
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'choice /t %d /d y /n >nul'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Potential Goofy Guineapig GoogleUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
title: Potential Goofy Guineapig GoogleUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\GoogleUpdate.exe'
        Image|endswith: '\GoogleUpdate.exe'
    filter_main_legit_paths:
        - Image|startswith:
            - 'C:\Program Files\Google\'
            - 'C:\Program Files (x86)\Google\'
        - Image|contains: '\AppData\Local\Google\Update\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
title: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
related:
    - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
      type: similar
status: test
description: |
    Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
references:
    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
    - https://github.com/win3zz/CVE-2023-43261
    - https://vulncheck.com/blog/real-world-cve-2023-43261
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-20
modified: 2023-10-30
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-43261
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        # Note: In theory the requested path could be any other file, but since this log can contain passwords and other interesting information, it is the most likely target during a real attack
        c-uri|contains: '/lang/log/httpd.log' # Also covers the rotated .old copy
        sc-status: 200
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential Information Disclosure CVE-2023-43261 Exploitation - Web
Detects, in web server access logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
title: Potential Information Disclosure CVE-2023-43261 Exploitation - Web
id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
related:
    - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
      type: similar
status: test
description: |
    Detects, in web server access logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
references:
    - https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html
    - https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
    - https://github.com/win3zz/CVE-2023-43261
    - https://vulncheck.com/blog/real-world-cve-2023-43261
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-20
modified: 2023-10-30
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-43261
    - detection.emerging-threats
logsource:
    category: webserver
    definition: 'Requirements: In order for this detection to trigger, access logs of the router must be collected.'
detection:
    selection:
        cs-method: 'GET'
        # Note: In theory the requested path could be any other file, but since this log can contain passwords and other interesting information, it is the most likely target during a real attack
        cs-uri-stem|contains: '/lang/log/httpd.log' # Also covers the rotated .old copy
        sc-status: 200
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Potential Invoke-Mimikatz PowerShell Script
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
title: Potential Invoke-Mimikatz PowerShell Script
id: 189e3b02-82b2-4b90-9662-411eb64486d4
status: test
description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
references:
    - https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
tags:
    - attack.credential-access
    - attack.t1003
logsource:
    category: ps_script
    product: windows
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'DumpCreds'
            - 'DumpCerts'
    selection_2:
        ScriptBlockText|contains: 'sekurlsa::logonpasswords'
    selection_3:
        ScriptBlockText|contains|all:
            - 'crypto::certificates'
            - 'CERT_SYSTEM_STORE_LOCAL_MACHINE'
    condition: 1 of selection*
falsepositives:
    - Mimikatz can be useful for testing the security of networks
level: high
high
Moderate
Medium FP
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
    - https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\iviewers.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Windows Kits\'
            - 'C:\Program Files\Windows Kits\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential JLI.dll Side-Loading
Detects potential DLL side-loading of jli.dll.
JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
and others in order to load malicious payloads in context of legitimate Java processes.
title: Potential JLI.dll Side-Loading
id: 7a3b6d1f-4a2b-4f8c-9d7e-e9f8cbf21a35
status: experimental
description: |
    Detects potential DLL side-loading of jli.dll.
    JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm,
    and others in order to load malicious payloads in context of legitimate Java processes.
references:
    - https://securelist.com/apt41-in-africa/116986/
    - https://lab52.io/blog/snake-keylogger-in-geopolitical-affairs-abuse-of-trusted-java-utilities-in-cybercrime-operations/
    - https://hijacklibs.net/entries/3rd_party/oracle/jli.html
    - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-25
modified: 2025-10-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\jli.dll'
    filter_main_legitimate_install_paths:
        ImageLoaded|startswith:
            # Keeping the paths generic as jli.dll was found inside various directories of installed software
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        Description: 'OpenJDK Platform binary'
        OriginalFileName: 'jli.dll'
        Product|startswith: 'OpenJDK Platform'
        Signed: 'true'
    filter_optional_eclipse:
        ImageLoaded|startswith: 'C:\eclipse\plugins\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential JNDI Injection Exploitation In JVM Based Application
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
title: Potential JNDI Injection Exploitation In JVM Based Application
id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
status: test
description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
    - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords:
        - 'com.sun.jndi.ldap.'
        - 'org.apache.logging.log4j.core.net.JndiManager'
    condition: keywords
falsepositives:
    - Application bugs
level: high
high
Moderate
Medium FP
Potential Java WebShell Upload in SAP NetWeaver Server
Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.
This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetWeaver.
title: Potential Java WebShell Upload in SAP NetWeaver Server
id: 639b893f-f93a-4e53-a7c8-f08cf73fe7f7
status: experimental
description: |
    Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions.
    This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetWeaver.
references:
    - https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
    - cve.2025-31324
logsource:
    category: webserver
detection:
    selection:
        cs-content-type: 'application/octet-stream'
        cs-method: 'POST'
        cs-uri-stem|contains|all:
            - '/irj/'
            - '.jsp'
        cs-uri-stem|endswith:
            - '.class'
            - '.java'
            - '.jsp'
    condition: selection
falsepositives:
    - Legitimate uploads of Java files in development environments
level: high
high
Moderate
Low FP
Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
title: Potential KDC RC4-HMAC Downgrade Exploit - CVE-2022-37966
id: e6f81941-b1cd-4766-87db-9fc156f658ee
status: test
description: Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
references:
    - https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
author: Florian Roth (Nextron Systems)
date: 2022-11-09
modified: 2025-11-03
tags:
    - attack.privilege-escalation
    - detection.emerging-threats
    - cve.2022-37966
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 42
        Provider_Name:
            - 'Kerberos-Key-Distribution-Center'
            - 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Level: 2 # Error
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
status: test
description: |
    Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2024-03-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
        Details|contains|all:
            - '-nop -w h'
            - '$env'
            - 'explorer.exe'
            - 'Start-Process'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
Medium FP
Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.
title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: test
description: |
    Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
    The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection.
references:
    - https://labs.withsecure.com/publications/kapeka
    - https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|contains:
            - ':\ProgramData\'
            - '\AppData\Local\'
        TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
    selection_specific:
        TargetFilename|endswith:
            - '\win32log.exe'
            - '\crdss.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Potential Ke3chang/TidePool Malware Activity
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
title: Potential Ke3chang/TidePool Malware Activity
id: 7b544661-69fc-419f-9a59-82ccc328f205
status: test
description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
references:
    - https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
    - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Markus Neis, Swisscom
date: 2020-06-18
modified: 2023-03-10
tags:
    - attack.defense-impairment
    - attack.g0004
    - attack.t1685
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
        # Setting these registry keys is unique to the Ke3chang and TidePool malware families.
        # HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
        # HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
        # HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
        CommandLine|contains:
            - '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
            - '-Property String -name Check_Associations -value'
            - '-Property DWORD -name IEHarden -value 0 -Force'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,
where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
title: Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
related:
    - id: e7a21b5f-d8c4-4ae5-b8d9-93c5d3f28e1c # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing
      type: similar
    - id: 5588576c-5898-4fac-bcdd-7475a60e8f43 # Suspicious DNS Query Indicating Kerberos Coercion via DNS Object Spoofing - Network
      type: similar
    - id: 0ed99dda-6a35-11ef-8c99-0242ac120002 # Kerberos Coercion Via DNS SPN Spoofing Attempt
      type: similar
status: experimental
description: |
    Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob
    matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure,
    commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to
    attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,
    where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073.
    Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
references:
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1557.003
    - attack.persistence
    - attack.privilege-escalation
logsource:
    product: windows
    service: security
    definition: |
        By default these events are not logged for MicrosoftDNS objects in Active Directory.
        To enable detection, configure an AuditRule on the DNS object container with the "CreateChild" permission for the "Everyone" principal.
        This can be accomplished using tools such as Set-AuditRule (see https://github.com/OTRF/Set-AuditRule).
detection:
    selection_directory_service_changes:
        EventID:
            - 5136
            - 5137
        ObjectClass: 'dnsNode'
        ObjectDN|contains|all: # ObjectDN">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
            - 'UWhRCA'
            - 'BAAAA'
            - 'CN=MicrosoftDNS'
    selection_directory_service_access:
        EventID: 4662
        AdditionalInfo|contains|all: # AdditionalInfo">DC=foo-11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA,DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com</Data>
            - 'UWhRCA'
            - 'BAAAA'
            - 'CN=MicrosoftDNS'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Strong
High FP
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
title: Potential LSASS Process Dump Via Procdump
id: 5afee48e-67dd-4e03-a783-f74259dcf998
status: stable
description: |
    Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump.
    This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers.
    LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory.
    Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
    - https://research.splunk.com/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002
    - https://x.com/wietze/status/1958302556033065292?s=12
author: Florian Roth (Nextron Systems)
date: 2018-10-30
modified: 2025-10-19
tags:
    - attack.stealth
    - attack.t1036
    - attack.credential-access
    - attack.t1003.001
    - car.2013-05-009
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags:
        CommandLine|contains|windash:
            - ' -ma '
            - ' -mm ' # Mini dump
            - ' -mp ' # Miniplus dump
    selection_process:
        CommandLine|contains:
            - ' ls' # Short for lsass
            - ' keyiso'
            - ' samss'
    condition: all of selection_*
falsepositives:
    - Unlikely, because no one should dump LSASS process memory
    - Another tool that uses command line flags similar to ProcDump
level: high
high
Moderate
Medium FP
Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.stealth
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Potential Local File Read Vulnerability In JVM Based Application
Detects potential local file read vulnerability in JVM based apps.
If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
view Sigma YAML
title: Potential Local File Read Vulnerability In JVM Based Application
id: e032f5bc-4563-4096-ae3b-064bab588685
status: test
description: |
    Detects potential local file read vulnerability in JVM based apps.
    If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords_local_file_read:
        '|all':
            - 'FileNotFoundException'
            - '/../../..'
    condition: keywords_local_file_read
falsepositives:
    - Application bugs
level: high
high
Strong
Medium FP
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
title: Potential MFA Bypass Using Legacy Client Authentication
id: 53bb4f7f-48a8-4475-ac30-5a82ddfdf6fc
status: test
description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
references:
    - https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022
    - https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-03-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1078.004
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        userAgent|contains:
            - 'BAV2ROPC'
            - 'CBAinPROD'
            - 'CBAinTAR'
    condition: selection
falsepositives:
    - Known Legacy Accounts
level: high
high
Strong
Medium FP
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: test
description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
references:
    - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
    - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
    - https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
    - https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
modified: 2024-08-13
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|contains:
            - '\MOVEit Transfer\wwwroot\'
            - '\MOVEitTransfer\wwwroot\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.dll'
            - '.exe'
            - '.ps1'
            - '.rar'
            - '.vbe'
            - '.vbs'
            - '.zip'
    selection_known_ioc:
        TargetFilename|endswith:
            - '\MOVEit Transfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\_human2.aspx'
            - '\MOVEit Transfer\wwwroot\human2.aspx.lnk'
            - '\MOVEit Transfer\wwwroot\human2.aspx'
            - '\MOVEitTransfer\wwwroot\_human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\_human2.aspx'
            - '\MOVEitTransfer\wwwroot\human2.aspx.lnk'
            - '\MOVEitTransfer\wwwroot\human2.aspx'
    # Uncomment this selection if you want to threat hunt for additional artifacts
    # selection_cmdline:
    #     TargetFilename|contains: ':\Windows\TEMP\'
    #     TargetFilename|endswith: '.cmdline'
    selection_compiled_asp:
        CreationUtcTime|startswith:
            - '2023-03- '
            - '2023-04- '
            - '2023-05- '
            - '2023-06- '
        TargetFilename|contains|all:
            - '\Windows\Microsoft.net\Framework64\v'
            - '\Temporary ASP.NET Files\'
            - 'App_Web_'
        TargetFilename|endswith: '.dll'
    condition: 1 of selection_*
falsepositives:
    - To avoid FP, this rule should only be applied on MOVEit servers.
level: high
high
Moderate
High FP
Potential MSTSC Shadowing Activity
Detects RDP session hijacking by using MSTSC shadowing
title: Potential MSTSC Shadowing Activity
id: 6ba5a05f-b095-4f0a-8654-b825f4f16334
status: test
description: Detects RDP session hijacking by using MSTSC shadowing
references:
    - https://twitter.com/kmkz_security/status/1220694202301976576
    - https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
author: Florian Roth (Nextron Systems)
date: 2020-01-24
modified: 2023-02-05
tags:
    - attack.lateral-movement
    - attack.t1563.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'noconsentprompt'
            - 'shadow:'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
title: Potential Manage-bde.wsf Abuse To Proxy Execution
id: c363385c-f75d-4753-a108-c1a8e28bdbda
status: test
description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
    - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
    - https://twitter.com/bohops/status/980659399495741441
    - https://twitter.com/JohnLaTwC/status/1223292479270600706
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-03
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_wscript_img:
        - Image|endswith: '\wscript.exe'
        - OriginalFileName: 'wscript.exe'
    selection_wscript_cli:
        CommandLine|contains: 'manage-bde.wsf'
    selection_parent:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        ParentCommandLine|contains: 'manage-bde.wsf'
    selection_filter_cmd:
        Image|endswith: '\cmd.exe'
    condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Potential Meterpreter/CobaltStrike Activity
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
falsepositives:
    - Commandlines containing components like cmd accidentally
    - Jobs and services started with cmd
level: high