Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
High FP
Potential Cookies Session Hijacking
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
view Sigma YAML
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_cli:
- CommandLine|re: '\s-c\s'
- CommandLine|contains: '--cookie-jar'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_cookie_hijacking/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
view Sigma YAML
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: test
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
references:
- https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
- https://research.splunk.com/endpoint/windows_possible_credential_dumping/
author: Samir Bousseaden, Michael Haag
date: 2019-04-03
modified: 2024-03-02
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1038'
- '0x1438'
- '0x143a'
- '0x1fffff' # Too many false positives
# - '0x01000' # Too many false positives
# - '0x1010' # Too many false positives
# - '0x1400' # Too many false positives
# - '0x1410' # Too many false positives
# - '0x40' # Too many false positives
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
- 'kernel32.dll'
- 'kernelbase.dll'
- 'ntdll.dll'
filter_main_system_user:
SourceUser|contains: # Covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_thor:
CallTrace|contains|all:
- ':\Windows\Temp\asgard2-agent\'
- '\thor\thor64.exe+'
- '|UNKNOWN('
GrantedAccess: '0x103800'
filter_optional_sysmon:
SourceImage|endswith: ':\Windows\Sysmon64.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Credential Dumping Attempt Using New NetworkProvider - REG
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
view Sigma YAML
title: Potential Credential Dumping Attempt Using New NetworkProvider - REG
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
filter:
TargetObject|contains:
- '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
- '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
- '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
filter_valid_procs:
Image: C:\Windows\System32\poqexec.exe
condition: selection and not 1 of filter*
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Credential Dumping Attempt Via PowerShell
Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
view Sigma YAML
title: Potential Credential Dumping Attempt Via PowerShell
id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
related:
- id: 3f07b9d1-2082-4c56-9277-613a621983cc
type: obsolete
- id: fb656378-f909-47c1-8747-278bf09f4f4f
type: similar
status: test
description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-11-28
tags:
- attack.credential-access
- attack.t1003.001
- detection.threat-hunting
logsource:
product: windows
category: process_access
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
view Sigma YAML
title: Potential DLL File Download Via PowerShell Invoke-WebRequest
id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
status: test
description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: Florian Roth (Nextron Systems), Hieu Tran
date: 2023-03-13
modified: 2025-07-18
tags:
- attack.command-and-control
- attack.execution
- attack.t1059.001
- attack.t1105
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Invoke-RestMethod '
- 'Invoke-WebRequest '
- 'IRM '
- 'IWR '
CommandLine|contains|all:
- 'http'
- 'OutFile'
- '.dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe"
view Sigma YAML
title: Potential DLL Injection Or Execution Using Tracker.exe
id: 148431ce-4b70-403d-8525-fcc2993f29ea
status: test
description: Detects potential DLL injection and execution using "Tracker.exe"
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-10-18
modified: 2023-01-09
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\tracker.exe'
- Description: 'Tracker'
selection_cli:
CommandLine|contains:
- ' /d '
- ' /c '
filter_msbuild1:
CommandLine|contains: ' /ERRORREPORT:PROMPT '
filter_msbuild2:
# Example:
# GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
# ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
# CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
ParentImage|endswith:
- '\Msbuild\Current\Bin\MSBuild.exe'
- '\Msbuild\Current\Bin\amd64\MSBuild.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
view Sigma YAML
title: Potential DLL Injection Via AccCheckConsole
id: 0f6da907-5854-4be6-859a-e9958747b0aa
status: test
description: |
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI.
One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc.
The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
references:
- https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
- https://twitter.com/bohops/status/1477717351017680899?s=12
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
author: Florian Roth (Nextron Systems)
date: 2022-01-06
modified: 2024-08-29
tags:
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\AccCheckConsole.exe'
- OriginalFileName: 'AccCheckConsole.exe'
selection_cli:
CommandLine|contains:
- ' -hwnd'
- ' -process '
- ' -window '
condition: all of selection_*
falsepositives:
- Legitimate use of the UI Accessibility Checker
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL Sideloading Activity Via ExtExport.EXE
Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
Arbitrary DLLs can also be loaded if a specific number of flags was provided.
view Sigma YAML
title: Potential DLL Sideloading Activity Via ExtExport.EXE
id: fb0b815b-f5f6-4f50-970f-ffe21f253f7a
status: test
description: |
Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
Arbitrary DLLs can also be loaded if a specific number of flags was provided.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Extexport/
- https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/
- https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
- https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/
- https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
- https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-08-26
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Extexport.exe'
- OriginalFileName: 'extexport.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
view Sigma YAML
title: Potential DLL Sideloading Of DBGCORE.DLL
id: 9ca2bf31-0570-44d8-a543-534c47c33ed7
status: test
description: Detects DLL sideloading of "dbgcore.dll"
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\dbgcore.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
filter_optional_steam:
ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll'
filter_optional_opera:
# C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll
ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
ImageLoaded|endswith: '\assistant\dbgcore.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll"
view Sigma YAML
title: Potential DLL Sideloading Of DBGHELP.DLL
id: 6414b5cd-b19d-447e-bb5e-9f03940b5784
status: test
description: Detects potential DLL sideloading of "dbghelp.dll"
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-10-25
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\dbghelp.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
filter_optional_anaconda:
ImageLoaded|endswith:
- '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll'
- '\Anaconda3\Lib\site-packages\vtrace\platforms\windll\i386\dbghelp.dll'
filter_optional_epicgames:
ImageLoaded|endswith:
- '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll'
- '\Epic Games\MagicLegends\x86\dbghelp.dll'
filter_optional_opera:
ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package'
ImageLoaded|endswith: '\assistant\dbghelp.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
view Sigma YAML
title: Potential DLL Sideloading Of DbgModel.DLL
id: fef394cd-f44d-4040-9b18-95d92fe278c0
status: test
description: Detects potential DLL sideloading of "DbgModel.dll"
references:
- https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
author: Gary Lobermier
date: 2024-07-11
modified: 2024-07-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith: '\dbgmodel.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
filter_optional_windbg:
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.WinDbg_'
filter_optional_windows_kits:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Windows Kits\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
view Sigma YAML
title: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
id: e49b5745-1064-4ac1-9a2e-f687bc2dd37e
status: test
description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
ImageLoaded|endswith: '\libcurl.dll'
filter_main_notepad_plusplus:
Image|endswith: '\Notepad++\updater\GUP.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
view Sigma YAML
title: Potential DLL Sideloading Of MpSvc.DLL
id: 5ba243e5-8165-4cf7-8c69-e1d3669654c1
status: test
description: Detects potential DLL sideloading of "MpSvc.dll".
references:
- https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema
date: 2024-07-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith: '\MpSvc.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Program Files\Windows Defender\'
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
view Sigma YAML
title: Potential DLL Sideloading Of MsCorSvc.DLL
id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
status: test
description: Detects potential DLL sideloading of "mscorsvc.dll".
references:
- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
author: Wietze Beukema
date: 2024-07-11
modified: 2025-02-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith: '\mscorsvc.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\Microsoft.NET\Framework\'
- 'C:\Windows\Microsoft.NET\Framework64\'
- 'C:\Windows\Microsoft.NET\FrameworkArm\'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL Sideloading Using Coregen.exe
Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
view Sigma YAML
title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: test
description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
author: frack113
date: 2022-12-31
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1218
- attack.t1055
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\coregen.exe'
filter_main_legit_paths:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Microsoft Silverlight\'
- 'C:\Program Files\Microsoft Silverlight\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
view Sigma YAML
title: Potential DLL Sideloading Via ClassicExplorer32.dll
id: caa02837-f659-466f-bca6-48bde2826ab4
status: test
description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
references:
- https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
- https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
author: frack113
date: 2022-12-13
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection_classicexplorer:
ImageLoaded|endswith: '\ClassicExplorer32.dll'
filter_classicexplorer:
ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'
condition: selection_classicexplorer and not filter_classicexplorer
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
view Sigma YAML
title: Potential DLL Sideloading Via DeviceEnroller.EXE
id: e173ad47-4388-4012-ae62-bd13f71c18a8
related:
- id: ee4c5d06-3abc-48cc-8885-77f1c20f4451
type: similar
status: test
description: |
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll".
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
references:
- https://mobile.twitter.com/0gtweet/status/1564131230941122561
- https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
author: '@gott_cyber'
date: 2022-08-29
modified: 2023-02-04
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\deviceenroller.exe'
- OriginalFileName: 'deviceenroller.exe'
selection_cli:
CommandLine|contains: '/PhoneDeepLink'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential DLL Sideloading Via JsSchHlp
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
view Sigma YAML
title: Potential DLL Sideloading Via JsSchHlp
id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
status: test
description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
references:
- https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
- http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
author: frack113
date: 2022-12-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\JSESPR.dll'
filter:
ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
view Sigma YAML
title: Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: test
description: |
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-09-26
modified: 2024-11-01
tags:
- attack.exfiltration
- attack.t1048.003
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'Send-MailMessage*-Attachments'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Data Exfiltration Via Audio File
Detects potential exfiltration attempt via audio file using PowerShell
view Sigma YAML
title: Potential Data Exfiltration Via Audio File
id: e4f93c99-396f-47c8-bb0f-201b1fa69034
status: test
description: Detects potential exfiltration attempt via audio file using PowerShell
references:
- https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.exfiltration
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_main:
ScriptBlockText|contains|all:
- '[System.Math]::'
- '[IO.FileMode]::'
- 'BinaryWriter'
selection_header_wav:
ScriptBlockText|contains|all:
# Byte chunks from the WAV header used in the example POC
# You can extend this for different audio formats by adding different selections
- '0x52'
- '0x49'
- '0x46'
- '0x57'
- '0x41'
- '0x56'
- '0x45'
- '0xAC'
condition: selection_main and 1 of selection_header_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
view Sigma YAML
title: Potential Data Exfiltration Via Curl.EXE
id: 00bca14a-df4e-4649-9054-3f2aa676bc04
status: test
description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
references:
- https://twitter.com/d1r4c/status/1279042657508081664
- https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
- https://curl.se/docs/manpage.html
author: Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)
date: 2020-07-03
modified: 2023-05-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1105
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
selection_cli:
- CommandLine|contains:
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
filter_optional_localhost:
CommandLine|contains:
- '://localhost'
- '://127.0.0.1'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Scripts created by developers and admins
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
view Sigma YAML
title: Potential Defense Evasion Via Binary Rename
id: 36480ae1-a1cb-4eaa-a0d6-29801d7e9142
related:
- id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
type: similar
status: test
description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
references:
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-06-15
modified: 2026-06-05
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'Cmd.Exe'
- 'CONHOST.EXE'
- '7z.exe'
- '7za.exe'
- '7zr.exe'
- 'WinRAR.exe'
- 'wevtutil.exe'
- 'net.exe'
- 'net1.exe'
- 'netsh.exe'
- 'InstallUtil.exe'
filter:
Image|endswith:
- '\cmd.exe'
- '\conhost.exe'
- '\7z.exe'
- '\7za.exe'
- '\7zr.exe'
- '\WinRAR.exe'
- '\wevtutil.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
- '\InstallUtil.exe'
condition: selection and not filter
falsepositives:
- Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_binary/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
view Sigma YAML
title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
- attack.execution
- attack.t1106
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|startswith: 'UNKNOWN'
filter_main_vcredist:
TargetImage|endswith: 'vcredist_x64.exe'
SourceImage|endswith: 'vcredist_x64.exe'
filter_main_generic:
# Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
SourceImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
TargetImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
filter_main_kerneltrace_edge:
# Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
filter_optional_vmware:
TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
SourceImage|endswith: 'setup64.exe' # vmware
filter_optional_cylance:
SourceImage|endswith: ':\Windows\Explorer.EXE'
TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
filter_optional_amazon:
SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
filter_optional_vscode: # VsCode
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_optional_teams: # MS Teams
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
filter_optional_discord: # Discord
TargetImage|contains: '\AppData\Local\Discord\'
TargetImage|endswith: '\Discord.exe'
filter_optional_yammer:
SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
SourceImage|endswith: '\Yammer.exe'
TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
TargetImage|endswith: '\Yammer.exe'
GrantedAccess: '0x1000'
filter_optional_evernote:
TargetImage|endswith: '\Evernote\Evernote.exe'
filter_optional_adobe_acrobat:
SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
SourceImage|endswith: '\AcroCEF.exe'
TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
TargetImage|endswith: '\AcroCEF.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Discovery Activity Using Find - Linux
Detects usage of "find" binary in a suspicious manner to perform discovery
view Sigma YAML
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
- id: 85de3a19-b675-4a51-bfc6-b11a5186c971
type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/find'
CommandLine|contains:
- '-perm -4000'
- '-perm -2000'
- '-perm 0777'
- '-perm -222'
- '-perm -o w'
- '-perm -o x'
- '-perm -u=s'
- '-perm -g=s'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Discovery Activity Using Find - MacOS
Detects usage of "find" binary in a suspicious manner to perform discovery
view Sigma YAML
title: Potential Discovery Activity Using Find - MacOS
id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
- id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
type: similar
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/find'
CommandLine|contains:
- '-perm -4000'
- '-perm -2000'
- '-perm 0777'
- '-perm -222'
- '-perm -o w'
- '-perm -o x'
- '-perm -u=s'
- '-perm -g=s'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
view Sigma YAML
title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: test
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
- https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022-07-31
modified: 2023-02-04
tags:
- attack.discovery
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\dnscmd.exe'
selection_cli:
CommandLine|contains:
- '/enumrecords'
- '/enumzones'
- '/ZonePrint'
- '/info'
condition: all of selection_*
falsepositives:
- Legitimate administration use
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Dosfuscation Activity
Detects possible payload obfuscation via the commandline
view Sigma YAML
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
- https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '^^'
- '^|^'
- ',;,'
- ';;;;'
- ';; ;;'
- '(,(,'
- '%COMSPEC:~'
- ' c^m^d'
- '^c^m^d'
- ' c^md'
- ' cm^d'
- '^cm^d'
- ' s^et '
- ' s^e^t '
- ' se^t '
# - '%%'
# - '&&'
# - '""'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from WebDAV server
view Sigma YAML
title: Potential Download/Upload Activity Using Type Command
id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
status: test
description: Detects usage of the "type" command to download/upload data from WebDAV server
references:
- https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-14
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: process_creation
detection:
# Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
selection_upload:
CommandLine|contains|all:
- 'type '
- ' > \\\\'
selection_download:
CommandLine|contains|all:
- 'type \\\\'
- ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Dropper Script Execution Via WScript/CScript/MSHTA
Detects wscript/cscript/mshta executions of scripts located in user directories
view Sigma YAML
title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
- id: 1e33157c-53b1-41ad-bbcc-780b80b58288
type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_exec:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
selection_paths:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\Temp\'
- '\Start Menu\Programs\Startup\'
- '\Temporary Internet'
- '\Windows\Temp'
- '%LocalAppData%\Temp\'
- '%TEMP%'
- '%TMP%'
selection_ext:
CommandLine|contains:
- '.hta'
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: all of selection_*
falsepositives:
- Some installers might generate a similar behavior. An initial baseline is required
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
view Sigma YAML
title: Potential Encrypted Registry Blob Related To SNAKE Malware
id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
status: test
description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
filter_main_wav:
- TargetObject|endswith: '.AssocFile.WAV'
- TargetObject|contains: '.wav.'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some additional tuning might be required to tune out legitimate processes that write to this key by default
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
view Sigma YAML
title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2025-5054
- https://nvd.nist.gov/vuln/detail/CVE-2025-4598
- https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
author: Milad Cheraghi
date: 2026-04-28
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1548
- attack.t1003
- cve.2025-5054
- cve.2025-4598
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection_suid_dumpable_sysctl:
Image|endswith:
- '/sbin/sysctl'
- '/bin/sysctl'
CommandLine|contains: 'fs.suid_dumpable='
selection_echo_proc_write:
Image|endswith:
- '/bin/bash'
- '/bin/sh'
CommandLine|contains:
- 'echo 1 > /proc/sys/fs/suid_dumpable'
- 'echo 2 > /proc/sys/fs/suid_dumpable'
- 'echo 1 >/proc/sys/fs/suid_dumpable'
- 'echo 2 >/proc/sys/fs/suid_dumpable'
- 'echo 1> /proc/sys/fs/suid_dumpable'
- 'echo 2> /proc/sys/fs/suid_dumpable'
- 'echo 1>/proc/sys/fs/suid_dumpable'
- 'echo 2>/proc/sys/fs/suid_dumpable'
condition: 1 of selection_*
falsepositives:
- System administrators enabling debugging temporarily
- Legitimate crash diagnostic operations
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
view Sigma YAML
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
- Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
# TODO: Link this to the more generic system process rule
selection:
Image|endswith: '\hxtsr.exe'
filter_main_hxtsr:
Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
Image|endswith: '\hxtsr.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
view Sigma YAML
title: Potential File Download Via MS-AppInstaller Protocol Handler
id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
related:
- id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
type: derived
status: test
description: |
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
references:
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'ms-appinstaller://?source='
- 'http'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
view Sigma YAML
title: Potential Goopdate.DLL Sideloading
id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
status: test
description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\goopdate.dll'
filter_main_generic:
ImageLoaded|startswith:
# Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
filter_optional_dropbox_installer_temp:
Image|contains|all:
- '\AppData\Local\Temp\GUM'
- '.tmp\Dropbox'
ImageLoaded|contains|all:
- '\AppData\Local\Temp\GUM'
- '.tmp\goopdate.dll'
filter_optional_googleupdate_temp:
Image|contains:
- '\AppData\Local\Temp\GUM'
- ':\Windows\SystemTemp\GUM'
Image|endswith: '.tmp\GoogleUpdate.exe'
ImageLoaded|contains:
- '\AppData\Local\Temp\GUM'
- ':\Windows\SystemTemp\GUM'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
- Other third party chromium browsers located in AppData
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Hello-World Scraper Botnet Activity
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
view Sigma YAML
title: Potential Hello-World Scraper Botnet Activity
id: 1712bafe-be05-4a0e-89d4-17a3ed151bf5
status: experimental
description: |
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
references:
- https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
- https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30
author: Joseph A. M.
date: 2025-08-02
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: proxy
detection:
selection:
c-useragent: 'Hello-World/1.0'
cs-method: 'GET'
condition: selection
falsepositives:
- Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.
- Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
- id: 0900463c-b33b-49a8-be1d-552a3b553dae
type: similar
status: test
description: |
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: file_event
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
TargetFilename|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7
type: similar
status: test
description: |
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
CommandLine|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
view Sigma YAML
title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
- attack.stealth
- attack.t1036
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_upper:
CommandLine|contains:
- "\u0410" # А/A
- "\u0412" # В/B
- "\u0415" # Е/E
- "\u041a" # К/K
- "\u041c" # М/M
- "\u041d" # Н/H
- "\u041e" # О/O
- "\u0420" # Р/P
- "\u0421" # С/C
- "\u0422" # Т/T
- "\u0425" # Х/X
- "\u0405" # Ѕ/S
- "\u0406" # І/I
- "\u0408" # Ј/J
- "\u04ae" # Ү/Y
- "\u04c0" # Ӏ/I
- "\u050C" # Ԍ/G
- "\u051a" # Ԛ/Q
- "\u051c" # Ԝ/W
- "\u0391" # Α/A
- "\u0392" # Β/B
- "\u0395" # Ε/E
- "\u0396" # Ζ/Z
- "\u0397" # Η/H
- "\u0399" # Ι/I
- "\u039a" # Κ/K
- "\u039c" # Μ/M
- "\u039d" # Ν/N
- "\u039f" # Ο/O
- "\u03a1" # Ρ/P
- "\u03a4" # Τ/T
- "\u03a5" # Υ/Y
- "\u03a7" # Χ/X
selection_lower:
CommandLine|contains:
- "\u0430" # а/a
- "\u0435" # е/e
- "\u043e" # о/o
- "\u0440" # р/p
- "\u0441" # с/c
- "\u0445" # х/x
- "\u0455" # ѕ/s
- "\u0456" # і/i
- "\u04cf" # ӏ/l
- "\u0458" # ј/j
- "\u04bb" # һ/h
- "\u0501" # ԁ/d
- "\u051b" # ԛ/q
- "\u051d" # ԝ/w
- "\u03bf" # ο/o
condition: 1 of selection_*
falsepositives:
- Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
view Sigma YAML
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
- https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
- http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
- attack.stealth
- attack.t1036
- attack.t1036.003
logsource:
category: file_event
product: windows
detection:
selection_upper:
TargetFilename|contains:
- "\u0410" # А/A
- "\u0412" # В/B
- "\u0415" # Е/E
- "\u041a" # К/K
- "\u041c" # М/M
- "\u041d" # Н/H
- "\u041e" # О/O
- "\u0420" # Р/P
- "\u0421" # С/C
- "\u0422" # Т/T
- "\u0425" # Х/X
- "\u0405" # Ѕ/S
- "\u0406" # І/I
- "\u0408" # Ј/J
- "\u04ae" # Ү/Y
- "\u04c0" # Ӏ/I
- "\u050C" # Ԍ/G
- "\u051a" # Ԛ/Q
- "\u051c" # Ԝ/W
- "\u0391" # Α/A
- "\u0392" # Β/B
- "\u0395" # Ε/E
- "\u0396" # Ζ/Z
- "\u0397" # Η/H
- "\u0399" # Ι/I
- "\u039a" # Κ/K
- "\u039c" # Μ/M
- "\u039d" # Ν/N
- "\u039f" # Ο/O
- "\u03a1" # Ρ/P
- "\u03a4" # Τ/T
- "\u03a5" # Υ/Y
- "\u03a7" # Χ/X
selection_lower:
TargetFilename|contains:
- "\u0430" # а/a
- "\u0435" # е/e
- "\u043e" # о/o
- "\u0440" # р/p
- "\u0441" # с/c
- "\u0445" # х/x
- "\u0455" # ѕ/s
- "\u0456" # і/i
- "\u04cf" # ӏ/l
- "\u0458" # ј/j
- "\u04bb" # һ/h
- "\u0501" # ԁ/d
- "\u051b" # ԛ/q
- "\u051d" # ԝ/w
- "\u03bf" # ο/o
condition: 1 of selection_*
falsepositives:
- File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
view Sigma YAML
title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
references:
- https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
- attack.command-and-control
- attack.execution
- attack.t1059.007
- attack.t1105
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains|all:
- 'osacompile'
- 'curl'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential In-Memory Execution Using Reflection.Assembly
Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
view Sigma YAML
title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
- attack.stealth
- attack.t1620
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection:
ScriptBlockText|contains: '[Reflection.Assembly]::load'
condition: selection
falsepositives:
- Legitimate use of the library
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
view Sigma YAML
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
- https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1566
- attack.t1566.001
- attack.initial-access
- attack.t1574
- attack.t1574.001
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# add more processes when you find them
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\MSACCESS.EXE'
- '\MSPUB.EXE'
- '\fltldr.exe'
- '\cmd.exe'
- '\certutil.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\curl.exe'
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|endswith: '.dll'
TargetFilename|contains|all:
- '\Users\'
- '\AppData\'
TargetFilename|contains:
# add more suspicious paths when you find them
- '\Microsoft\OneDrive\'
- '\Microsoft OneDrive\'
- '\Microsoft\Teams\'
- '\Local\slack\app-'
- '\Local\Programs\Microsoft VS Code\'
filter:
Image|endswith: '\cmd.exe'
TargetFilename|contains|all:
- '\Users\'
- '\AppData\'
- '\Microsoft\OneDrive\'
- '\api-ms-win-core-'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
view Sigma YAML
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: test
description: |
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/c '
- '.lnk ~'
- 'Start Menu\Programs\Word'
CommandLine|endswith: '.doc'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
view Sigma YAML
title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: test
description: |
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
references:
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
- https://tria.ge/240123-rapteaahhr/behavioral1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /create '
- 'shutdown /l /f'
- 'WEEKLY'
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
view Sigma YAML
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
- https://twitter.com/ScumBots/status/1610626724257046529
- https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
- https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
- https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
- attack.collection
- attack.credential-access
- attack.t1056.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
view Sigma YAML
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
ParentImage|endswith: '\winrshost.exe'
filter_main_conhost:
Image: 'C:\Windows\System32\conhost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of WinRM within the organization
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
view Sigma YAML
title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
references:
- https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
- https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: X__Junior
date: 2023-04-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\libvlc.dll'
filter_main_vlc:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\VideoLAN\VLC\'
- 'C:\Program Files\VideoLAN\VLC\'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives are expected if VLC is installed in non-default locations
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
view Sigma YAML
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
- https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219.002
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/amazon-ssm-agent'
CommandLine|contains|all:
- '-register '
- '-code '
- '-id '
- '-region '
condition: selection
falsepositives:
- Legitimate activity of system administrators
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
view Sigma YAML
title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.009
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/dd'
CommandLine|contains|all:
- 'of='
- '/proc/'
- '/mem'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
Hunting Opportunity
Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
view Sigma YAML
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
Hunting Opportunity
Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
references:
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
- attack.execution
- attack.t1059
- cve.2023-34362
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'moveitdmz pool'
Image|endswith: '\csc.exe'
condition: selection
falsepositives:
- Initial software installation and software updates.
level: medium
Convert to SIEM query
Showing 751-800 of 1,440