Tool
EDR / XDR
VMware Carbon Black
1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,440
medium
Moderate
High FP
Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
view Sigma YAML
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
- id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
type: derived
status: test
description: |
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
selection_cli:
CommandLine|contains|all:
- '--headless'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
view Sigma YAML
title: Powershell Inline Execution From A File
id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
status: test
description: Detects inline execution of PowerShell code from a file
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_exec:
CommandLine|contains:
- 'iex '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'icm '
selection_read:
CommandLine|contains:
- 'cat '
- 'get-content '
- 'type '
selection_raw:
CommandLine|contains: ' -raw'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them.
view Sigma YAML
title: Powershell Keylogging
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: test
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
author: frack113
date: 2021-07-30
modified: 2022-07-11
tags:
- attack.credential-access
- attack.collection
- attack.t1056.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_basic:
ScriptBlockText|contains: 'Get-Keystrokes'
selection_high: # want to run in background and keyboard
ScriptBlockText|contains|all:
- 'Get-ProcAddress user32.dll GetAsyncKeyState'
- 'Get-ProcAddress user32.dll GetForegroundWindow'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
view Sigma YAML
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: test
description: |
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
author: frack113
date: 2021-07-21
modified: 2022-12-25
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
view Sigma YAML
title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: test
description: |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021-12-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Disable-LocalUser'
- 'Enable-LocalUser'
- 'Get-LocalUser'
- 'Set-LocalUser'
- 'New-LocalUser'
- 'Rename-LocalUser'
- 'Remove-LocalUser'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
view Sigma YAML
title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
author: frack113, MatilJ
date: 2022-01-19
modified: 2022-05-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- '-ComObject'
- 'MsXml2.'
- 'XmlHttp'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Powershell Sensitive File Discovery
Detect adversaries enumerate sensitive files
view Sigma YAML
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
- id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
type: derived
status: test
description: Detect adversaries enumerate sensitive files
references:
- https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- ls
- get-childitem
- gci
selection_recurse:
ScriptBlockText|contains: '-recurse'
selection_file:
ScriptBlockText|contains:
- '.pass'
- '.kdbx'
- '.kdb'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
view Sigma YAML
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: test
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-02
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_compspec:
ScriptBlockText|contains|all:
- 'Start-Process'
- '-FilePath "$env:comspec" '
- '-ArgumentList '
- '>'
condition: selection_compspec
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell Timestomp
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
view Sigma YAML
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
ScriptBlockText|contains:
- '.CreationTime ='
- '.LastWriteTime ='
- '.LastAccessTime ='
- '[IO.File]::SetCreationTime'
- '[IO.File]::SetLastAccessTime'
- '[IO.File]::SetLastWriteTime'
condition: selection_ioc
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Powershell Token Obfuscation - Powershell
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
view Sigma YAML
title: Powershell Token Obfuscation - Powershell
id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
related:
- id: deb9b646-a508-44ee-b7c9-d8965921c6b6
type: similar
status: test
description: |
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1027.009
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
# ${e`Nv:pATh}
- ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_envpath:
ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
filter_chocolatey:
ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
- 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
filter_exchange:
Path|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Path|endswith: '\bin\servicecontrol.ps1'
ScriptBlockText|contains: '`r`n'
condition: selection and not 1 of filter_*
falsepositives:
- Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
view Sigma YAML
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: test
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
author: frack113
date: 2021-08-19
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName __EventFilter '
- '-Property ' # is a variable name
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName CommandLineEventConsumer '
- '-Property ' # is a variable name
condition: selection_ioc
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Powershell XML Execute Command
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
view Sigma YAML
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_xml:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'ICM -'
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
High FP
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
view Sigma YAML
title: Print History File Contents
id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
status: test
description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
references:
- https://github.com/sleventyeleven/linuxprivchecker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
- attack.reconnaissance
- attack.t1592.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/cat'
- '/head'
- '/tail'
- '/more'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
view Sigma YAML
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'dir '
selection_pwsh_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains: 'Get-ChildItem '
selection_findstr:
- Image|endswith: '\findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_ext:
CommandLine|contains:
- '.key'
- '.pgp'
- '.gpg'
- '.ppk'
- '.p12'
- '.pem'
- '.pfx'
- '.cer'
- '.p7b'
- '.asc'
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Privileged Account Creation
Detects when a new admin is created.
view Sigma YAML
title: Privileged Account Creation
id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
status: test
description: Detects when a new admin is created.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
date: 2022-08-11
modified: 2022-08-16
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message|contains|all:
- Add user
- Add member to role
Status: Success
condition: selection
falsepositives:
- A legitimate new admin account being created
level: medium
Convert to SIEM query
medium
Moderate
High FP
Procdump Execution
Detects usage of the SysInternals Procdump utility
view Sigma YAML
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
view Sigma YAML
title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022-08-23
modified: 2025-10-08
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains: ':\Windows\Sysnative\'
- Image|contains: ':\Windows\Sysnative\'
filter_main_ngen:
Image|contains:
- 'C:\Windows\Microsoft.NET\Framework64\v'
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
Image|endswith: '\ngen.exe'
CommandLine|contains: 'install'
filter_optional_xampp:
CommandLine|contains|all:
- '"C:\Windows\sysnative\cmd.exe"'
- '\xampp\'
- '\catalina_start.bat'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Process Launched Without Image Name
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
view Sigma YAML
title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: test
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\.exe'
condition: selection
falsepositives:
- Rare legitimate software.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
view Sigma YAML
title: Process Memory Dump Via Dotnet-Dump
id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
status: test
description: |
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
references:
- https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
- https://twitter.com/bohops/status/1635288066909966338
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet-dump.exe'
- OriginalFileName: 'dotnet-dump.dll'
selection_cli:
CommandLine|contains: 'collect'
condition: all of selection_*
falsepositives:
- Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Process Monitor Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
view Sigma YAML
title: Process Monitor Driver Creation By Non-Sysinternals Binary
id: a05baa88-e922-4001-bc4d-8738135f27de
status: test
description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1068
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\procmon'
TargetFilename|endswith: '.sys'
filter_main_process_explorer:
Image|endswith:
- '\procmon.exe'
- '\procmon64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some false positives may occur with legitimate renamed process monitor binaries
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
view Sigma YAML
title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
- id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsolete
status: test
description: |
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\squirrel.exe'
- '\update.exe'
selection_exec:
CommandLine|contains:
- '--processStart'
- '--processStartAndWait'
- '--createShortcut'
filter_optional_discord:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Discord\Update.exe'
- 'Discord.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStart'
filter_optional_github_desktop:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\Update.exe'
- 'GitHubDesktop.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStartAndWait'
filter_optional_teams:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Microsoft\Teams\Update.exe'
- 'Teams.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
filter_optional_yammer:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\yammerdesktop\Update.exe'
- 'Yammer.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
view Sigma YAML
title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'process'
filter_main_creation:
CommandLine|contains|all:
# Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
- 'call'
- 'create'
condition: all of selection* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Processes Accessing the Microphone and Webcam
Potential adversaries accessing the microphone and webcam in an endpoint.
view Sigma YAML
title: Processes Accessing the Microphone and Webcam
id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
status: test
description: Potential adversaries accessing the microphone and webcam in an endpoint.
references:
- https://twitter.com/duzvik/status/1269671601852813320
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-07
modified: 2021-11-27
tags:
- attack.collection
- attack.t1123
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4657
- 4656
- 4663
ObjectName|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Program Executed Using Proxy/Local Command Via SSH.EXE
Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
view Sigma YAML
title: Program Executed Using Proxy/Local Command Via SSH.EXE
id: 7d6d30b8-5b91-4b90-a891-46cccaf29598
status: test
description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ssh/
- https://github.com/LOLBAS-Project/LOLBAS/pull/211/files
- https://gtfobins.github.io/gtfobins/ssh/
- https://man.openbsd.org/ssh_config#ProxyCommand
- https://man.openbsd.org/ssh_config#LocalCommand
author: frack113, Nasreddine Bencherchali
date: 2022-12-29
modified: 2025-10-16
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
# ParentCommandLine: '"C:\Windows\System32\OpenSSH\sshd.exe" -R'
ParentImage: 'C:\Windows\System32\OpenSSH\sshd.exe'
selection_cli_img:
- Image|endswith: '\ssh.exe'
- Product: 'OpenSSH for Windows'
- Hashes|contains:
- 'IMPHASH=55b4964d29aad5438b9e950052dbbbc0'
- 'IMPHASH=334d66c33503ccbf647c15b47c27eef4'
- 'IMPHASH=27b0da080ef92afb37983d30d839141e'
- 'IMPHASH=977eb4c263d384e47daa0712d34713ab'
- 'IMPHASH=3eaadce9ae43d5a918bb082065815c3b'
- 'IMPHASH=980fe6cf0d996ab1eedf877222e722aa'
- 'IMPHASH=5f959422308ac3d721010d66647e100e'
- 'IMPHASH=a49aaa3d03d1cd9c8dc7fca60f7f480b'
- 'IMPHASH=dd335f759b6d5d6a8382b71dd9d65791'
selection_cli_flags:
- CommandLine|contains: 'ProxyCommand='
- CommandLine|contains|all:
- 'PermitLocalCommand=yes'
- ' LocalCommand'
condition: selection_parent or all of selection_cli_*
falsepositives:
- Legitimate usage for administration purposes
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
view Sigma YAML
title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
- attack.t1587
- attack.t1584
- attack.resource-development
logsource:
product: linux
service: auditd
detection:
selection:
type: 'SYSCALL'
exe|startswith:
# Temporary folder
- '/tmp/'
# Web server
- '/var/www/' # Standard
- '/home/*/public_html/' # Per-user
- '/usr/local/apache2/' # Classical Apache
- '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
- '/var/apache/' # Solaris Apache
- '/srv/www/' # SuSE Linux 9.*
- '/home/httpd/html/' # Redhat 6 or older Apache
- '/srv/http/' # ArchLinux standard
- '/usr/share/nginx/html/' # ArchLinux nginx
# Data dirs of typically exploited services (incomplete list)
- '/var/lib/pgsql/data/'
- '/usr/local/mysql/data/'
- '/var/lib/mysql/'
- '/var/vsftpd/'
- '/etc/bind/'
- '/var/named/'
condition: selection
falsepositives:
- Admin activity (especially in /tmp folders)
- Crazy web applications
level: medium
Convert to SIEM query
medium
Moderate
High FP
Proxy Execution via Vshadow
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
attackers can leverage this parameter to proxy the execution of malware.
view Sigma YAML
title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
- https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
- attack.stealth
- attack.t1202
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\vshadow.exe'
- OriginalFileName: 'vshadow.exe'
selection_cli:
CommandLine|contains: '-exec'
condition: all of selection_*
falsepositives:
- System backup or administrator tools
- Legitimate administrative scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
PsExec Service Execution
Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
view Sigma YAML
title: PsExec Service Execution
id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
type: obsolete
status: test
description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
- Image: 'C:\Windows\PSEXESVC.exe'
- OriginalFileName: 'psexesvc.exe'
condition: selection
falsepositives:
- Legitimate administrative tasks
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
PsExec Service Installation
Detects PsExec service installation and execution events
view Sigma YAML
title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: test
description: Detects PsExec service installation and execution events
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2023-08-04
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName: 'PSEXESVC'
- ImagePath|endswith: '\PSEXESVC.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
view Sigma YAML
title: PsExec Tool Execution From Suspicious Locations - PipeName
id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463
related:
- id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
type: derived
status: test
description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2023-09-20
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: pipe_created
product: windows
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\PSEXESVC'
Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
condition: selection
falsepositives:
- Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Psexec Execution
Detects user accept agreement execution in psexec commandline
view Sigma YAML
title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
- attack.execution
- attack.lateral-movement
- attack.t1569
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\psexec.exe'
- OriginalFileName: 'psexec.c'
condition: selection
falsepositives:
- Administrative scripts.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Publisher Attachment File Dropped In Suspicious Location
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
view Sigma YAML
title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
- https://twitter.com/EmericNasi/status/1623224526220804098
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
- 'C:\Temp\'
TargetFilename|endswith: '.pub'
condition: selection
falsepositives:
- Legitimate usage of ".pub" files from those locations
level: medium
Convert to SIEM query
medium
Moderate
High FP
Pubprn.vbs Proxy Execution
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
view Sigma YAML
title: Pubprn.vbs Proxy Execution
id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
status: test
description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
references:
- https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
author: frack113
date: 2022-05-28
tags:
- attack.stealth
- attack.t1216.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\pubprn.vbs'
- 'script:'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python Initiated Connection
Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
view Sigma YAML
title: Python Initiated Connection
id: bef0bc5a-b9ae-425d-85c6-7b2d705980c6
status: test
description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python
- https://pypi.org/project/scapy/
author: frack113
date: 2021-12-10
modified: 2025-03-05
tags:
- attack.discovery
- attack.t1046
logsource:
category: network_connection
product: windows
definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type'
detection:
selection:
Initiated: 'true'
Image|contains|all:
- '\python'
- '.exe'
filter_optional_conda:
# Related to anaconda updates. Command example: "conda update conda"
# This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe
CommandLine|contains|all:
- ':\ProgramData\Anaconda3\Scripts\conda-script.py'
- 'update'
filter_optional_conda_jupyter_notebook:
# Related to anaconda opening an instance of Jupyter Notebook
# This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage
ParentImage: C:\ProgramData\Anaconda3\python.exe
CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py'
filter_main_local_communication:
# This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python opening sockets locally etc. So comment this out if you want to monitor for those instances
DestinationIp: 127.0.0.1
SourceIp: 127.0.0.1
filter_main_pip:
CommandLine|contains|all:
- 'pip.exe'
- 'install'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python Inline Command Execution
Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
view Sigma YAML
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
references:
- https://docs.python.org/3/using/cmdline.html#cmdoption-c
- https://www.revshells.com/
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-10-07
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'python.exe'
- Image|endswith:
- 'python.exe' # no \ bc of e.g. ipython.exe
- 'python3.exe'
- 'python2.exe'
selection_cli:
CommandLine|contains: ' -c'
filter_main_python_1: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
ParentImage|endswith: '\python.exe'
ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
filter_main_python_trace: # Based on baseline
ParentImage|startswith:
- 'C:\Program Files\Python'
- 'C:\Program Files (x86)\Python'
CommandLine|contains|all:
# CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
- '-W ignore::DeprecationWarning'
- "['install', '--no-cache-dir', '--no-index', '--find-links',"
- "'--upgrade', 'pip'"
filter_optional_vscode:
- ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
- ParentImage:
- 'C:\Program Files\Microsoft VS Code\Code.exe'
- 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
filter_optional_pip:
CommandLine|contains|all:
- '<pip-setuptools-caller>'
- 'exec(compile('
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python Path Configuration File Creation - Linux
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
view Sigma YAML
title: Python Path Configuration File Creation - Linux
id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce
related:
- id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
type: similar
- id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
type: similar
status: test
description: |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
- https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
- attack.execution
- attack.t1059.006
- detection.threat-hunting
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
TargetFilename|endswith: '.pth'
condition: selection
falsepositives:
- Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python Path Configuration File Creation - MacOS
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
view Sigma YAML
title: Python Path Configuration File Creation - MacOS
id: 4f394635-13ef-4599-b677-3353e0f84f55
related:
- id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
type: similar
- id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
type: similar
status: test
description: |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
- https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
- attack.execution
- attack.t1059.006
- detection.threat-hunting
logsource:
product: macos
category: file_event
detection:
selection:
TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
TargetFilename|endswith: '.pth'
condition: selection
falsepositives:
- Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python Path Configuration File Creation - Windows
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
view Sigma YAML
title: Python Path Configuration File Creation - Windows
id: e3652ba3-0ad8-4010-a957-b7ba369e7bac
related:
- id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
type: similar
- id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
type: similar
status: test
description: |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
- https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-25
tags:
- attack.execution
- attack.t1059.006
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|re: '(?i)\\(venv|python(.+)?)\\lib\\site-packages\\' # Covers both Virtual envs and default paths
TargetFilename|endswith: '.pth'
filter_main_python:
Image|endswith: '\python.exe'
TargetFilename|endswith:
- '\pywin32.pth' # VS Studio Python extension
- '\distutils-precedence.pth'
condition: selection and not 1 of filter_main_*
falsepositives:
- Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Python SQL Exceptions
Generic rule for SQL exceptions in Python according to PEP 249
view Sigma YAML
title: Python SQL Exceptions
id: 19aefed0-ffd4-47dc-a7fc-f8b1425e84f9
status: stable
description: Generic rule for SQL exceptions in Python according to PEP 249
references:
- https://www.python.org/dev/peps/pep-0249/#exceptions
author: Thomas Patzke
date: 2017-08-12
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: python
detection:
keywords:
- DataError
- IntegrityError
- ProgrammingError
- OperationalError
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Python Spawning Pretty TTY Via PTY Module
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
view Sigma YAML
title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
- id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
type: similar
status: test
description: |
Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli_import:
CommandLine|contains:
- 'import pty'
- 'from pty '
selection_cli_spawn:
CommandLine|contains: 'spawn'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Python WebServer Execution - Linux
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
view Sigma YAML
title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
Detects the execution of Python web servers via command line interface (CLI).
After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
- https://docs.python.org/3/library/http.server.html
- https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: linux
category: process_creation
detection:
selection_img:
- Image|endswith:
- '/python'
- '/python2'
- '/python3'
- Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_module:
CommandLine|contains:
- 'http.server'
- 'SimpleHTTPServer'
condition: all of selection_*
falsepositives:
- Testing or development activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Query Usage To Exfil Data
Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
view Sigma YAML
title: Query Usage To Exfil Data
id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
status: test
description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
references:
- https://twitter.com/MichalKoczwara/status/1553634816016498688
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-01-19
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: ':\Windows\System32\query.exe'
CommandLine|contains:
- 'session >'
- 'process >'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
view Sigma YAML
title: RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
related:
- id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
type: similar
status: experimental
description: |
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell.
In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP.
In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
references:
- https://www.trendmicro.com/en_gb/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
- https://github.com/HackTricks-wiki/hacktricks/blob/72f20a3fa26775b932bd819f1824c6377802a768/src/windows-hardening/basic-cmd-for-pentesters.md#firewall
- https://github.com/Lifailon/RSA/blob/rsa/Sources/RSA-1.4.1.ps1#L1468
author: Daniel Koifman (KoifSec), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-15
tags:
- attack.lateral-movement
- attack.t1021.001
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\wmic.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'wmic.exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_method:
CommandLine|contains:
- 'rdtoggle'
- 'Win32_TerminalServiceSetting'
selection_cli_property:
CommandLine|contains: 'SetAllowTSConnections'
condition: all of selection_*
falsepositives:
- Legitimate system administrators enabling RDP for remote support
- System configuration scripts during deployment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
RDP Sensitive Settings Changed to Zero
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
view Sigma YAML
title: RDP Sensitive Settings Changed to Zero
id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
related:
- id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
type: similar
- id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
type: similar
status: test
description: |
Detects tampering of RDP Terminal Service/Server sensitive settings.
Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
references:
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-09-29
modified: 2022-11-26
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
- '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
- '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: medium
Convert to SIEM query
medium
Moderate
Low FP
RDS Database Security Group Modification
Detects changes to the security group entries for RDS databases.
This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
view Sigma YAML
title: RDS Database Security Group Modification
id: 14f3f1c8-02d5-43a2-a191-91ffb52d3015
status: test
description: |
Detects changes to the security group entries for RDS databases.
This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet, a wider audience within the VPC or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
references:
- https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
author: jamesc-grafana
date: 2024-07-11
tags:
- attack.initial-access
- attack.t1190
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'rds.amazonaws.com'
eventName:
- 'AuthorizeDBSecurityGroupIngress'
- 'CreateDBSecurityGroup'
- 'DeleteDBSecurityGroup'
- 'RevokeDBSecurityGroupIngress'
condition: selection
falsepositives:
- Creation of a new Database that needs new security group rules
level: medium
Convert to SIEM query
medium
Moderate
High FP
REGISTER_APP.VBS Proxy Execution
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
view Sigma YAML
title: REGISTER_APP.VBS Proxy Execution
id: 1c8774a0-44d4-4db0-91f8-e792359c70bd
status: test
description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\register_app.vbs'
- '-register'
condition: selection
falsepositives:
- Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
view Sigma YAML
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: test
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
author: sawwinnnaung
date: 2020-05-07
modified: 2023-10-11
tags:
- attack.t1003
- attack.credential-access
logsource:
product: azure
service: activitylogs
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
falsepositives:
- Valid change
level: medium
Convert to SIEM query
medium
Moderate
High FP
Rclone Activity via Proxy
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
view Sigma YAML
title: Rclone Activity via Proxy
id: 2c03648b-e081-41a5-b9fb-7d854a915091
status: test
description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
references:
- https://rclone.org/
- https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
author: Janantha Marasinghe
date: 2022-10-18
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'rclone/v'
condition: selection
falsepositives:
- Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations
level: medium
Convert to SIEM query
medium
Moderate
High FP
Rclone Config File Creation
Detects Rclone config files being created
view Sigma YAML
title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
status: test
description: Detects Rclone config files being created
references:
- https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-05-09
tags:
- attack.exfiltration
- attack.t1567.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains|all:
- ':\Users\'
- '\.config\rclone\'
condition: selection
falsepositives:
- Legitimate Rclone usage
level: medium
Convert to SIEM query
medium
Moderate
High FP
Read Contents From Stdin Via Cmd.EXE
Detect the use of "<" to read and potentially execute a file via cmd.exe
view Sigma YAML
title: Read Contents From Stdin Via Cmd.EXE
id: 241e802a-b65e-484f-88cd-c2dc10f9206d
related:
- id: 00a4bacd-6db4-46d5-9258-a7d5ebff4003
type: obsolete
status: test
description: Detect the use of "<" to read and potentially execute a file via cmd.exe
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
- https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-07
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains: '<'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Rebuild Performance Counter Values Via Lodctr.EXE
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
view Sigma YAML
title: Rebuild Performance Counter Values Via Lodctr.EXE
id: cc9d3712-6310-4320-b2df-7cb408274d53
status: test
description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-15
modified: 2024-03-05
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\lodctr.exe'
OriginalFileName: 'LODCTR.EXE'
selection_cli:
CommandLine|contains|windash: ' -r'
condition: all of selection_*
falsepositives:
- Legitimate usage by an administrator
level: medium
Convert to SIEM query
Showing 951-1000 of 1,440