1,440 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 1,440
medium
Moderate
High FP
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
title: User Added to Local Administrators Group
id: ad720b90-25ad-43ff-9b5e-5c841facc8e5
related:
    - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
      type: similar
    - id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
      type: similar
status: test
description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-03-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        - CommandLine|contains|all:
              # net.exe
              - 'localgroup '
              - ' /add'
        - CommandLine|contains|all:
              # powershell.exe
              - 'Add-LocalGroupMember '
              - ' -Group '
    selection_group:
        CommandLine|contains:
            - ' administrators '
            - ' administrateur' # Typo without an 'S' so we catch both
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium
medium
Moderate
Medium FP
User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
status: test
description: User Added to an Administrator's Azure AD Role
references:
    - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
author: Raphaël CALVET, @MetallicHack
date: 2021-10-04
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1098.003
    - attack.t1078
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        Operation: 'Add member to role.'
        Workload: 'AzureActiveDirectory'
        ModifiedProperties{}.NewValue|endswith:
            - 'Admins'
            - 'Administrator'
    condition: selection
falsepositives:
    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
level: medium
medium
Moderate
High FP
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
title: User Discovery And Export Via Get-ADUser Cmdlet
id: 1114e048-b69c-4f41-bc20-657245ae6e3f
related:
    - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
      type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Moderate
High FP
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
      type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium
medium
Moderate
High FP
User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/userdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
medium
Moderate
Medium FP
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
title: User Removed From Group With CA Policy Modification Access
id: 665e2d43-70dc-4ccc-9d27-026c9dd7ed9c
status: test
description: Monitor and alert on group membership removal of groups that have CA policy modification access
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
author: Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'
date: 2022-08-04
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548
    - attack.t1556
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Remove member from group
    condition: selection
falsepositives:
    - User removed from the group is approved
level: medium
medium
Moderate
Low FP
User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
title: User State Changed From Guest To Member
id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e
status: test
description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
author: MikeDuddington, '@dudders1'
date: 2022-06-30
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        Category: 'UserManagement'
        OperationName: 'Update user'
        properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'
    condition: selection
falsepositives:
    - If this was approved by System Administrator.
level: medium
medium
Strong
Low FP
Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
title: Users Authenticating To Other Azure AD Tenants
id: 5f521e4b-0105-4b72-845b-2198a54487b9
status: test
description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
author: MikeDuddington, '@dudders1'
date: 2022-06-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: 'Success'
        HomeTenantId: 'HomeTenantID'
    filter:
        ResourceTenantId|contains: 'HomeTenantID'
    condition: selection and not filter
falsepositives:
    - If this was approved by System Administrator.
level: medium
medium
Moderate
High FP
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
title: UtilityFunctions.ps1 Proxy Dll
id: 0403d67d-6227-4ea8-8145-4e72db7da120
status: test
description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
references:
    - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
author: frack113
date: 2022-05-28
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'UtilityFunctions.ps1'
            - 'RegSnapin '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes.
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
    Detects creation of ".vhd"/".vhdx" files by browser processes.
    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-10-25
modified: 2023-05-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
        TargetFilename|contains: '.vhd'
    condition: selection
falsepositives:
    - Legitimate downloads of ".vhd" files would also trigger this
level: medium
medium
Strong
Medium FP
VMGuestLib DLL Sideload
Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
title: VMGuestLib DLL Sideload
id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff
status: test
description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
references:
    - https://decoded.avast.io/martinchlumecky/png-steganography/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-01
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains|all:
            - '\VMware\VMware Tools\vmStatsProvider\win32'
            - '\vmGuestLib.dll'
        Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe'
    filter:
        Signed: 'true'
    condition: selection and not filter
falsepositives:
    - FP could occur if the legitimate version of vmGuestLib already exists on the system
level: medium
medium
Moderate
Medium FP
VMMap Signed Dbghelp.DLL Potential Sideloading
Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
title: VMMap Signed Dbghelp.DLL Potential Sideloading
id: 98ffaed4-aec2-4e04-9b07-31492fe68b3d
related:
    - id: 273a8dd8-3742-4302-bcc7-7df5a80fe425
      type: similar
status: test
description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
references:
    - https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: 'C:\Debuggers\dbghelp.dll'
        Image|endswith:
            - '\vmmap.exe'
            - '\vmmap64.exe'
        Signed: 'true'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
title: Veeam Backup Database Suspicious Query
id: 696bfb54-227e-4602-ac5b-30d9d2053312
status: test
description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        Image|endswith: '\sqlcmd.exe'
        CommandLine|contains|all:
            - 'VeeamBackup'
            - 'From '
    selection_db:
        CommandLine|contains:
            - 'BackupRepositories'
            - 'Backups'
            - 'Credentials'
            - 'HostCreds'
            - 'SmbFileShares'
            - 'Ssh_creds'
            - 'VSphereInfo'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run COM object via GUID
title: Verclsid.exe Runs COM Object
id: d06be4b9-8045-428b-a567-740a26d9db25
status: test
description: Detects when verclsid.exe is used to run COM object via GUID
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
    - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\verclsid.exe'
        - OriginalFileName: 'verclsid.exe'
    selection_cli:
        CommandLine|contains|all:
            - '/S'
            - '/C'
    filter_main_runtimebroker:
        ParentImage|endswith: 'C:\Windows\System32\RuntimeBroker.exe'
        CommandLine|contains|all:
            - 'verclsid.exe" /S /C {'
            - '} /I {'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Visual Studio Code Tunnel Remote File Creation
Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
title: Visual Studio Code Tunnel Remote File Creation
id: 56e05d41-ce99-4ecd-912d-93f019ee0b71
status: test
description: |
    Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|contains: '\servers\Stable-'
        Image|endswith: '\server\node.exe'
        TargetFilename|contains: '\.vscode-server\data\User\History\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Visual Studio Code Tunnel Service Installation
Detects the installation of VsCode tunnel (code-tunnel) as a service.
title: Visual Studio Code Tunnel Service Installation
id: 30bf1789-379d-4fdc-900f-55cd0a90a801
status: test
description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'tunnel '
            - 'service'
            - 'internal-run'
            - 'tunnel-service.log'
    condition: selection
falsepositives:
    - Legitimate installation of code-tunnel as a service
level: medium
medium
Strong
Medium FP
Visual Studio Code Tunnel Shell Execution
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
title: Visual Studio Code Tunnel Shell Execution
id: f4a623c2-4ef5-4c33-b811-0642f702c9f1
status: test
description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
    - https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\servers\Stable-'
        ParentImage|endswith: '\server\node.exe'
        ParentCommandLine|contains: '.vscode-server' # Technically one can host its own local server instead of using the VsCode one. And that would probably change the name (requires further research)
    # Note: Child processes (ie: shells) can be whatever technically (with some efforts)
    selection_child_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: '\terminal\browser\media\shellIntegration.ps1'
    selection_child_2:
        Image|endswith:
            - '\wsl.exe'
            - '\bash.exe'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate use of Visual Studio Code tunnel and running code from there
level: medium
medium
Moderate
High FP
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
title: Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
id: a20391f8-76fb-437b-abc0-dba2df1952c6
related:
    - id: 65c3ca2c-525f-4ced-968e-246a713d164f
      type: similar
status: test
description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
references:
    - https://twitter.com/mrd0x/status/1463526834918854661
    - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2023-04-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
    condition: selection
falsepositives:
    - Legitimate use by developers as part of NodeJS development with Visual Studio Tools
level: medium
medium
Moderate
Medium FP
Visual Studio NodejsTools PressAnyKey Renamed Execution
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
title: Visual Studio NodejsTools PressAnyKey Renamed Execution
id: 65c3ca2c-525f-4ced-968e-246a713d164f
related:
    - id: a20391f8-76fb-437b-abc0-dba2df1952c6
      type: similar
status: test
description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
references:
    - https://twitter.com/mrd0x/status/1463526834918854661
    - https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-04-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'Microsoft.NodejsTools.PressAnyKey.exe'
    filter_main_legit_name:
        Image|endswith: '\Microsoft.NodejsTools.PressAnyKey.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
VsCode Code Tunnel Execution File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
title: VsCode Code Tunnel Execution File Indicator
id: 9661ec9d-4439-4a7a-abed-d9be4ca43b6d
status: test
description: |
    Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
references:
    - https://ipfyx.fr/post/visual-studio-code-tunnel/
    - https://badoption.eu/blog/2023/01/31/code_c2.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-25
tags:
    - attack.command-and-control
    - detection.threat-hunting
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\code_tunnel.json'
    condition: selection
falsepositives:
    - Legitimate usage of VsCode tunneling functionality will also trigger this
level: medium
medium
Moderate
High FP
VsCode Powershell Profile Modification
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
title: VsCode Powershell Profile Modification
id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
    - id: b5b78988-486d-4a80-b991-930eff3ff8bf
      type: similar
status: test
description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-01-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
    condition: selection
falsepositives:
    - Legitimate use of the profile by developers or administrators
level: medium
medium
Moderate
Medium FP
WDAC Policy File Creation In CodeIntegrity Folder
Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
title: WDAC Policy File Creation In CodeIntegrity Folder
id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
status: experimental
description: |
    Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
references:
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://www.virustotal.com/gui/file/d2a4f52a9923336f119a52e531bbb1e66f18322fd8efa9af1a64b94f4d36dc97
author: Andreas Braathen (mnemonic.io)
date: 2025-01-30
tags:
    - attack.defense-impairment
    - attack.t1685
    - detection.threat-hunting
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: By default the file_event log source might not contain the IntegrityLevel of the Process. It should be collected in order to use this rule'
detection:
    selection:
        TargetFilename|contains: ':\Windows\System32\CodeIntegrity\'
        TargetFilename|endswith:
            - '.cip'
            - '.p7b'
        IntegrityLevel: 'High'
    condition: selection
falsepositives:
    - May occur legitimately as part of admin activity, but rarely with interactive elevation.
level: medium
medium
Moderate
Medium FP
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
    - https://www.huntress.com/blog/silencing-the-edr-silencers
    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
    filter_main_svchost:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
status: test
description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
references:
    - https://twitter.com/HunterPlaybook/status/1301207718355759107
    - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
    - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2023-02-22
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\scrcons.exe'
        ImageLoaded|endswith:
            - '\vbscript.dll'
            - '\wbemdisp.dll'
            - '\wshom.ocx'
            - '\scrrun.dll'
    condition: selection
falsepositives:
    - Legitimate event consumers
    - Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
medium
Moderate
Medium FP
WMI Event Consumer Created Named Pipe
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
title: WMI Event Consumer Created Named Pipe
id: 493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb
status: test
description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
references:
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2023-11-30
tags:
    - attack.t1047
    - attack.execution
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        Image|endswith: '\scrcons.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
WMI Event Subscription
Detects creation of WMI event subscription persistence method
title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: test
description: Detects creation of WMI event subscription persistence method
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection:
        EventID:
            - 19
            - 20
            - 21
    condition: selection
falsepositives:
    - Exclude legitimate (vetted) use of WMI event subscription in your network
level: medium
medium
Strong
Low FP
WMI Persistence
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
title: WMI Persistence
id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017-08-22
modified: 2022-02-10
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
product: windows
service: wmi
definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher'
detection:
wmi_filter_to_consumer_binding:
EventID: 5861
consumer_keywords:
- 'ActiveScriptEventConsumer'
- 'CommandLineEventConsumer'
- 'CommandLineTemplate'
# - 'Binding EventFilter' # too many false positives with HP Health Driver
wmi_filter_registration:
EventID: 5859
filter_scmevent:
Provider: 'SCM Event Provider'
Query: 'select * from MSFT_SCMEventLogEvent'
User: 'S-1-5-32-544'
PossibleCause: 'Permanent'
condition: ( (wmi_filter_to_consumer_binding and consumer_keywords) or (wmi_filter_registration) ) and not filter_scmevent
falsepositives:
- Unknown (data set is too small; further testing needed)
level: medium
medium
Moderate
Medium FP
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
title: WMI Persistence - Script Event Consumer
id: ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e
status: test
description: Detects WMI script event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2022-10-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image: C:\WINDOWS\system32\wbem\scrcons.exe
ParentImage: C:\Windows\System32\svchost.exe
condition: selection
falsepositives:
- Legitimate event consumers
- Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button
level: medium
medium
Moderate
Medium FP
WMI Persistence - Security
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
title: WMI Persistence - Security
id: f033f3f3-fd24-4995-97d8-a3bb17550a88
related:
- id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b
type: derived
status: test
description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
references:
- https://twitter.com/mattifestation/status/899646620148539397
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community
date: 2017-08-22
modified: 2022-11-29
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
ObjectType: 'WMI Namespace'
ObjectName|contains: 'subscription'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
level: medium
medium
Strong
Medium FP
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
title: WMIC Loading Scripting Libraries
id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
related:
- id: 8d63dadf-b91b-4187-87b6-34a1114577ea
type: similar
- id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
type: similar
status: test
description: |
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
references:
- https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
- https://twitter.com/dez_/status/986614411711442944
- https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-17
modified: 2022-10-13
tags:
- attack.stealth
- attack.t1220
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\wmic.exe'
ImageLoaded|endswith:
- '\jscript.dll'
- '\vbscript.dll'
condition: selection
falsepositives:
- The command wmic os get lastbootuptime loads vbscript.dll
- The command wmic os get locale loads vbscript.dll
- Since the ImageLoad event doesn't have enough information in this case, it's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights
- The command `wmic ntevent` loads vbscript.dll
level: medium
medium
Moderate
Medium FP
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
title: WMIC Remote Command Execution
id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00
related:
- id: e42af9df-d90b-4306-b7fb-05c863847ebd
type: obsolete
- id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
type: obsolete
status: test
description: Detects the execution of WMIC to query information on a remote system
references:
- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
modified: 2025-10-22
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|windash: '/node:'
filter_main_localhost:
CommandLine|contains:
- 'localhost'
- '127.0.0.1'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
WMIC Unquoted Services Path Lookup - PowerShell
Detects a known WMI recon method to look for unquoted service paths, often used inside PowerShell enumeration scripts by pentesters and attackers
title: WMIC Unquoted Services Path Lookup - PowerShell
id: 09658312-bc27-4a3b-91c5-e49ab9046d1b
related:
- id: 68bcd73b-37ef-49cb-95fc-edc809730be6
type: similar
status: test
description: Detects a known WMI recon method to look for unquoted service paths, often used inside PowerShell enumeration scripts by pentesters and attackers
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2022-11-25
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Get-WmiObject '
- 'gwmi '
ScriptBlockText|contains|all:
- ' Win32_Service '
- 'Name'
- 'DisplayName'
- 'PathName'
- 'StartMode'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
title: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
id: 1e33157c-53b1-41ad-bbcc-780b80b58288
related:
- id: 23250293-eed5-4c39-b57a-841c8933a57d
type: obsolete
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf, .wsh) by Wscript/Cscript.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://redcanary.com/blog/gootloader/
author: Michael Haag
date: 2019-01-16
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'wscript.exe'
- 'cscript.exe'
- Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
selection_cli:
CommandLine|contains:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: all of selection_*
falsepositives:
- Some additional tuning is required. It is recommended to add the user profile path in CommandLine if it is getting too noisy.
level: medium
medium
Moderate
Medium FP
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
title: WSL Child Process Anomaly
id: 2267fe65-0681-42ad-9a6d-46553d3f3480
related:
- id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
type: derived
status: test
description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
- https://twitter.com/nas_bench/status/1535431474429808642
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2023-08-15
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\wsl.exe'
- '\wslhost.exe'
selection_children_images:
Image|endswith:
# Add more suspicious/uncommon "lolbin" processes
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_children_paths:
Image|contains:
- '\AppData\Local\Temp\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
- 'C:\Temp\'
- '\Downloads\'
- '\Desktop\'
condition: selection_parent and 1 of selection_children_*
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
An example would be a threat actor creating a new user via the net command and providing the password inline
title: Weak or Abused Passwords In CLI
id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4
status: test
description: |
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
An example would be a threat actor creating a new user via the net command and providing the password inline
references:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-14
modified: 2024-02-23
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# Add more passwords
- '123456789'
- '123123qwE'
- 'Asd123.aaaa'
- 'Decryptme'
- 'P@ssw0rd!'
- 'Pass8080'
- 'password123' # Also covers PASSWORD123123! as seen in https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- 'test@202' # Covers multiple years
condition: selection
falsepositives:
- Legitimate usage of the passwords by users via commandline (should be discouraged)
- Other currently unknown false positives
level: medium
medium
Strong
Medium FP
WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with potentially suspicious extensions
title: WebDAV Temporary Local File Creation
id: 4c55738d-72d8-490e-a2db-7969654e375f
related:
- id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
type: similar
status: test
description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
author: Micah Babinski
date: 2023-08-21
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\TfsStore\Tfs_DAV\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.ico'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.vbe'
- '.vbs'
- '.zip'
condition: selection
falsepositives:
- Legitimate use of WebDAV in an environment
level: medium
medium
Moderate
Medium FP
WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
title: WebDav Client Execution Via Rundll32.EXE
id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
status: test
description: |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/17
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\svchost.exe'
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Moderate
Medium FP
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
title: WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze
id: 8a2f4b1c-3d5e-4f7a-9b2c-1e4f6d8a9c2b
related:
- id: 387df17d-3b04-448f-8669-9e7fd5e5fd8c
type: similar
- id: 1f0b4cac-9c81-41f4-95d0-8475ff46b3e2
type: similar
status: experimental
description: |
Detects the loading of dbgcore.dll or dbghelp.dll by WerFaultSecure.exe, which has been observed in EDR-Freeze attacks to suspend processes and evade detection.
However, this behavior has also been observed during normal software installations, so further investigation is required to confirm malicious activity.
When threat hunting, look for this activity in conjunction with other suspicious processes starting, network connections, or file modifications that occur shortly after the DLL load.
Pay special attention to timing - if other malicious activities occur during or immediately after this library loading, it may indicate EDR evasion attempts.
Also correlate with any EDR/AV process suspension events or gaps in security monitoring during the timeframe.
references:
- https://github.com/TwoSevenOneT/EDR-Freeze
- https://blog.axelarator.net/hunting-for-edr-freeze/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.defense-impairment
- attack.t1685
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\WerFaultSecure.exe'
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules-threat-hunting/windows/image_load/image_load_win_werfaultsecure_dbgcore_dbghelp_load/info.yml
medium
Strong
Medium FP
Wget Creating Files in Tmp Directory
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
title: Wget Creating Files in Tmp Directory
id: 35a05c60-9012-49b6-a11f-6bab741c9f74
status: test
description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: linux
category: file_event
detection:
selection:
Image|endswith: '/wget'
TargetFilename|startswith:
- '/tmp/'
- '/var/tmp/'
condition: selection
falsepositives:
- Legitimate downloads of files in the tmp folder.
level: medium
medium
Strong
Medium FP
Whoami.EXE Execution With Output Option
Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
title: Whoami.EXE Execution With Output Option
id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
status: test
description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2023-12-04
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection_main_img:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_main_cli:
CommandLine|contains:
- ' /FO CSV'
- ' -FO CSV'
selection_special:
CommandLine|contains: 'whoami*>'
condition: all of selection_main_* or selection_special
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
WinAPI Function Calls Via PowerShell Scripts
Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
title: WinAPI Function Calls Via PowerShell Scripts
id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: similar
- id: 19d65a1c-8540-4140-8062-8eb00db0bba5
type: similar
status: test
description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-21
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'SetThreadToken'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
condition: selection
falsepositives:
- This rule is mainly used for hunting and will generate quite a lot of false positives when applied in production. It's best combined with other fields such as the path of execution, the parent process, etc.
level: medium
medium
Moderate
High FP
WinAPI Library Calls Via PowerShell Scripts
Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
title: WinAPI Library Calls Via PowerShell Scripts
id: 19d65a1c-8540-4140-8062-8eb00db0bba5
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: similar
- id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
type: similar
status: test
description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-21
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Advapi32.dll'
- 'kernel32.dll'
- 'KernelBase.dll'
- 'ntdll.dll'
- 'secur32.dll'
- 'user32.dll'
condition: selection
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
- Chocolatey scripts
level: medium
medium
Strong
Medium FP
WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
title: WinRAR Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution in a folder which is not the default installation folder
references:
- https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2025-07-16
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\rar.exe'
- '\winrar.exe'
- Description:
- 'Command line RAR'
- 'WinRAR'
filter_main_unrar:
# Note: we filter unrar as it has the same description as the other utilities, and we're only interested in compression
Image|endswith: '\UnRAR.exe'
filter_main_path:
Image|contains:
- ':\Program Files (x86)\WinRAR\'
- ':\Program Files\WinRAR\'
filter_optional_temp:
# Note: on some occasions installers were seen dropping "rar" in TEMP
Image|contains: ':\Windows\Temp\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate use of WinRAR in a folder of a software that bundles WinRAR
level: medium
medium
Strong
Medium FP
WinSock2 Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
title: WinSock2 Autorun Keys Modification
id: d6c2ce7e-afb5-4337-9ca4-4b5254ed0565
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: derived
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
winsock_parameters_base:
TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters'
winsock_parameters:
TargetObject|contains:
- '\Protocol_Catalog9\Catalog_Entries'
- '\NameSpace_Catalog5\Catalog_Entries'
filter:
- Details: '(Empty)'
- Image: 'C:\Windows\System32\MsiExec.exe'
- Image: 'C:\Windows\syswow64\MsiExec.exe'
condition: winsock_parameters_base and winsock_parameters and not filter
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
medium
Moderate
Medium FP
WinSxS Executable File Creation By Non-System Process
Detects the creation of binaries in the WinSxS folder by non-system processes
title: WinSxS Executable File Creation By Non-System Process
id: 34746e8c-5fb8-415a-b135-0abc167e912a
related:
- id: 64827580-e4c3-4c64-97eb-c72325d45399
type: derived
status: test
description: Detects the creation of binaries in the WinSxS folder by non-system processes
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
- attack.execution
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\WinSxS\'
TargetFilename|endswith: '.exe'
filter_main_system_location:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Moderate
High FP
Windows Admin Share Mount Via Net.EXE
Detects when an admin share is mounted using net.exe
title: Windows Admin Share Mount Via Net.EXE
id: 3abd6094-7027-475f-9630-8ab9be7b9725
related:
- id: f117933c-980c-4f78-b384-e3d838111165
type: similar
status: test
description: Detects when an admin share is mounted using net.exe
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
date: 2020-10-05
modified: 2023-02-21
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' \\\\*\\*$'
condition: all of selection_*
falsepositives:
- Administrators
level: medium
medium
Strong
Medium FP
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
title: Windows AppX Deployment Full Trust Package Installation
id: e54279c7-4910-4e2c-902c-c56a25b549f6
status: experimental
description: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
references:
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
- attack.execution
- attack.defense-impairment
- attack.t1204.002
- attack.t1553.005
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 400
HasFullTrust: true
filter_main_legitpath:
PackageSourceUri|startswith:
- 'file:///C:/Program%20Files/'
- 'file:///C:/Program%20Files%20(x86)/'
filter_main_microsoft:
- PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
- PackageSourceUri|contains:
- '.cdn.microsoft.com'
- '.cdn.office.net/'
filter_main_callerprocess:
CallingProcess|startswith:
- 'sysprep.exe'
- 'svchost.exe,AppReadiness'
filter_optional_x_update:
PackageSourceUri|startswith: 'x-windowsupdate://'
filter_optional_microsoftclient:
PackageFullName|startswith: 'MicrosoftWindows.Client.'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate application installations that the filters miss can generate false positives, so baselining and tuning are recommended before deploying to production
level: medium
medium
Moderate
Low FP
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
      type: similar
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 603
        Flags: '8388608'
    condition: selection
falsepositives:
    - Legitimate installation of unsigned packages for legitimate purposes such as development or testing
level: medium
medium
Strong
Medium FP
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
view Sigma YAML
title: Windows Backup Deleted Via Wbadmin.EXE
id: 89f75308-5b1b-4390-b2d8-d6b2340efaf8
related:
    - id: 639c9081-f482-47d3-a0bd-ddee3d4ecd76
      type: derived
status: test
description: |
    Detects the deletion of backups or system state backups via "wbadmin.exe".
    This technique is used by numerous ransomware families and actors.
    This may only be successful on server platforms that have Windows Backup enabled.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
    - https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
    - https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-13
modified: 2024-05-10
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'delete '
            - 'backup' # Also covers "SYSTEMSTATEBACKUP"
    filter_main_keep_versions:
        # Note: We exclude this to avoid duplicate alerts with 639c9081-f482-47d3-a0bd-ddee3d4ecd76
        CommandLine|contains: 'keepVersions:0'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Legitimate backup activity from administration scripts and software.
level: medium
medium
Moderate
Medium FP
Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance.
This could be used to masquerade parent-child relationships
view Sigma YAML
title: Windows Binary Executed From WSL
id: ed825c86-c009-4014-b413-b76003e33d35
status: test
description: |
    Detects the execution of Windows binaries from within a WSL instance.
    This could be used to masquerade parent-child relationships
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|re: '[a-zA-Z]:\\'
        CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe). Will default to another location
    condition: selection
falsepositives:
    - Unknown
level: medium