Tool
EDR / XDR
VMware Carbon Black
3,646 rules · Sigma detections in VMware Carbon Black syntax
The same Sigma detection corpus, machine-rendered into VMware Carbon Black query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,646 rules (.zip, 1.2 MB)
Every VMware Carbon Black query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence42
Privilege Escalation20
Stealth79
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,646
high
Moderate
High FP
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
view Sigma YAML
title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
- id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
type: similar
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
view Sigma YAML
title: Potential Renamed Rundll32 Execution
id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
related:
- id: 0ba1da6d-b6ce-4366-828c-18826c9de23e
type: derived
status: test
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
- https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-22
modified: 2023-02-03
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'DllRegisterServer'
filter:
Image|endswith: '\rundll32.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential RipZip Attack on Startup Folder
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
view Sigma YAML
title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: test
description: |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
references:
- https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
author: Greg (rule)
date: 2022-07-21
modified: 2023-01-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: file_event
product: windows
detection:
selection: # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\target.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}\target.lnk
TargetFilename|contains|all:
- '\Microsoft\Windows\Start Menu\Programs\Startup'
- '.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}'
Image|endswith: '\explorer.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential RjvPlatform.DLL Sideloading From Non-Default Location
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
view Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
status: test
description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
references:
- https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\RjvPlatform.dll'
Image: '\SystemResetPlatform.exe'
filter_main_legit_path:
Image|startswith: 'C:\Windows\System32\SystemResetPlatform\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
view Sigma YAML
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
# Example:
# rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
# Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
view Sigma YAML
title: Potential Ryuk Ransomware Activity
id: c37510b8-2107-4b78-aa32-72f251e7a844
related:
- id: 58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27
type: similar
- id: 0acaad27-9f02-4136-a243-c357202edd74
type: obsolete
status: stable
description: Detects Ryuk ransomware activity
references:
- https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/
- https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems)
date: 2019-12-16
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_reg:
CommandLine|contains|all:
- 'Microsoft\Windows\CurrentVersion\Run'
- 'C:\users\Public\'
selection_del:
CommandLine|contains|all:
- 'del /s /f /q c:\'
- '\*.bac'
- '\*.bak'
- '\*.bkf'
selection_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains|all:
- ' stop '
- ' /y'
CommandLine|contains:
- 'samss'
- 'audioendpointbuilder'
- 'unistoresvc_'
- 'AcrSch2Svc'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential SAM Database Dump
Detects the creation of files that look like exports of the local SAM (Security Account Manager)
view Sigma YAML
title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
- https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934
- https://www.google.com/search?q=%22reg.exe+save%22+sam
- https://github.com/HuskyHacks/ShadowSteal
- https://github.com/FireFart/hivenightmare
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-01-05
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
category: file_event
detection:
selection:
- TargetFilename|endswith:
- '\Temp\sam'
- '\sam.sav'
- '\Intel\sam'
- '\sam.hive'
- '\Perflogs\sam'
- '\ProgramData\sam'
- '\Users\Public\sam'
- '\AppData\Local\sam'
- '\AppData\Roaming\sam'
- '_ShadowSteal.zip' # https://github.com/HuskyHacks/ShadowSteal
- '\Documents\SAM.export' # https://github.com/n3tsurge/CVE-2021-36934/
- ':\sam'
- TargetFilename|contains:
- '\hive_sam_' # https://github.com/FireFart/hivenightmare
- '\sam.save'
- '\sam.export'
- '\~reg_sam.save'
- '\sam_backup'
- '\sam.bck'
- '\sam.backup'
condition: selection
falsepositives:
- Rare cases of administrative activity
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
view Sigma YAML
title: Potential SAP NetViewer Webshell Command Execution
id: 94e12f41-6cb3-45c5-97b1-c783a7bf2e72
status: experimental
description: |
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter.
This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
references:
- https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-14
tags:
- attack.persistence
- attack.t1505.003
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-31324
logsource:
category: webserver
detection:
selection_uri:
cs-uri-stem|contains|all:
- '/irj/'
- '.jsp'
selection_query:
- cs-uri-query|startswith:
- 'cmd='
- 'command='
- 'exec_cmd='
- 'exec='
- cs-uri-query|contains:
- '/dev/tcp'
- '/etc/passwd'
- '%2fdev%2ftcp' # URL encoded of /dev/tcp
- '%2fetc%2fpasswd' # URL encoded of /etc/passwd
- '=uname'
- '=whoami'
- 'ifconfig'
- 'ping'
- 'pwd'
- cs-uri-query|contains|all:
- 'echo'
- 'base64'
condition: all of selection_*
falsepositives:
- Legitimate applications using cmd parameter for non-malicious purposes
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
view Sigma YAML
title: Potential SNAKE Malware Installation CLI Arguments Indicator
id: 02cbc035-b390-49fe-a9ff-3bb402c826db
status: test
description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# This CLI regex is based on the following description from the report:
# The jpsetup.exe installer requires two arguments to be passed via the command line for execution
# The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
# The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
CommandLine|re: '\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
view Sigma YAML
title: Potential SNAKE Malware Persistence Service Execution
id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
status: test
description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\services.exe'
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\WerFault.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
view Sigma YAML
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
view Sigma YAML
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: velocity
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'ParseErrorException'
- 'VelocityException'
- 'TemplateInitException'
condition: keywords
falsepositives:
- Application bugs
- Missing .vm files
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
view Sigma YAML
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
id: 7477881c-ec3b-49d6-aced-7255944e5c59
status: experimental
description: |
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
- https://research.eye.security/sharepoint-under-siege/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
- attack.initial-access
- attack.t1190
- cve.2025-53770
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
ParentImage|endswith: '\w3wp.exe'
selection_encoded_aspx:
- CommandLine|wide|base64offset|contains: 'spinstall0.aspx'
- CommandLine|base64|contains: 'spinstall0.aspx'
selection_encoded_path:
CommandLine|wide|base64offset|contains:
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS'
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
selection_ioc:
CommandLine|contains:
- '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
- 'TEMPLATE\LAYOUTS\spinstall0.aspx'
condition: (selection_img and 1 of selection_encoded_*) or selection_ioc
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Signing Bypass Via Windows Developer Features - Registry
Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
- id: a383dec4-deec-4e6e-913b-ed9249670848
type: similar
status: test
description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- https://twitter.com/malmoeb/status/1560536653709598721
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
- '\Policies\Microsoft\Windows\Appx\'
TargetObject|endswith:
- '\AllowAllTrustedApps'
- '\AllowDevelopmentWithoutDevLicense'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
view Sigma YAML
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
- https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
- https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\SmadHook32c.dll'
- '\SmadHook64c.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
- 'C:\Program Files\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files\SMADAV\SmadavProtect64.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SMADAV\'
- 'C:\Program Files\SMADAV\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
view Sigma YAML
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
date: 2020-08-26
modified: 2025-10-19
tags:
- attack.execution
- attack.t1204
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
- CommandLine|re: 'net\s+stop SuperBackupMan'
condition: selection
falsepositives:
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential SocGholish Second Stage C2 DNS Query
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
view Sigma YAML
title: Potential SocGholish Second Stage C2 DNS Query
id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
status: test
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
references:
- https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
- https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
- https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
author: Dusty Miller
date: 2023-02-23
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\wscript.exe'
QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
condition: selection
falsepositives:
- Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
view Sigma YAML
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
Convert to SIEM query
high
Strong
High FP
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
view Sigma YAML
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|contains: '\start menu\programs\startup\'
TargetFilename|endswith: '.lnk'
condition: selection
falsepositives:
- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
view Sigma YAML
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
- https://redcanary.com/blog/ebpf-malware/
- https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
author: Red Canary (idea), Nasreddine Bencherchali
date: 2023-01-25
tags:
- attack.persistence
- attack.stealth
logsource:
product: linux
detection:
selection:
- 'bpf_probe_write_user'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
view Sigma YAML
title: Potential Suspicious Child Process Of 3CXDesktopApp
id: 63f3605b-979f-48c2-b7cc-7f90523fed88
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\3CXDesktopApp.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Suspicious Mofcomp Execution
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
view Sigma YAML
title: Potential Suspicious Mofcomp Execution
id: 1dd05363-104e-4b4a-b963-196a534b03a1
status: test
description: |
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-04-11
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mofcomp.exe'
- OriginalFileName: 'mofcomp.exe'
selection_case:
- ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\wscript.exe'
- '\cscript.exe'
- CommandLine|contains:
- '\AppData\Local\Temp'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '%temp%'
- '%tmp%'
- '%appdata%'
filter_main_wmiprvse:
ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
filter_optional_null_parent:
# Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
view Sigma YAML
title: Potential Suspicious Winget Package Installation
id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
status: test
description: Detects potential suspicious winget package installation from a suspicious source.
references:
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|startswith: '[ZoneTransfer] ZoneId=3'
Contents|contains:
# Note: Add any untrusted sources that are custom to your env
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
view Sigma YAML
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
view Sigma YAML
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\aclui.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appvpolicy.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\batmeter.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\bderepair.dll'
- '\bootmenuux.dll'
- '\bootux.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certcli.dll'
- '\certenroll.dll'
- '\cfgmgr32.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\cmutil.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\configmanager2.dll'
- '\connect.dll'
- '\coredplus.dll'
- '\coremessaging.dll'
- '\coreuicomponents.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptsp.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\d3dx9_43.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcntel.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmcommandlineutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\dpx.dll'
- '\drprov.dll'
- '\drvstore.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsprop.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwmcore.dll'
- '\dwrite.dll'
- '\dxcore.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\dynamoapi.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edgeiso.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\fhsvcctl.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\framedynos.dll'
- '\fveapi.dll'
- '\fveskybackup.dll'
- '\fvewiz.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\fxsapi.dll'
- '\fxsst.dll'
- '\fxstiff.dll'
- '\getuname.dll'
- '\gpapi.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\icmp.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iernonce.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\ifsutil.dll'
- '\inproclogger.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\iumbase.dll'
- '\iumsdk.dll'
- '\joinutil.dll'
- '\kdstub.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\lockhostingframework.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\lrwizdll.dll'
- '\magnification.dll'
- '\maintenanceui.dll'
- '\mapistub.dll'
- '\mbaexmlparser.dll'
- '\mdmdiagnostics.dll'
- '\mfc42u.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\mintdh.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msdtctm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msiso.dll'
- '\msutb.dll'
- '\msvcp110_win.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netapi32.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netjoin.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netprovfw.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\nettrace.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\opcservices.dll'
- '\osbaseln.dll'
- '\osksupport.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pkeyhelper.dll'
- '\pla.dll'
- '\playsndsrv.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\powrprof.dll'
- '\printui.dll'
- '\prntvpt.dll'
- '\profapi.dll'
- '\propsys.dll'
- '\proximitycommon.dll'
- '\proximityservicepal.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasdlg.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\security.dll'
- '\sensapi.dll'
- '\shell32.dll'
- '\shfolder.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spectrumsyncclient.dll'
- '\spp.dll'
- '\sppc.dll'
- '\sppcext.dll'
- '\srclient.dll'
- '\srcore.dll'
- '\srmtrace.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\ssp.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\textshaping.dll'
- '\timesync.dll'
- '\tpmcoreprovisioning.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\umpdc.dll'
- '\unattend.dll'
- '\updatepolicy.dll'
- '\upshared.dll'
- '\urlmon.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\vdsutil.dll'
- '\version.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbio.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windows.ui.immersive.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winscard.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\winsync.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmpdui.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wscapi.dll'
- '\wsdapi.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wsmsvc.dll'
- '\wtsapi32.dll'
- '\wwancfg.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xpsservices.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
# From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
- '\amsi.dll'
- '\appraiser.dll'
- '\COMRES.DLL'
- '\cryptnet.dll'
- '\DispBroker.dll'
- '\dsound.dll'
- '\dxilconv.dll'
- '\FxsCompose.dll'
- '\FXSRESM.DLL'
- '\msdtcVSp1res.dll'
- '\PrintIsolationProxy.dll'
- '\rdpendp.dll'
- '\rpchttp.dll'
- '\storageusage.dll'
- '\utcutil.dll'
- '\WfsR.dll'
# The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdumdim64.dll'
- '\igdusc64.dll'
# Other
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wbemcomn.dll'
- '\WLBSCTRL.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
filter_main_generic:
# Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
ImageLoaded|contains:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
filter_main_windows_temp:
ImageLoaded|startswith: 'C:\Windows\Temp\'
Image|startswith:
- 'C:\Windows\WinSxS\arm64'
- 'C:\Windows\UUS\arm64\'
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
filter_main_dot_net:
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
ImageLoaded|endswith: '\cscui.dll'
filter_main_defender:
ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ImageLoaded|endswith: '\version.dll'
filter_main_directx:
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
ImageLoaded|endswith: '\d3dx9_43.dll'
filter_optional_exchange:
ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
ImageLoaded|endswith: '\mswb7.dll'
filter_optional_arsenal_image_mounter:
ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
ImageLoaded|endswith:
- '\mi.dll'
- '\miutils.dl'
filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
Image|contains:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
view Sigma YAML
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- attack.lateral-movement
- attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_main_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_main_cli:
CommandLine|contains|all:
- ' add '
- '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection_values_2:
CommandLine|contains:
- 'AllowTSConnections'
- 'fDenyTSConnections'
- 'fEnableWinStation'
- 'fSingleSessionPerUser'
- 'IdleWinStationPoolCount'
- 'MaxInstanceCount'
- 'SecurityLayer'
- 'TSAdvertise'
- 'TSAppCompat'
- 'TSEnabled'
- 'TSUserEnabled'
- 'WinStations\RDP-Tcp'
filter_main_values_tls:
CommandLine|contains|all:
- 'SecurityLayer'
- '02' # TLS Enabled
condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
view Sigma YAML
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
- id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'wmic'
- 'product where '
- 'call'
- 'uninstall'
- '/nointeractive'
selection_cli_2:
CommandLine|contains|all:
- 'wmic'
- 'caption like '
CommandLine|contains:
- 'call delete'
- 'call terminate'
selection_cli_3:
CommandLine|contains|all:
- 'process '
- 'where '
- 'delete'
selection_product:
CommandLine|contains:
- '%carbon%'
- '%cylance%'
- '%endpoint%'
- '%eset%'
- '%malware%'
- '%Sophos%'
- '%symantec%'
- 'Antivirus'
- 'AVG '
- 'Carbon Black'
- 'CarbonBlack'
- 'Cb Defense Sensor 64-bit'
- 'Crowdstrike Sensor'
- 'Cylance '
- 'Dell Threat Defense'
- 'DLP Endpoint'
- 'Endpoint Detection'
- 'Endpoint Protection'
- 'Endpoint Security'
- 'Endpoint Sensor'
- 'ESET File Security'
- 'LogRhythm System Monitor Service'
- 'Malwarebytes'
- 'McAfee Agent'
- 'Microsoft Security Client'
- 'Sophos Anti-Virus'
- 'Sophos AutoUpdate'
- 'Sophos Credential Store'
- 'Sophos Management Console'
- 'Sophos Management Database'
- 'Sophos Management Server'
- 'Sophos Remote Management System'
- 'Sophos Update Manager'
- 'Threat Protection'
- 'VirusScan'
- 'Webroot SecureAnywhere'
- 'Windows Defender'
condition: 1 of selection_cli_* and selection_product
falsepositives:
- Legitimate administration
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
view Sigma YAML
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects registry keys related to Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019-02-13
modified: 2025-10-22
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
product: windows
category: registry_add
detection:
selection:
TargetObject|endswith: '\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-7C9D-AB0E-15700F2219A4'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
view Sigma YAML
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
- https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
modified: 2026-05-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vcruntime140.dll'
filter_main_legitimate_path:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_legitimate_signer:
Signed: true
SignatureStatus: 'Valid'
Description|endswith: 'C Runtime Library'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
view Sigma YAML
title: Potential Waveedit.DLL Sideloading
id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
status: test
description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\waveedit.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential WerFault ReflectDebugger Registry Value Abuse
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
view Sigma YAML
title: Potential WerFault ReflectDebugger Registry Value Abuse
id: 0cf2e1c6-8d10-4273-8059-738778f981ad
related:
- id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
type: derived
status: test
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior
date: 2023-05-18
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
view Sigma YAML
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
# - 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
# - 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_optional_mpcmdrun:
Image|endswith: '\MpCmdRun.exe'
CommandLine|contains: 'GetLoadLibraryWAddress32'
filter_optional_compatTelRunner:
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains:
- 'FreeHGlobal'
- 'PtrToString'
- 'kernel32'
- 'CloseHandle'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
view Sigma YAML
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
# Note: Add more suspicious combinations in the form of different selections
selection_injection:
ScriptBlockText|contains|all:
- 'VirtualAlloc'
- 'OpenProcess'
- 'WriteProcessMemory'
- 'CreateRemoteThread'
selection_token_steal:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'LookupPrivilegeValue'
- 'AdjustTokenPrivileges'
selection_duplicate_token:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'DuplicateTokenEx'
- 'CloseHandle'
selection_process_write_read:
ScriptBlockText|contains|all:
- 'WriteProcessMemory'
- 'VirtualAlloc'
- 'ReadProcessMemory'
- 'VirtualFree'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
view Sigma YAML
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
view Sigma YAML
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
view Sigma YAML
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
view Sigma YAML
title: Potential WizardUpdate Malware Infection
id: f68c4a4f-19ef-4817-952c-50dce331f4b0
status: test
description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
- https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
- attack.command-and-control
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/sh'
CommandLine|contains|all:
- '=$(curl '
- 'eval'
selection_2:
Image|endswith: '/curl'
CommandLine|contains: '_intermediate_agent_'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
view Sigma YAML
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
- https://rules.sonarsource.com/java/RSPEC-2755
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'SAXParseException'
- 'DOMException'
condition: keywords
falsepositives:
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high
Convert to SIEM query
high
Strong
Low FP
Potential Zerologon (CVE-2020-1472) Exploitation
Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
view Sigma YAML
title: Potential Zerologon (CVE-2020-1472) Exploitation
id: dd7876d8-0f09-11eb-adc1-0242ac120002
status: test
description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
date: 2020-10-15
modified: 2023-12-15
tags:
- attack.privilege-escalation
- attack.t1068
- cve.2020-1472
logsource:
product: windows
service: security
detection:
selection:
EventID: 4742
SubjectUserName: 'ANONYMOUS LOGON'
TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
filter_main:
PasswordLastSet: '-'
condition: selection and not filter_main
falsepositives:
- Automatic DC computer account password change
- Legitimate DC computer account password change
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
view Sigma YAML
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\appverifUI.dll'
filter_main_legit_path:
Image:
- 'C:\Windows\SysWOW64\appverif.exe'
- 'C:\Windows\System32\appverif.exe'
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
view Sigma YAML
title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
CommandLine|contains:
# Note: add other potential suspicious paths
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
view Sigma YAML
title: Potentially Suspicious Call To Win32_NTEventlogFile Class
id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
- id: e2812b49-bae0-4b21-b366-7c142eafcde2
type: similar
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection_class:
CommandLine|contains: 'Win32_NTEventlogFile'
selection_function:
CommandLine|contains:
- '.BackupEventlog('
- '.ChangeSecurityPermissions('
- '.ChangeSecurityPermissionsEx('
- '.ClearEventLog('
- '.Delete('
- '.DeleteEx('
- '.Rename('
- '.TakeOwnerShip('
- '.TakeOwnerShipEx('
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
view Sigma YAML
title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
- https://redcanary.com/blog/intelligence-insights-april-2022/
- https://www.echotrail.io/insights/search/regsvr32.exe
- https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-05
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\regsvr32.exe'
Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\explorer.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\nltest.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\werfault.exe'
- '\wscript.exe'
filter_main_werfault:
Image|endswith: '\werfault.exe'
CommandLine|contains: ' -u -p '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
view Sigma YAML
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.stealth
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\conhost.exe'
selection_child:
- Image|endswith:
- '\cmd.exe' # Windows Command Prompt
- '\cscript.exe' # Windows Script Host (used for scripting exploits)
- '\mshta.exe' # MSHTA (HTML Application Host, often abused)
- '\powershell_ise.exe' # PowerShell ISE
- '\powershell.exe' # Windows PowerShell
- '\pwsh.exe' # PowerShell Core
- '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
- '\wscript.exe' # Windows Script Host (for executing scripts)
- OriginalFileName:
- 'cmd.exe'
- 'cscript.exe'
- 'mshta.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
view Sigma YAML
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
selection_key:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_powershell_command:
Details|contains:
- 'powershell'
- 'pwsh'
selection_powershell_susp_keywords:
Details|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- 'ftp'
- 'Hidden'
- 'http'
- 'iex'
- 'Invoke-'
selection_wmic_command:
Details|contains: 'wmic'
selection_wmic_susp_keywords:
Details|contains:
- 'shadowcopy'
- 'process call create'
condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
view Sigma YAML
title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
related:
- id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
type: derived
status: test
description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: The "/A" flag is not required to call a specific action
CommandLine|contains: 'REGSVR '
filter_main_dll_ext:
CommandLine|contains: '.dll'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
view Sigma YAML
title: Potentially Suspicious Event Viewer Child Process
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: test
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\eventvwr.exe'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\System32\WerFault.exe'
- ':\Windows\SysWOW64\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
view Sigma YAML
title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
- attack.execution
- attack.stealth
- attack.t1564
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: ':\Users\Public\'
selection_child:
- Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'cscript'
- 'mshta'
- 'powershell'
- 'regsvr32'
- 'rundll32'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
view Sigma YAML
title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
id: b6e04788-29e1-4557-bb14-77f761848ab8
status: test
description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_websites:
CommandLine|contains:
# Note: You might want to baseline the github domain before including it
# - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea).
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
# - 'github.com' See note above
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'wget '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1151-1200 of 3,646