Tool
EDR / XDR
Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 763
high
Moderate
Medium FP
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
view Sigma YAML
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
view Sigma YAML
title: Suspicious Modification Of Scheduled Tasks
id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b
related:
- id: 614cf376-6651-47c4-9dcc-6b9527f749f4 # Security-Audting Eventlog
type: similar
status: test
description: |
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location
Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on
Instead they modify the task after creation to include their malicious payload
references:
- Internal Research
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2022-11-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /Change '
- ' /TN '
selection_susp_locations:
CommandLine|contains:
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '\Desktop\'
- '\Downloads\'
- '\Temporary Internet'
- 'C:\ProgramData\'
- 'C:\Perflogs\'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
selection_susp_images:
CommandLine|contains:
- 'regsvr32'
- 'rundll32'
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'certutil'
- 'bitsadmin'
- 'bash.exe'
- 'bash '
- 'scrcons'
- 'wmic '
- 'wmic.exe'
- 'forfiles'
- 'scriptrunner'
- 'hh.exe'
- 'hh '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious New Service Creation
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
view Sigma YAML
title: Suspicious New Service Creation
id: 17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8
related:
- id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
type: derived
status: test
description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2022-11-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_sc:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'create'
- 'binPath='
selection_posh:
CommandLine|contains|all:
- 'New-Service'
- '-BinaryPathName'
susp_binpath:
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'mshta'
- 'wscript'
- 'cscript'
- 'svchost'
- 'dllhost'
- 'cmd '
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'rundll32'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: 1 of selection* and susp_binpath
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
view Sigma YAML
title: Suspicious Nohup Execution
id: 457df417-8b9d-4912-85f3-9dbda39c3645
related:
- id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
type: derived
status: test
description: Detects execution of binaries located in potentially suspicious locations via "nohup"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.execution
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/nohup'
CommandLine|contains: '/tmp/'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Obfuscated PowerShell Code
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
view Sigma YAML
title: Suspicious Obfuscated PowerShell Code
id: 8d01b53f-456f-48ee-90f6-bc28e67d4e35
status: test
description: Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
references:
- https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
author: Florian Roth (Nextron Systems)
date: 2022-07-11
modified: 2023-02-14
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# -bxor 0x
- 'IAAtAGIAeABvAHIAIAAwAHgA'
- 'AALQBiAHgAbwByACAAMAB4A'
- 'gAC0AYgB4AG8AcgAgADAAeA'
# .Invoke() |
- 'AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg'
- 'AuAEkAbgB2AG8AawBlACgAKQAgAHwAI'
- 'ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC'
# {1}{0}" -f
# {0}{3}" -f
# {2}{0}" -f
- 'AHsAMQB9AHsAMAB9ACIAIAAtAGYAI'
- 'B7ADEAfQB7ADAAfQAiACAALQBmAC'
- 'AewAxAH0AewAwAH0AIgAgAC0AZgAg'
- 'AHsAMAB9AHsAMwB9ACIAIAAtAGYAI'
- 'B7ADAAfQB7ADMAfQAiACAALQBmAC'
- 'AewAwAH0AewAzAH0AIgAgAC0AZgAg'
- 'AHsAMgB9AHsAMAB9ACIAIAAtAGYAI'
- 'B7ADIAfQB7ADAAfQAiACAALQBmAC'
- 'AewAyAH0AewAwAH0AIgAgAC0AZgAg'
# {1}{0}' -f
# {0}{3}' -f
# {2}{0}' -f
- 'AHsAMQB9AHsAMAB9ACcAIAAtAGYAI'
- 'B7ADEAfQB7ADAAfQAnACAALQBmAC'
- 'AewAxAH0AewAwAH0AJwAgAC0AZgAg'
- 'AHsAMAB9AHsAMwB9ACcAIAAtAGYAI'
- 'B7ADAAfQB7ADMAfQAnACAALQBmAC'
- 'AewAwAH0AewAzAH0AJwAgAC0AZgAg'
- 'AHsAMgB9AHsAMAB9ACcAIAAtAGYAI'
- 'B7ADIAfQB7ADAAfQAnACAALQBmAC'
- 'AewAyAH0AewAwAH0AJwAgAC0AZgAg'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
view Sigma YAML
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
type: derived
- id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\OUTLOOK.EXE'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\msdt.exe' # CVE-2022-30190
- '\mshta.exe'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
# Several FPs with rundll32.exe
# We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
# - '\rundll32.exe'
# filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains: '\PhotoViewer.dll'
# filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains|all:
# - 'shell32.dll,Control_RunDLL'
# - '\SYSTEM32\SPOOL\DRIVERS\'
condition: selection # and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
- id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
- https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
filter:
Image|endswith: '\outlook.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Parent Double Extension File Execution
Detect execution of suspicious double extension files in ParentCommandLine
view Sigma YAML
title: Suspicious Parent Double Extension File Execution
id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
related:
- id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
type: derived
status: test
description: Detect execution of suspicious double extension files in ParentCommandLine
references:
- https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-06
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036.007
logsource:
category: process_creation
product: windows
detection:
selection:
- ParentImage|endswith:
- '.doc.lnk'
- '.docx.lnk'
- '.xls.lnk'
- '.xlsx.lnk'
- '.ppt.lnk'
- '.pptx.lnk'
- '.rtf.lnk'
- '.pdf.lnk'
- '.txt.lnk'
- '.doc.js'
- '.docx.js'
- '.xls.js'
- '.xlsx.js'
- '.ppt.js'
- '.pptx.js'
- '.rtf.js'
- '.pdf.js'
- '.txt.js'
- ParentCommandLine|contains:
- '.doc.lnk'
- '.docx.lnk'
- '.xls.lnk'
- '.xlsx.lnk'
- '.ppt.lnk'
- '.pptx.lnk'
- '.rtf.lnk'
- '.pdf.lnk'
- '.txt.lnk'
- '.doc.js'
- '.docx.js'
- '.xls.js'
- '.xlsx.js'
- '.ppt.js'
- '.pptx.js'
- '.rtf.js'
- '.pdf.js'
- '.txt.js'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Path In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
view Sigma YAML
title: Suspicious Path In Keyboard Layout IME File Registry Value
id: 9d8f9bb8-01af-4e15-a3a2-349071530530
related:
- id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
type: derived
status: test
description: |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_registry:
TargetObject|contains|all:
- '\Control\Keyboard Layouts\'
- 'Ime File'
selection_folders_1:
Details|contains:
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
- '\Temporary Internet'
selection_folders_2:
- Details|contains|all:
- ':\Users\'
- '\Favorites\'
- Details|contains|all:
- ':\Users\'
- '\Favourites\'
- Details|contains|all:
- ':\Users\'
- '\Contacts\'
condition: selection_registry and 1 of selection_folders_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
view Sigma YAML
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_all:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'del '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
view Sigma YAML
title: Suspicious PowerShell Download and Execute Pattern
id: e6c54d94-498c-4562-a37c-b469d8e9a275
related:
- id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
type: derived
status: test
description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
references:
- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2022-02-28
modified: 2022-03-01
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: # make sure that your backend applies the strings case-insensitive
- 'IEX ((New-Object Net.WebClient).DownloadString'
- 'IEX (New-Object Net.WebClient).DownloadString'
- 'IEX((New-Object Net.WebClient).DownloadString'
- 'IEX(New-Object Net.WebClient).DownloadString'
- ' -command (New-Object System.Net.WebClient).DownloadFile('
- ' -c (New-Object System.Net.WebClient).DownloadFile('
condition: selection
falsepositives:
- Software installers that pull packages from remote systems and execute them
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Execution using IEX alias
view Sigma YAML
title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: test
description: Detects suspicious ways to run Invoke-Execution using IEX alias
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-24
modified: 2022-11-28
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_combined_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' | iex;'
- ' | iex '
- ' | iex}'
- ' | IEX ;'
- ' | IEX -Error'
- ' | IEX (new'
- ');IEX '
selection_combined_2:
CommandLine|contains:
- '::FromBase64String'
- '.GetString([System.Convert]::'
selection_standalone:
CommandLine|contains:
- ')|iex;$'
- ');iex($'
- ');iex $'
- ' | IEX | '
- ' | iex\"'
condition: all of selection_combined_* or selection_standalone
falsepositives:
- Legitimate scripts that use IEX
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
view Sigma YAML
title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
- ' -executionpolic '
- ' -executionpoli '
- ' -executionpol '
- ' -executionpo '
- ' -executionp '
- ' -execution bypass'
- ' -executio bypass'
- ' -executi bypass'
- ' -execut bypass'
- ' -execu bypass'
- ' -exec bypass'
- ' -exe bypass'
- ' -ex bypass'
- ' -ep bypass'
- ' /windowstyle h '
- ' /windowstyl h'
- ' /windowsty h'
- ' /windowst h'
- ' /windows h'
- ' /windo h'
- ' /wind h'
- ' /win h'
- ' /wi h'
- ' /win h '
- ' /win hi '
- ' /win hid '
- ' /win hidd '
- ' /win hidde '
- ' /NoPr '
- ' /NoPro '
- ' /NoProf '
- ' /NoProfi '
- ' /NoProfil '
- ' /nonin '
- ' /nonint '
- ' /noninte '
- ' /noninter '
- ' /nonintera '
- ' /noninterac '
- ' /noninteract '
- ' /noninteracti '
- ' /noninteractiv '
- ' /ec '
- ' /encodedComman '
- ' /encodedComma '
- ' /encodedComm '
- ' /encodedCom '
- ' /encodedCo '
- ' /encodedC '
- ' /encoded '
- ' /encode '
- ' /encod '
- ' /enco '
- ' /en '
- ' /executionpolic '
- ' /executionpoli '
- ' /executionpol '
- ' /executionpo '
- ' /executionp '
- ' /execution bypass'
- ' /executio bypass'
- ' /executi bypass'
- ' /execut bypass'
- ' /execu bypass'
- ' /exec bypass'
- ' /exe bypass'
- ' /ex bypass'
- ' /ep bypass'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
view Sigma YAML
title: Suspicious Printer Driver Empty Manufacturer
id: e0813366-0407-449a-9869-a2db1119dc41
status: test
description: Detects a suspicious printer driver installation with an empty Manufacturer value
references:
- https://twitter.com/SBousseaden/status/1410545674773467140
author: Florian Roth (Nextron Systems)
date: 2020-07-01
modified: 2023-08-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574
- cve.2021-1675
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Control\Print\Environments\Windows x64\Drivers'
- '\Manufacturer'
Details: '(Empty)'
filter_cutepdf:
TargetObject|contains: '\CutePDF Writer v4.0\'
filter_vnc:
TargetObject|contains:
- '\VNC Printer (PS)\'
- '\VNC Printer (UD)\'
filter_pdf24:
TargetObject|contains: '\Version-3\PDF24\'
condition: selection and not 1 of filter_*
falsepositives:
- Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
view Sigma YAML
title: Suspicious PrinterPorts Creation (CVE-2020-1048)
id: cc08d590-8b90-413a-aff6-31d1a99678d7
status: test
description: Detects new commands that add new printer port which point to suspicious file
references:
- https://windows-internals.com/printdemon-cve-2020-1048/
author: EagleEye Team, Florian Roth
date: 2020-05-13
modified: 2021-11-27
tags:
- attack.persistence
- attack.execution
- attack.t1059.001
- cve.2020-1048
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'Add-PrinterPort -Name'
selection2:
CommandLine|contains:
- '.exe'
- '.dll'
- '.bat'
selection3:
CommandLine|contains: 'Generic / Text Only'
condition: (selection1 and selection2) or selection3
falsepositives:
- New printer port install on host
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
view Sigma YAML
title: Suspicious Process By Web Server Process
id: 8202070f-edeb-4d31-a010-a26c72ac5600
status: test
description: |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
references:
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2024-11-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1505.003
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\php.exe'
- '\tomcat.exe'
- '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
- '\w3wp.exe'
- '\ws_TomcatService.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.home'
- 'catalina.jar'
selection_anomaly_children:
Image|endswith:
- '\arp.exe'
- '\at.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\dsget.exe'
- '\hostname.exe'
- '\nbtstat.exe'
- '\net.exe'
- '\net1.exe'
- '\netdom.exe'
- '\netsh.exe'
- '\nltest.exe'
- '\ntdsutil.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\qprocess.exe'
- '\query.exe'
- '\qwinsta.exe'
- '\reg.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wusa.exe'
filter_main_fp_1:
ParentImage|endswith: '\java.exe'
CommandLine|endswith: 'Windows\system32\cmd.exe /c C:\ManageEngine\ADManager "Plus\ES\bin\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt'
filter_main_fp_2:
ParentImage|endswith: '\java.exe'
CommandLine|contains|all:
- 'sc query'
- 'ADManager Plus'
condition: 1 of selection_webserver_* and selection_anomaly_children and not 1 of filter_main_*
falsepositives:
- Particular web applications may spawn a shell process legitimately
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
view Sigma YAML
title: Suspicious Process Created Via Wmic.EXE
id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8
related:
- id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-12
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'process '
- 'call '
- 'create '
CommandLine|contains:
# Add more susupicious paths and binaries as you see fit in your env
- 'rundll32'
- 'bitsadmin'
- 'regsvr32'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
- 'cmd /c '
- 'cmd /k '
- 'cmd /r '
- 'powershell'
- 'pwsh'
- 'certutil'
- 'cscript'
- 'wscript'
- 'mshta'
- '\Users\Public\'
- '\Windows\Temp\'
- '\AppData\Local\'
- '%temp%'
- '%tmp%'
- '%ProgramData%'
- '%appdata%'
- '%comspec%'
- '%localappdata%'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
view Sigma YAML
title: Suspicious Process Execution From Fake Recycle.Bin Folder
id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
related:
- id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
type: derived
status: test
description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
- attack.persistence
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
view Sigma YAML
title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
- https://github.com/zcgonvh/NTDSDumpEx
- https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: process_creation
detection:
selection_tool:
# https://github.com/zcgonvh/NTDSDumpEx
- Image|endswith:
- '\NTDSDump.exe'
- '\NTDSDumpEx.exe'
- CommandLine|contains|all:
# ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
- 'ntds.dit'
- 'system.hiv'
- CommandLine|contains: 'NTDSgrab.ps1'
selection_oneliner_1:
# powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CommandLine|contains|all:
- 'ac i ntds'
- 'create full'
selection_onliner_2:
# cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
CommandLine|contains|all:
- '/c copy '
- '\windows\ntds\ntds.dit'
selection_onliner_3:
# ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit"
CommandLine|contains|all:
- 'activate instance ntds'
- 'create full'
selection_powershell:
CommandLine|contains|all:
- 'powershell'
- 'ntds.dit'
set1_selection_ntds_dit:
CommandLine|contains: 'ntds.dit'
set1_selection_image_folder:
- ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
- Image|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: 1 of selection* or all of set1*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
view Sigma YAML
title: Suspicious Process Spawned by CentreStack Portal AppPool
id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
status: experimental
description: |
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
references:
- https://nvd.nist.gov/vuln/detail/CVE-2025-30406
- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
author: Jason Rathbun (Blackpoint Cyber)
date: 2025-04-17
tags:
- attack.persistence
- attack.execution
- attack.t1059.003
- attack.t1505.003
- cve.2025-30406
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: '\portal\portal.config'
Image|endswith: '\cmd.exe'
condition: selection
falsepositives:
- Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
view Sigma YAML
title: Suspicious Processes Spawned by Java.EXE
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
- id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
type: similar
status: test
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021-12-17
modified: 2024-01-18
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\query.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
condition: selection
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
view Sigma YAML
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
- Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wsmprovhost.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
condition: selection
falsepositives:
- Legitimate WinRM usage
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
view Sigma YAML
title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: test
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-03-22
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|contains:
- '\CVE-202' # Update this when we reach the year 2100
- '\CVE202' # Update this when we reach the year 2100
- Image|endswith:
- '\poc.exe'
- '\artifact.exe'
- '\artifact64.exe'
- '\artifact_protected.exe'
- '\artifact32.exe'
- '\artifact32big.exe'
- 'obfuscated.exe'
- 'obfusc.exe'
- '\meterpreter'
selection_commandline:
CommandLine|contains:
- 'inject.ps1'
- 'Invoke-CVE'
- 'pupy.ps1'
- 'payload.ps1'
- 'beacon.ps1'
- 'PowerView.ps1'
- 'bypass.ps1'
- 'obfuscated.ps1'
- 'obfusc.ps1'
- 'obfus.ps1'
- 'obfs.ps1'
- 'evil.ps1'
- 'MiniDogz.ps1'
- '_enc.ps1'
- '\shell.ps1'
- '\rshell.ps1'
- 'revshell.ps1'
- '\av.ps1'
- '\av_test.ps1'
- 'adrecon.ps1'
- 'mimikatz.ps1'
- '\PowerUp_'
- 'powerup.ps1'
- '\Temp\a.ps1'
- '\Temp\p.ps1'
- '\Temp\1.ps1'
- 'Hound.ps1'
- 'encode.ps1'
- 'powercat.ps1'
condition: 1 of selection*
falsepositives:
- Legitimate tools that accidentally match on the searched patterns
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
view Sigma YAML
title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\provlaunch.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
view Sigma YAML
title: Suspicious RDP Redirect Using TSCON
id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
status: test
description: Detects a suspicious RDP session redirect using tscon.exe
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2023-05-16
tags:
- attack.lateral-movement
- attack.t1563.002
- attack.t1021.001
- car.2013-07-002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /dest:rdp-tcp#'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
view Sigma YAML
title: Suspicious RazerInstaller Explorer Subprocess
id: a4eaf250-7dc1-4842-862a-5e71cd59a167
status: test
description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
references:
- https://twitter.com/j0nh4t/status/1429049506021138437
- https://streamable.com/q2dsji
author: Florian Roth (Nextron Systems), Maxime Thiebaut
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1553
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\RazerInstaller.exe'
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
filter_main_razer:
Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
condition: selection and not 1 of filter_main_*
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
view Sigma YAML
title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 07aa184a-870d-413d-893a-157f317f6f58
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'gatherNetworkInfo.vbs'
filter:
Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
view Sigma YAML
title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
CommandLine|contains: '>'
selection_share:
CommandLine|contains:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
view Sigma YAML
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- '\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
CommandLine|contains:
- 'EnableBDEWithNoTPM'
- 'UseAdvancedStartup'
- 'UseTPM'
- 'UseTPMKey'
- 'UseTPMKeyPIN'
- 'RecoveryKeyMessageSource'
- 'UseTPMPIN'
- 'RecoveryKeyMessage'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
view Sigma YAML
title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
- id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\outlook.exe'
Image|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Run Key from Download
Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
view Sigma YAML
title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection:
Image|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- '\Downloads\'
- '\Temporary Internet Files\Content.Outlook\'
- '\Local Settings\Temporary Internet Files\'
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
falsepositives:
- Software installers downloaded and used by users
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
view Sigma YAML
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
status: test
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'rundll32.exe'
selection2:
CommandLine|contains:
- '.sys,'
- '.sys '
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
view Sigma YAML
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- 'Execute'
- 'RegRead'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
view Sigma YAML
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
- Internal Research
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1134
- attack.t1003
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_special:
- Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mshta.exe'
- '\ping.exe'
- '\wscript.exe'
- CommandLine|re: 'net\s+user\s+'
- CommandLine|contains:
# - 'sc stop ' # stops a system service # causes FPs
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- ' /urlcache ' # Used with certutil
- ' -urlcache ' # Used with certutil
- ' -e* JAB' # PowerShell encoded commands
- ' -e* SUVYI' # PowerShell encoded commands
- ' -e* SQBFAFgA' # PowerShell encoded commands
- ' -e* aWV4I' # PowerShell encoded commands
- ' -e* IAB' # PowerShell encoded commands
- ' -e* PAA' # PowerShell encoded commands
- ' -e* aQBlAHgA' # PowerShell encoded commands
- 'vssadmin delete shadows' # Ransomware
- 'reg SAVE HKLM' # save registry SAM - syskey extraction
- ' -ma ' # ProcDump
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- 'dpapi::' # Mimikatz
- 'event::clear' # Mimikatz
- 'event::drop' # Mimikatz
- 'id::modify' # Mimikatz
- 'kerberos::' # Mimikatz
- 'lsadump::' # Mimikatz
- 'misc::' # Mimikatz
- 'privilege::' # Mimikatz
- 'rpc::' # Mimikatz
- 'sekurlsa::' # Mimikatz
- 'sid::' # Mimikatz
- 'token::' # Mimikatz
- 'vault::cred' # Mimikatz
- 'vault::list' # Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump
filter_main_ping:
CommandLine|contains|all:
- 'ping'
- '127.0.0.1'
- ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
filter_config_mgr:
ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_java:
ParentImage|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
ParentImage|endswith: '\bin\javaws.exe'
Image|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
Image|endswith: '\bin\jp2launcher.exe'
CommandLine|contains: ' -ma '
condition: all of selection* and not 1 of filter_*
falsepositives:
- Administrative activity
- Scripts and administrative tools used in the monitored environment
- Monitoring activity
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
view Sigma YAML
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021-03-11
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /create '
- ' /sc once '
- '\Temp\'
condition: selection
falsepositives:
- Administrative activity
- Software installation
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
view Sigma YAML
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\System32\Tasks'
Image|contains:
- '\AppData\'
- 'C:\PerfLogs'
- '\Windows\System32\config\systemprofile'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
view Sigma YAML
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter:
# FP from test set in SIGMA
ParentImage|contains|all:
- '\AppData\Local\Temp\'
- 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/TN TVInstallRestore'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
view Sigma YAML
title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
- attack.credential-access
- attack.t1555
- cve.2021-35211
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
condition: selection
falsepositives:
- Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
view Sigma YAML
title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\Users\Public\'
- '\$Recycle.bin'
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\Contacts\'
- '\Users\Searches\'
- 'C:\Perflogs\'
- '\config\systemprofile\'
- '\Windows\Fonts\'
- '\Windows\IME\'
- '\Windows\addins\'
ParentImage|endswith:
- '\services.exe'
- '\svchost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
view Sigma YAML
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
status: test
description: Detects service path modification via the "sc" binary to a suspicious command or path
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2022-11-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'config'
- 'binPath'
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'cmd '
- 'mshta'
- 'wscript'
- 'cscript'
- 'rundll32'
- 'svchost'
- 'dllhost'
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
view Sigma YAML
title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
- id: d87bd452-6da1-456e-8155-7dc988157b7d
type: derived
status: test
description: |
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
references:
- https://redcanary.com/blog/raspberry-robin/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/SigmaHQ/sigma/issues/1009
- https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_parent_img:
ParentCommandLine|contains: 'SHELL32.DLL'
selection_parent_ordinal:
ParentCommandLine|contains:
# Note: The ordinal number may differ depending on the DLL version
# Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
- '#568'
- '#570'
- '#572'
- '#576'
selection_susp_cli_parent:
# Note: Add additional binaries and suspicious paths to increase coverage
- ParentCommandLine|contains:
- 'comspec'
- 'iex'
- 'Invoke-'
- 'msiexec'
- 'odbcconf'
- 'regsvr32'
- ParentCommandLine|contains:
- '\Desktop\'
- '\ProgramData\'
- '\Temp\'
- '\Users\Public\'
selection_susp_child_img:
Image|endswith:
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
view Sigma YAML
title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
references:
- https://redcanary.com/blog/intelligence-insights-december-2021
- https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\keytool.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\scrcons.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
- '\systeminfo.exe'
- '\reg.exe'
- '\query.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
view Sigma YAML
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
TargetObject|endswith:
# Note: add other application to increase coverage
- '\csrss.exe'
- '\dllhost.exe'
- '\explorer.exe'
- '\RuntimeBroker.exe'
- '\services.exe'
- '\sihost.exe'
- '\svchost.exe'
- '\taskhostw.exe'
- '\winlogon.exe'
- '\WmiPrvSe.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
view Sigma YAML
title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
related:
- id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
type: similar
status: experimental
description: |
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://github.com/JohnHammond/recaptcha-phish
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
Details|contains: '#'
selection_space_variation:
Details|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
view Sigma YAML
title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
related:
- id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
type: similar
status: experimental
description: |
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
Details|contains: '#'
selection_space_variation:
Details|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
view Sigma YAML
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
- https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
category: process_creation
product: windows
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.003
- attack.t1218
detection:
selection:
ParentImage|endswith: '\SpeechRuntime.exe'
condition: selection
falsepositives:
- Unlikely.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
view Sigma YAML
title: Suspicious Splwow64 Without Params
id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
status: test
description: Detects suspicious Splwow64.exe process without any command line parameters
references:
- https://twitter.com/sbousseaden/status/1429401053229891590?s=12
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\splwow64.exe'
CommandLine|endswith: 'splwow64.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
view Sigma YAML
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
- id: 2aa0a6b4-a865-495b-ab51-c28249537b75
type: similar
status: test
description: |
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
- https://github.com/last-byte/PersistenceSniper
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1204.002
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith:
# Add or remove suspicious extensions according to your env needs
- '.bat'
- '.cmd'
- '.dll'
- '.hta'
- '.jar'
- '.js'
- '.jse'
- '.msi'
- '.ps1'
- '.psd1'
- '.psm1'
- '.scr'
- '.url'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Rare legitimate usage of some of the extensions mentioned in the rule
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
view Sigma YAML
title: Suspicious TSCON Start as SYSTEM
id: 9847f263-4a81-424f-970c-875dab15b79b
status: test
description: Detects a tscon.exe start as LOCAL SYSTEM
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2022-05-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious UltraVNC Execution
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
view Sigma YAML
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
- https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
- https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
- attack.lateral-movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 601-650 of 763