Tool
EDR / XDR
Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 763
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
view Sigma YAML
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
view Sigma YAML
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
references:
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wsreset.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
view Sigma YAML
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1548.002
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\dism.exe'
ImageLoaded|endswith: '\dismcore.dll'
filter:
ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
condition: selection and not filter
falsepositives:
- Actions of a legitimate telnet client
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
view Sigma YAML
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\mscfile\shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
view Sigma YAML
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: test
description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
author: Omer Yampel, Christian Burkard (Nextron Systems)
date: 2017-03-17
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: registry_set
product: windows
detection:
selection1:
TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|re: '-1[0-9]{3}\\Software\\Classes\\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
view Sigma YAML
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
view Sigma YAML
title: UEFI Persistence Via Wpbbin - ProcessCreation
id: 4abc0ec4-db5a-412f-9632-26659cddf145
status: test
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
view Sigma YAML
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
date: 2021-01-22
modified: 2024-09-12
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
# - sunburst
# - unc2452
logsource:
category: process_creation
product: windows
detection:
# To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
selection_generic_1:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.txt'
selection_generic_2:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.log'
selection_generic_3:
ParentCommandLine|contains|all:
- 'wscript.exe'
- '.vbs'
CommandLine|contains|all:
- 'rundll32.exe'
- 'C:\Windows'
- '.dll,Tk_'
selection_generic_4:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- 'C:\Windows'
- '.dll'
CommandLine|contains: 'cmd.exe /C '
selection_generic_5:
ParentImage|endswith: '\rundll32.exe'
Image|endswith: '\dllhost.exe'
CommandLine: ''
condition: 1 of selection_generic_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
modified: 2025-08-19
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith:
- '/11111.tar'
- '/aacore.sh'
- '/appcheck.sh'
- '/autoins'
- '/BarracudaMailService'
- '/etc/cron.daily/core_check.sh'
- '/etc/cron.daily/core.sh'
- '/etc/cron.hourly/aacore.sh'
- '/etc/cron.hourly/appcheck.sh'
- '/etc/cron.hourly/core.sh'
- '/get_fs_info.pl'
- '/imgdata.jpg'
- '/install_att_v2.tar'
- '/install_bvp74_auth.tar'
- '/install_helo.tar'
- '/install_reuse.tar'
- '/intent_helo'
- '/intent_reuse'
- '/intentbas'
# - '/mknod'
- '/mod_attachment.lua'
- '/mod_content.lua'
- '/mod_require_helo.lua'
- '/mod_rtf'
- '/mod_sender.lua'
- '/mod_udp.so'
- '/nfsd_stub.ko'
- '/resize_reisertab'
- '/resize_risertab'
- '/resize2fstab'
- '/rverify'
- '/saslautchd'
- '/sendscd'
- '/snapshot.tar'
- '/tmp/p'
- '/tmp/p7'
- '/tmp/t'
- '/update_v2.sh'
- '/update_v31.sh'
- '/update_v35.sh'
- '/update_version'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
status: test
description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|contains: 'https://temp.sh/'
CommandLine|endswith:
- '.rar'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
id: 23835beb-ec38-4e74-a5d4-b99af6684e91
status: test
description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains: '--no-check-certificate'
CommandLine|endswith: '.tar'
filter_main_local_ips:
# Note: Uncomment this filter if you want to exclude local IPs
CommandLine|contains:
- 'https://10.' # 10.0.0.0/8
- 'https://192.168.' # 192.168.0.0/16
- 'https://172.16.' # 172.16.0.0/12
- 'https://172.17.'
- 'https://172.18.'
- 'https://172.19.'
- 'https://172.20.'
- 'https://172.21.'
- 'https://172.22.'
- 'https://172.23.'
- 'https://172.24.'
- 'https://172.25.'
- 'https://172.26.'
- 'https://172.27.'
- 'https://172.28.'
- 'https://172.29.'
- 'https://172.30.'
- 'https://172.31.'
- 'https://127.' # 127.0.0.0/8
- 'https://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
view Sigma YAML
title: UNC4841 - Email Exfiltration File Pattern
id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
status: test
description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
view Sigma YAML
title: UNC4841 - SSL Certificate Exfiltration Via Openssl
id: 60911c07-f989-4362-84af-c609828ef829
status: test
description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/openssl'
CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains|all:
- 's_client'
- '-quiet'
- '-connect'
CommandLine|contains:
- ':443'
- ':8080'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
view Sigma YAML
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|contains: '\choice'
filter_main_legit_location:
Image|endswith:
- 'C:\Windows\System32\choice.exe'
- 'C:\Windows\SysWOW64\choice.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
view Sigma YAML
title: Uncommon Extension In Keyboard Layout IME File Registry Value
id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
related:
- id: 9d8f9bb8-01af-4e15-a3a2-349071530530
type: derived
status: test
description: |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Control\Keyboard Layouts\'
- 'Ime File'
filter_main_known_extension:
Details|endswith: '.ime'
condition: selection and not 1 of filter_main_*
falsepositives:
- IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
view Sigma YAML
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
- attack.resource-development
- attack.t1587.001
logsource:
product: windows
category: file_event
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
filter_exclude_word_ext:
TargetFilename|endswith:
- '.docb' # Word binary document introduced in Microsoft Office 2007
- '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- '.docx' # Word document
- '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- '.mdb' # MS Access DB
- '.mdw' # MS Access DB
- '.pdf' # PDF documents
- '.wll' # Word add-in
- '.wwl' # Word add-in
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
filter_exclude_excel_ext:
TargetFilename|endswith:
- '.xll'
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
- '.xlw'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
- False positive might stem from rare extensions used by other Office utilities.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
view Sigma YAML
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_legit_paths:
TargetFilename|startswith:
- 'C:\Program Files\Notepad++\'
- 'C:\Program Files (x86)\Notepad++\'
filter_main_temp_update_installer:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- 'npp.'
- '.Installer.'
- '.exe'
filter_main_temp_generic_zip:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip'
filter_main_recycle_bin:
TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
filter_main_plugins:
- TargetFilename|contains:
- '\plugins\JsonTools\testfiles\'
- '\Notepad++\plugins\ComparePlugin\'
- TargetFilename|contains|all:
- 'npp.'
- '.portable.'
- '\plugins\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Custom or portable Notepad++ installations in non-standard directories.
- Legitimate update processes creating temporary files in unexpected locations.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
view Sigma YAML
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
- https://asec.ahnlab.com/en/58878/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- \mysqld.exe
- \mysqld-nt.exe
TargetFilename|endswith:
- '.bat'
- '.dat'
- '.dll'
- '.exe'
- '.ps1'
- '.psm1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
view Sigma YAML
title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: |
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2024-05-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\format.com'
CommandLine|contains: '/fs:'
filter_main_known_fs:
CommandLine|contains:
- '/fs:exFAT'
- '/fs:FAT'
- '/fs:NTFS'
- '/fs:ReFS'
- '/fs:UDF'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
view Sigma YAML
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
Convert to SIEM query
high
Moderate
High FP
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
view Sigma YAML
title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021-07-12
modified: 2023-03-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\WindowsSensor.exe'
- ' /uninstall'
- ' /quiet'
condition: selection
falsepositives:
- Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\dns.exe'
filter:
Image|endswith: '\conhost.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
- id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_delete
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
view Sigma YAML
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
- id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: file_change
product: windows
detection:
selection:
Image|endswith: '\dns.exe'
filter:
TargetFilename|endswith: '\dns.log'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Ursnif Redirection Of Discovery Commands
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
view Sigma YAML
title: Ursnif Redirection Of Discovery Commands
id: 7aaa5739-12fc-41aa-b98b-23ec27d42bdf
status: test
description: |
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
references:
- Internal Research
author: '@kostastsale'
date: 2023-07-16
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/C '
- ' >> *\AppData\local\temp\*.bin'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
view Sigma YAML
title: User Added To Highly Privileged Group
id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
related:
- id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e # Remote Desktop groups
type: similar
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
status: test
description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
# net.exe
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
# powershell.exe
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Group Policy Creator Owners'
- 'Schema Admins'
condition: all of selection_*
falsepositives:
- Administrative activity that must be investigated
level: high
Convert to SIEM query
high
Strong
High FP
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
view Sigma YAML
title: User Added to Remote Desktop Users Group
id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e
related:
- id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 # Admin groups
type: similar
- id: 10fb649c-3600-4d37-b1e6-56ea90bb7e09 # Privileged groups
type: similar
status: test
description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
references:
- https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
author: Florian Roth (Nextron Systems)
date: 2021-12-06
modified: 2022-09-09
tags:
- attack.initial-access
- attack.persistence
- attack.lateral-movement
- attack.t1133
- attack.t1136.001
- attack.t1021.001
logsource:
category: process_creation
product: windows
detection:
selection_main:
- CommandLine|contains|all:
- 'localgroup '
- ' /add'
- CommandLine|contains|all:
- 'Add-LocalGroupMember '
- ' -Group '
selection_group:
CommandLine|contains:
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Moderate
High FP
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run hijacked binary
view Sigma YAML
title: Using SettingSyncHost.exe as LOLBin
id: b2ddd389-f676-4ac4-845a-e00781a48e5f
status: test
description: Detects using SettingSyncHost.exe to run hijacked binary
references:
- https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
author: Anton Kutepov, oscd.community
date: 2020-02-05
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.008
logsource:
category: process_creation
product: windows
detection:
system_utility:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
parent_is_settingsynchost:
ParentCommandLine|contains|all:
- 'cmd.exe /c'
- 'RoamDiag.cmd'
- '-outputpath'
condition: not system_utility and parent_is_settingsynchost
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
view Sigma YAML
title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|endswith:
- '\VBE7.DLL'
- '\VBEUI.DLL'
- '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
Convert to SIEM query
high
Strong
Medium FP
VBScript Payload Stored in Registry
Detects VBScript content stored into registry keys as seen being used by UNC2452 group
view Sigma YAML
title: VBScript Payload Stored in Registry
id: 46490193-1b22-4c29-bdd6-5bf63907216f
status: test
description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
Details|contains:
- 'vbscript:'
- 'jscript:'
- 'mshtml,'
- 'RunHTMLApplication'
- 'Execute('
- 'CreateObject'
- 'window.close'
filter:
TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
filter_dotnet:
Image|endswith: '\msiexec.exe'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\'
Details|contains:
- '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
- '<\Microsoft.mshtml,fileVersion='
- '_mshtml_dll_'
- '<\Microsoft.mshtml,culture='
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
view Sigma YAML
title: VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: test
description: Detects dump of credentials in VeeamBackup dbo
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
author: frack113
date: 2021-12-20
modified: 2023-02-13
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Vim GTFOBin Abuse - Linux
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/vi/
- https://gtfobins.github.io/gtfobins/vim/
- https://gtfobins.github.io/gtfobins/rvim/
- https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems), Luc Génaux
date: 2022-12-28
modified: 2026-06-05
tags:
- attack.execution
- attack.discovery
- attack.t1059
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rvim'
- '/vi'
- '/vim'
- '/vimdiff'
CommandLine|contains:
- ' --cmd '
- ' -c'
selection_cli:
CommandLine|contains:
- ':!/'
- ':!$'
- ':!..'
- ':lua '
- ':py '
- ':shell'
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/csh'
- '/bin/ksh'
- '/bin/zsh'
- '/bin/tmux'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Visual Basic Command Line Compiler Usage
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
view Sigma YAML
title: Visual Basic Command Line Compiler Usage
id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
status: test
description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Vbc/
author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1027.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\vbc.exe'
Image|endswith: '\cvtres.exe'
condition: selection
falsepositives:
- Utilization of this tool should not be seen in enterprise environment
level: high
Convert to SIEM query
high
Strong
High FP
VolumeShadowCopy Symlink Creation Via Mklink
Shadow Copies storage symbolic link creation using operating systems utilities
view Sigma YAML
title: VolumeShadowCopy Symlink Creation Via Mklink
id: 40b19fa6-d835-400c-b301-41f3a2baacaf
status: stable
description: Shadow Copies storage symbolic link creation using operating systems utilities
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-03-06
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'mklink'
- 'HarddiskVolumeShadowCopy'
condition: selection
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
level: high
Convert to SIEM query
high
Moderate
High FP
WINEKEY Registry Modification
Detects potential malicious modification of run keys by winekey or team9 backdoor
view Sigma YAML
title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
status: test
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
WMI Persistence - Command Line Event Consumer
Detects WMI command line event consumers
view Sigma YAML
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1546.003
- attack.persistence
logsource:
category: image_load
product: windows
detection:
selection:
Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
ImageLoaded|endswith: '\wbemcons.dll'
condition: selection
falsepositives:
- Unknown (data set is too small; further testing needed)
level: high
Convert to SIEM query
high
Moderate
Medium FP
WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
view Sigma YAML
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
references:
- https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1546.003
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
condition: selection
falsepositives:
- Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
Convert to SIEM query
high
Strong
Medium FP
WSL Kali-Linux Usage
Detects the use of Kali Linux through Windows Subsystem for Linux
view Sigma YAML
title: WSL Kali-Linux Usage
id: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4
status: experimental
description: Detects the use of Kali Linux through Windows Subsystem for Linux
references:
- https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
- https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img_appdata:
- Image|contains|all:
- ':\Users\'
- '\AppData\Local\packages\KaliLinux'
- Image|contains|all:
- ':\Users\'
- '\AppData\Local\Microsoft\WindowsApps\kali.exe'
selection_img_windowsapps:
Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
Image|endswith: '\kali.exe'
selection_kali_wsl_parent:
ParentImage|endswith:
- '\wsl.exe'
- '\wslhost.exe'
selection_kali_wsl_child:
- Image|contains:
- '\kali.exe'
- '\KaliLinux'
- CommandLine|contains:
- 'Kali.exe'
- 'Kali-linux'
- 'kalilinux'
filter_main_install_uninstall:
CommandLine|contains:
- ' -i '
- ' --install '
- ' --unregister '
condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
falsepositives:
- Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high
Convert to SIEM query
high
Moderate
High FP
WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
view Sigma YAML
title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
- id: cea72823-df4d-4567-950c-0b579eaf0846
type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
references:
- WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2026-02-17
tags:
- attack.execution
- attack.t1059.005
- attack.t1059.007
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
TargetFilename|contains:
- ':\Perflogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
- '\AppData\Roaming\Temp'
- '\Start Menu\Programs\Startup\'
- '\Temporary Internet'
TargetFilename|endswith:
- '.js'
- '.jse'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
view Sigma YAML
title: Wab Execution From Non Default Location
id: 395907ee-96e5-4666-af2e-2ca91688e151
status: test
description: Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\wab.exe'
- '\wabmig.exe'
filter:
Image|startswith:
- 'C:\Windows\WinSxS\'
- 'C:\Program Files\Windows Mail\'
- 'C:\Program Files (x86)\Windows Mail\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Wab/Wabmig Unusual Parent Or Child Processes
Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
view Sigma YAML
title: Wab/Wabmig Unusual Parent Or Child Processes
id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
status: test
description: Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
- https://thedfirreport.com/2022/09/26/bumblebee-round-two/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2022-09-27
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more if known
- \WmiPrvSE.exe
- \svchost.exe
- \dllhost.exe
Image|endswith:
- '\wab.exe'
- '\wabmig.exe' # (Microsoft Address Book Import Tool)
selection_child:
# You can add specific suspicious child processes (such as cmd, powershell...) to increase the accuracy
ParentImage|endswith:
- '\wab.exe'
- '\wabmig.exe' # (Microsoft Address Book Import Tool)
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Wdigest CredGuard Registry Modification
Detects potential malicious modification of the property value of IsCredGuardEnabled from
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
This is usually used with UseLogonCredential to manipulate the caching credentials.
view Sigma YAML
title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
status: test
description: |
Detects potential malicious modification of the property value of IsCredGuardEnabled from
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system.
This is usually used with UseLogonCredential to manipulate the caching credentials.
references:
- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-08-25
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\IsCredGuardEnabled'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wdigest Enable UseLogonCredential
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
view Sigma YAML
title: Wdigest Enable UseLogonCredential
id: d6a9b252-c666-4de6-8806-5561bbbd3bdc
status: test
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
references:
- https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html
- https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649
- https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-09-12
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'WDigest\UseLogonCredential'
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Webshell Hacking Activity Patterns
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
view Sigma YAML
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Webshell Tool Reconnaissance Activity
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
view Sigma YAML
title: Webshell Tool Reconnaissance Activity
id: f64e5c19-879c-4bae-b471-6d84c8339677
status: test
description: |
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
references:
- https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
author: Cian Heasley, Florian Roth (Nextron Systems)
date: 2020-07-22
modified: 2023-11-09
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: process_creation
product: windows
detection:
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'CATALINA_HOME'
- 'catalina.jar'
selection_recon:
CommandLine|contains:
- 'perl --help'
- 'perl -h'
- 'python --help'
- 'python -h'
- 'python3 --help'
- 'python3 -h'
- 'wget --help'
condition: 1 of selection_webserver_* and selection_recon
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
view Sigma YAML
title: WerFault LSASS Process Memory Dump
id: c3e76af5-4ce0-4a14-9c9a-25ceb8fda182
status: test
description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
references:
- https://github.com/helpsystems/nanodump
author: Florian Roth (Nextron Systems)
date: 2022-06-27
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
Image: C:\WINDOWS\system32\WerFault.exe
TargetFilename|contains:
- '\lsass'
- 'lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
view Sigma YAML
title: WhoAmI as Parameter
id: e9142d84-fbe0-401d-ac50-3e519fb00c89
status: test
description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
references:
- https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
author: Florian Roth (Nextron Systems)
date: 2021-11-29
modified: 2022-12-25
tags:
- attack.discovery
- attack.t1033
- car.2016-03-001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '.exe whoami'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
WinRAR Creating Files in Startup Locations
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
view Sigma YAML
title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
- https://github.com/mulwareX/CVE-2025-6218-POC
- https://x.com/0x534c/status/1944694507787710685
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\WinRAR.exe'
- '\Rar.exe'
TargetFilename|contains: '\Start Menu\Programs\Startup\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 701-750 of 763