Tool
EDR / XDR
Palo Alto Cortex XDR
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
13 shown of 763
high
Moderate
Medium FP
Windows Binaries Write Suspicious Extensions
Detects Windows executables that write files with suspicious extensions
view Sigma YAML
title: Windows Binaries Write Suspicious Extensions
id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
related:
- id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
type: derived
status: test
description: Detects Windows executables that write files with suspicious extensions
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: file_event
product: windows
detection:
selection_generic:
Image|endswith:
- '\csrss.exe'
- '\lsass.exe'
- '\RuntimeBroker.exe'
- '\sihost.exe'
- '\smss.exe'
- '\wininit.exe'
- '\winlogon.exe'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.ps1'
- '.txt'
- '.vbe'
- '.vbs'
selection_special:
Image|endswith:
- '\dllhost.exe'
- '\rundll32.exe'
- '\svchost.exe'
TargetFilename|endswith:
- '.bat'
- '.hta'
- '.iso'
- '.ps1'
- '.vbe'
- '.vbs'
filter_main_AppLockerPolicyTest:
Image: 'C:\Windows\System32\dllhost.exe'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\__PSScriptPolicyTest_'
TargetFilename|endswith: '.ps1'
filter_main_script_gpo_machine:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Windows\System32\GroupPolicy\DataStore\'
- '\sysvol\'
- '\Policies\'
- '\Machine\Scripts\Startup\'
TargetFilename|endswith:
- '.ps1'
- '.bat'
filter_main_clipchamp:
Image: 'C:\Windows\system32\svchost.exe'
TargetFilename|contains|all:
- 'C:\Program Files\WindowsApps\Clipchamp'
- '.ps1'
filter_main_powershell_preview:
Image:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|startswith:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview'
TargetFilename|endswith: '.ps1'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Windows Credential Guard Disabled - Registry
Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
view Sigma YAML
title: Windows Credential Guard Disabled - Registry
id: 73921b9c-cafd-4446-b0c6-fdb0ace42bc0
related:
- id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
type: similar
status: experimental
description: |
Detects attempts to disable Windows Credential Guard by setting registry values to 0. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
- https://woshub.com/disable-credential-guard-windows/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\DeviceGuard\EnableVirtualizationBasedSecurity'
- '\DeviceGuard\LsaCfgFlags'
- '\Lsa\LsaCfgFlags'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_credential_guard_disabled/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Windows Credential Guard Related Registry Value Deleted - Registry
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
view Sigma YAML
title: Windows Credential Guard Related Registry Value Deleted - Registry
id: d645ef86-2396-48a1-a2b6-b629ca3f57ff
related:
- id: c17d47b7-dcd6-4109-87eb-d1817bd4cbc9
type: similar
status: experimental
description: |
Detects attempts to disable Windows Credential Guard by deleting registry values. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation.
references:
- https://github.com/DambergC/SaveFolder/blob/90e945eba80fae85f2d54b4616e05a44ec90c500/Cygate%20Installation%20tool%206.22/Script/OSD/OSDeployment-CredentialGuardDisable.ps1#L50
- https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_delete
product: windows
detection:
selection:
TargetObject|endswith:
- '\DeviceGuard\EnableVirtualizationBasedSecurity'
- '\DeviceGuard\LsaCfgFlags'
- '\DeviceGuard\RequirePlatformSecurityFeatures'
- '\Lsa\LsaCfgFlags'
condition: selection
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_disable_credential_guard/info.yml
Convert to SIEM query
high
Strong
Medium FP
Windows Defender Service Disabled - Registry
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
view Sigma YAML
title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: test
description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
author: Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali
date: 2022-08-01
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Services\WinDefend\Start'
Details: 'DWORD (0x00000004)'
condition: selection
falsepositives:
- Administrator actions
level: high
Convert to SIEM query
high
Moderate
Medium FP
Windows Defender Threat Severity Default Action Modified
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
view Sigma YAML
title: Windows Defender Threat Severity Default Action Modified
id: 5a9e1b2c-8f7d-4a1e-9b3c-0f6d7e5a4b1f
related:
- id: 1e8a9b4d-3c2a-4f9b-8d1e-7c6a5b4f3d2e
type: similar
status: experimental
description: |
Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'.
This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level,
allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads.
references:
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-threatseveritydefaultaction
- https://research.splunk.com/endpoint/7215831c-8252-4ae3-8d43-db588e82f952
- https://gist.github.com/Dump-GUY/8daef859f382b895ac6fd0cf094555d2
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: 'Matt Anderson (Huntress)'
date: 2025-07-11
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction\'
TargetObject|endswith:
- '\1' # Low severity
- '\2' # Moderate severity
- '\4' # High severity
- '\5' # Severe severity
Details:
- 'DWORD (0x00000006)' # Allow
- 'DWORD (0x00000009)' # NoAction
condition: selection
falsepositives:
- Legitimate administration via scripts or tools (e.g., SCCM, Intune, GPO enforcement). Correlate with administrative activity.
- Software installations that legitimately modify Defender settings (less common for these specific keys).
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
view Sigma YAML
title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
- id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
type: similar
status: test
description: |
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
- '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
- '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable Hypervisor-Enforced Code Integrity (HVCI)
technique: T1562.001
atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Convert to SIEM query
high
Moderate
Medium FP
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
view Sigma YAML
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection_1:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\powershell.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
TargetFilename|startswith:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
selection_2:
Image|endswith:
- '\certutil.exe'
- '\forfiles.exe'
- '\mshta.exe'
# - '\rundll32.exe' # Potential FP
- '\schtasks.exe'
- '\scriptrunner.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
TargetFilename|contains:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
view Sigma YAML
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
view Sigma YAML
title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
- id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
type: similar
status: experimental
description: |
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
- https://github.com/msanft/CVE-2025-55182
- https://nodejs.org/api/child_process.html#class-childprocess
- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
- attack.execution
- attack.t1059
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-55182
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\node.exe'
ParentCommandLine|contains:
- '--experimental-https'
- '--experimental-next-config-strip-types'
- '\node_modules\next'
- 'next dev'
- 'next start'
- 'next" start'
- 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
- 'react-scripts start'
- 'start-server.js'
selection_generic_child_img:
# Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes
- Image|endswith:
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
- '\nslookup.exe'
- '\OpenConsole.exe'
- '\perl.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\py.exe'
- '\python.exe'
- '\pythonw.exe'
- '\pyw.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\wget.exe'
- '\whoami.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wt.exe'
- Image|contains: '\python'
selection_generic_child_cli_susp_pattern:
# Observed when child_process.execSync() is used to spawn suspicious processes
# Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
# In default, the cli will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
CommandLine|contains:
- '\net'
- 'bitsadmin'
- 'certutil '
- 'conhost --headless'
- 'cscript '
- 'curl'
- 'ipconfig'
- 'java'
- 'lua'
- 'mshta'
- 'netsh'
- 'nslookup '
- 'perl'
- 'ping '
- 'powershell'
- 'pwsh'
- 'python'
- 'reg '
- 'reg.exe'
- 'regsvr32'
- 'ruby'
- 'rundll32'
- 'sc.exe'
- 'systeminfo'
- 'wget'
- 'whoami'
- 'wmic'
- 'wscript'
selection_specific_cmd:
Image|endswith: '\cmd.exe'
selection_specific_cli:
CommandLine|contains: '/d /s /c '
filter_main_default_shell_flag:
CommandLine|contains: '/d /s /c '
filter_main_cli_git:
CommandLine|contains: 'git config --local --get remote.origin.url'
filter_main_cli_netstat:
CommandLine|contains|all:
- 'netstat -ano | findstr /C:'
- ' | findstr LISTENING'
filter_main_cli_mkcert_install:
CommandLine|contains|all:
- '\mkcert\'
- ' -install '
filter_main_cli_mkcert_caroot:
CommandLine|contains|all:
- '\mkcert\'
- ' -CAROOT'
condition:
selection_parent and
(
1 of selection_generic_*
or
(selection_specific_cmd and not filter_main_default_shell_flag)
or
(all of selection_specific_* and not 1 of filter_main_cli_*)
)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
view Sigma YAML
title: Windows Vulnerable Driver Blocklist Disabled
id: d526c60a-e236-4011-b165-831ffa52ab70
related:
- id: 22154f0e-5132-4a54-aa78-cc62f6def531
type: similar
status: experimental
description: |
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely and should be investigated immediately.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
view Sigma YAML
title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.004
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
Details|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
view Sigma YAML
title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\wmiprvse.exe'
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
view Sigma YAML
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
- https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\wusa.exe'
selection_paths_1:
ParentImage|contains:
# Note: Add additional suspicious locations to increase coverage
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
- '\Temporary Internet'
selection_paths_2:
- ParentImage|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentImage|contains|all:
- ':\Users\'
- '\Pictures\'
filter_main_msu:
# Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
CommandLine|contains: '.msu'
condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 751-763 of 763