Palo Alto Cortex XDR (Tool: EDR / XDR)
763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Rules per tactic in this view:
Reconnaissance (4)
Resource Development (5)
Initial Access (7)
Execution (25)
Persistence (31)
Privilege Escalation (17)
Stealth (63)
Defense Impairment (16)
Credential Access (26)
Discovery (24)
Lateral Movement (10)
Collection (11)
Command and Control (18)
Exfiltration (7)
Impact (10)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
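To make the Adapt and Validate steps concrete, here is an added example (not code from this site or from the Sigma project): a small Python evaluator for the detection shapes the rules on this page use (endswith / startswith / contains / contains|all, value lists as OR, selection lists as OR, and the condition forms "X", "X and not Y" and "X and not 1 of P*"), run over constructed events in an assumed local schema. FIELD_MAP, the sample events and the file names in them are assumptions; the detection blocks are copied from three rules below, with the LSASS keyword list shortened.

```python
# Added example, not the Sigma project's own evaluator: it covers only the
# modifiers and condition forms that the rules on this page rely on.

# Assumed local log schema (the "Adapt" step): constructed telemetry names
# the fields proc_path / parent_path / cmdline where Sigma expects
# Image / ParentImage / CommandLine.
FIELD_MAP = {"Image": "proc_path", "ParentImage": "parent_path", "CommandLine": "cmdline"}


def _match_field(event, key, pattern):
    """Evaluate one 'Field|modifier' entry; matching is case-insensitive, as in Sigma."""
    field, *mods = key.split("|")
    value = event.get(FIELD_MAP.get(field, field))
    if value is None:
        return False
    value = str(value).lower()
    wanted = [str(w).lower() for w in (pattern if isinstance(pattern, list) else [pattern])]
    if "endswith" in mods:
        hits = [value.endswith(w) for w in wanted]
    elif "startswith" in mods:
        hits = [value.startswith(w) for w in wanted]
    elif "contains" in mods:
        hits = [w in value for w in wanted]
    else:
        hits = [value == w for w in wanted]
    # A list of values is OR unless the 'all' modifier turns it into AND.
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, sel):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(sel, list):
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())


def evaluate(detection, event):
    """Evaluate a rule's detection block against one event."""
    blocks = {k: v for k, v in detection.items() if k != "condition"}

    def term(t):
        t = t.strip()
        if t.startswith("1 of "):  # '1 of prefix_*' is OR over the blocks whose name matches
            prefix = t[5:].rstrip("*")
            return any(_match_selection(event, v) for k, v in blocks.items() if k.startswith(prefix))
        return _match_selection(event, blocks[t])

    cond = detection["condition"]
    if " and not " in cond:
        left, right = cond.split(" and not ", 1)
        return term(left) and not term(right)
    return term(cond)


# Detection blocks copied from three rules on this page (LSASS keyword list shortened).
RULES = {
    "LSASS Dump Keyword In CommandLine": {
        "selection": [
            {"CommandLine|contains": ["lsass.dmp", "lsass.zip", "lsass_2", "lsassdump"]},
            {"CommandLine|contains|all": ["lsass", ".dmp"]},
            {"CommandLine|contains|all": ["nanodump", ".dmp"]},
        ],
        "condition": "selection",
    },
    "Kavremover Dropped Binary LOLBIN Usage": {
        "selection": {"CommandLine|contains": " run run-cmd "},
        "filter_main_legit_parents": {"ParentImage|endswith": ["\\cleanapi.exe", "\\kavremover.exe"]},
        "condition": "selection and not 1 of filter_main_*",
    },
    "Lazarus System Binary Masquerading": {
        "selection": {"Image|endswith": ["\\msdtc.exe", "\\gpsvc.exe"]},
        "filter": {"Image|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
        "condition": "selection and not filter",
    },
}


def fired(event):
    """Return the titles of the rules that match one event, in RULES order."""
    return [title for title, det in RULES.items() if evaluate(det, event)]


# Constructed sample events in the local schema (the "Validate" step).
SAMPLE_EVENTS = {
    # msdtc.exe outside System32: selection hits and the filter does not, so it alerts
    "masq_from_public": {"proc_path": "C:\\Users\\Public\\msdtc.exe", "parent_path": "C:\\Windows\\explorer.exe", "cmdline": "msdtc.exe"},
    # the real service binary: suppressed by the filter
    "msdtc_legit": {"proc_path": "C:\\Windows\\System32\\msdtc.exe", "parent_path": "C:\\Windows\\System32\\services.exe", "cmdline": "msdtc.exe"},
    # cleanapi.exe launched by the uninstaller itself: filter_main_* suppresses it
    "kav_from_uninstaller": {"proc_path": "C:\\Temp\\cleanapi.exe", "parent_path": "C:\\Temp\\kavremover.exe", "cmdline": "cleanapi.exe run run-cmd example.exe"},
    # same command line from an interactive shell: no legitimate parent, so it alerts
    "kav_from_cmd": {"proc_path": "C:\\Temp\\cleanapi.exe", "parent_path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cleanapi.exe run run-cmd example.exe"},
    # benign file name containing 'lsass_2': the High FP tier in action, tune before trusting
    "lsass_fp": {"proc_path": "C:\\Windows\\System32\\notepad.exe", "parent_path": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe C:\\Reports\\lsass_2024_review.txt"},
    # 'lsass' and '.dmp' together on one command line: the contains|all branch hits
    "lsass_tp": {"proc_path": "C:\\Temp\\dumptool.exe", "parent_path": "C:\\Windows\\System32\\cmd.exe", "cmdline": "dumptool.exe lsass.exe C:\\Temp\\out.dmp"},
}
```

Rules with richer conditions (the React2Shell rule below, for instance) need a real Sigma backend; this evaluator is for checking field mapping and filter logic against your own events before deploying.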
Detection rules
50 shown of 763
Level: high · Quality: Moderate · Alert volume: High FP
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
Sigma YAML:
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
    Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
    This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
Level: high · Quality: Basic · Alert volume: High FP
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs is very likely to be malicious.
Sigma YAML:
title: Katz Stealer DLL Loaded
id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
status: experimental
description: |
    Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
    The process that loads these DLLs is very likely to be malicious.
references:
    - Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1129
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\katz_ontop.dll'
            - '\AppData\Local\Temp\received_dll.dll'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Sigma YAML:
title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
    - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' run run-cmd '
    filter_main_legit_parents:
        ParentImage|endswith:
            - '\cleanapi.exe' # When launched from KES installer
            - '\kavremover.exe' # When launched from kavremover.exe
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Sigma YAML:
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/lsassy
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains:
              - 'lsass.dmp'
              - 'lsass.zip'
              - 'lsass.rar'
              - 'Andrew.dmp'
              - 'Coredump.dmp'
              - 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
              - 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
              - 'lsassdump'
              - 'lsassdmp'
        - CommandLine|contains|all:
              - 'lsass'
              - '.dmp'
        - CommandLine|contains|all:
              - 'SQLDmpr'
              - '.mdmp'
        - CommandLine|contains|all:
              - 'nanodump'
              - '.dmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Strong · Alert volume: High FP
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
Sigma YAML:
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
        TargetFilename|contains: 'lsass.exe.'
        TargetFilename|endswith: '.dmp'
    condition: selection
falsepositives:
    - Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
Level: high · Quality: Strong · Alert volume: High FP
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Sigma YAML:
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
falsepositives:
    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
Level: high · Quality: Strong · Alert volume: Medium FP
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
Sigma YAML:
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
    - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
    - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|endswith:
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\lsass.dmp'
            - '\lsass.rar'
            - '\lsass.zip'
            - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
            - '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
            - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
    selection_2:
        TargetFilename|contains:
            - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdmp'
            - '\lsassdump'
    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
    selection_5:
        TargetFilename|contains:
            - '\nanodump'
            - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
        TargetFilename|endswith: '.dmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike, as reported by the SysAid team.
Sigma YAML:
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike, as reported by the SysAid team.
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-nop -w hidden -c IEX ((new-object net.webclient).downloadstring('
            - "/a')"
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which were seen being used often in PowerShell scripts by FIN7.
Sigma YAML:
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which were seen being used often in PowerShell scripts by FIN7.
references:
    - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith:
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
              - ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
              - ':\Program Files\SysAidServer\tomcat\webapps\leave'
        - TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
    condition: selection
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in the Lazarus APT campaign targeting a Spanish aerospace company.
Sigma YAML:
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: test
description: Detects sideloading of trojanized DLLs used in the Lazarus APT campaign targeting a Spanish aerospace company.
references:
    - https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
    - https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0032
    - detection.emerging-threats
logsource:
    product: windows
    category: image_load
detection:
    selection_mscoree:
        Image: 'C:\ProgramShared\PresentationHost.exe'
        ImageLoaded: ':\ProgramShared\mscoree.dll'
    selection_colorui:
        Image: 'C:\ProgramData\Adobe\colorcpl.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
    selection_mapistub:
        Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
        ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
    selection_hid:
        Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
        ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from a non-default location.
Sigma YAML:
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
description: Detects binaries used by the Lazarus group which use system names but are executed and launched from a non-default location.
references:
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020-06-03
modified: 2023-03-10
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\msdtc.exe'
            - '\gpsvc.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk.
Sigma YAML:
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk.
Sigma YAML:
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk.
Sigma YAML:
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - \eqnedt32.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
            - '.vbs'
            - '.scf'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Sigma YAML:
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
    - https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
Level: high · Quality: Moderate · Alert volume: High FP
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners.
Sigma YAML:
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - ' --cpu-priority='
            - '--donate-level=0'
            - ' -o pool.'
            - ' --nicehash'
            - ' --algo=rx/0 '
            - 'stratum+tcp://'
            - 'stratum+udp://'
            # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
            - 'sh -c /sbin/modprobe msr allow_writes=on'
            # base64 encoded: --donate-level=
            - 'LS1kb25hdGUtbGV2ZWw9'
            - '0tZG9uYXRlLWxldmVsP'
            - 'tLWRvbmF0ZS1sZXZlbD'
            # base64 encoded: stratum+tcp:// and stratum+udp://
            - 'c3RyYXR1bSt0Y3A6Ly'
            - 'N0cmF0dW0rdGNwOi8v'
            - 'zdHJhdHVtK3RjcDovL'
            - 'c3RyYXR1bSt1ZHA6Ly'
            - 'N0cmF0dW0rdWRwOi8v'
            - 'zdHJhdHVtK3VkcDovL'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool.
Sigma YAML:
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
    - https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
    - attack.impact
    - attack.t1496
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        DestinationHostname:
            - 'pool.minexmr.com'
            - 'fr.minexmr.com'
            - 'de.minexmr.com'
            - 'sg.minexmr.com'
            - 'ca.minexmr.com'
            - 'us-west.minexmr.com'
            - 'pool.supportxmr.com'
            - 'mine.c3pool.com'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr.2miners.com'
            - 'xmr.hashcity.org'
            - 'xmr.f2pool.com'
            - 'xmrpool.eu'
            - 'pool.hashvault.pro'
            - 'moneroocean.stream'
            - 'monerocean.stream'
    condition: selection
falsepositives:
    - Legitimate use of crypto miners
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Linux HackTool Execution
Detects known hacktool execution based on image name.
Sigma YAML:
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
    - attack.execution
    - attack.resource-development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nuclei'
            - '/recon-ng'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
Level: high · Quality: Moderate · Alert volume: High FP
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on Linux systems.
Sigma YAML:
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on Linux systems
references:
    - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
    - attack.reconnaissance
    - attack.t1592.004
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - ' -name .htpasswd'
            - ' -perm -4000 '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
high
Moderate
Medium FP
Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
view Sigma YAML
title: Linux Suspicious Child Process from Node.js - React2Shell
id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
related:
    - id: 271de298-cc0e-4842-acd8-079a0a99ea65
      type: similar
status: experimental
description: |
    Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
    This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
    When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
    For other methods, the Image field will show the spawned process directly.
references:
    - https://github.com/msanft/CVE-2025-55182
    - https://nodejs.org/api/child_process.html#class-childprocess
    - https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
    - https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
    - attack.execution
    - attack.t1059
    - attack.initial-access
    - attack.t1190
    - detection.emerging-threats
    - cve.2025-55182
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
        ParentCommandLine|contains:
            - '--experimental-https'
            - '--experimental-next-config-strip-types'
            - '/node_modules/next'
            - 'next dev'
            - 'next start'
            - 'node_modules/.bin'
            - 'react-scripts start'
            - 'start-server.js'
    selection_generic_child_img:
        # Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit
        - Image|endswith:
              - '/busybox'
              - '/cat'
              - '/curl'
              - '/dash'
              - '/dig'
              - '/head'
              - '/id'
              - '/ifconfig'
              - '/ip'
              - '/java'
              - '/less'
              - '/lua'
              - '/more'
              - '/nc'
              - '/ncat'
              - '/netcat'
              - '/netstat'
              - '/nslookup'
              - '/perl'
              - '/ping'
              - '/python'
              - '/python2'
              - '/ruby'
              - '/socat'
              - '/tail'
              - '/wget'
              - '/whoami'
        - Image|contains: '/python'
    selection_generic_child_cli:
        # Observed when child_process.execSync() is used to spawn suspicious processes
        # Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
        # By default, the cli will look something like `/bin/sh -c .......`
        CommandLine|contains:
            - '/dev/tcp/'
            - '/dev/udp/'
            - '/etc/hosts'
            - '/etc/passwd'
            - '/etc/shadow'
            - 'base64'
            - 'cat '
            - 'curl'
            - 'dig'
            - 'ifconfig'
            - 'IO::Socket::INET'
            - 'java'
            - 'less '
            - 'lua'
            - 'mkfifo '
            - 'more'
            - 'nc '
            - 'ncat'
            - 'netcat'
            - 'netstat'
            - 'nslookup'
            - 'perl'
            - 'php'
            - 'ping'
            - 'ps -ef'
            - 'ps aux'
            - 'python'
            - 'rcat'
            - 'ruby'
            - 'sh -i 2>&1'
            - '-c id'
            - 'socat'
            - 'uname'
            - 'wget'
            - 'whoami'
    selection_specific_sh:
        Image|endswith: '/sh'
    selection_specific_cli:
        Image|endswith: '-c'
    filter_main_default_shell_flag:
        Image|endswith: '-c'
    condition:
        selection_parent and
        (
            1 of selection_generic_*
            or
            (selection_specific_sh and not filter_main_default_shell_flag)
            or
            (all of selection_specific_* and selection_generic_child_cli)
        )
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Linux Webshell Indicators
Detects suspicious sub-processes of web server processes
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
    - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
    - https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_general:
        ParentImage|endswith:
            - '/httpd'
            - '/lighttpd'
            - '/nginx'
            - '/apache2'
            - '/node'
            - '/caddy'
    selection_tomcat:
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'tomcat'
    selection_websphere: # ? just guessing
        ParentCommandLine|contains|all:
            - '/bin/java'
            - 'websphere'
    sub_processes:
        Image|endswith:
            - '/whoami'
            - '/ifconfig'
            - '/ip'
            - '/bin/uname'
            - '/bin/cat'
            - '/bin/crontab'
            - '/hostname'
            - '/iptables'
            - '/netstat'
            - '/pwd'
            - '/route'
    condition: 1 of selection_* and sub_processes
falsepositives:
    - Web applications that invoke Linux command line tools
level: high
high
Moderate
Medium FP
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM, attributed to the threat actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
title: LiteLLM / TeamPCP Supply Chain Attack Indicators
id: 36603778-030c-43c4-8cbb-cd3c1d1a80c7
status: experimental
description: |
    Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
    In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM, attributed to the threat actor TeamPCP.
    The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
    - https://novasky.io/hunts/hunting-litellm-supply-chain
    - https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
    - https://huskyhacks.io/posts/litellm-cred-stealer/
    - https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
    - attack.initial-access
    - attack.t1195.002
    - attack.collection
    - attack.t1560.001
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_pth_package:
        # Execution of .pth file
        Image|contains: '/python3'
        CommandLine|contains|all:
            - "exec(base64.b64decode('aW1wb3J0"
            - "kI2NF9TQ1JJUFQgPSAiYV"
    selection_tar:
        Image|endswith: '/tar'
        CommandLine|contains|all:
            - 'tpcp.tar.gz'
            - 'payload.enc'
            - 'session.key.enc'
    selection_curl:
        Image|endswith: '/curl'
        CommandLine|contains|all:
            - 'models.litellm.cloud'
            - 'X-Filename: tpcp.tar.gz'
    selection_sysmon_service:
        ParentImage|contains: '/python3'
        CommandLine|contains|all:
            - 'systemctl'
            - '--user'
            - 'sysmon'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
    - id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
      type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
    filter_main_legit_name:
        Image|endswith:
            - '\livekd.exe'
            - '\livek64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators might rename LiveKD before its usage, which could trigger this. Add any additional names you use to the filter.
level: high
high
Moderate
Medium FP
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
high
Moderate
High FP
Lolbas OneDriveStandaloneUpdater.exe Proxy Download
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Lsass Full Dump Request Via DumpType Registry Settings
Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
title: Lsass Full Dump Request Via DumpType Registry Settings
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719
status: test
description: Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
modified: 2023-08-17
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType'
            - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType'
        Details: 'DWORD (0x00000002)' # Full Dump
    condition: selection
falsepositives:
    - Legitimate application that needs to do a full dump of their process
level: high
high
Moderate
High FP
MERCURY APT Activity
Detects suspicious command line patterns seen being used by MERCURY APT
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
    - https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
modified: 2023-03-10
tags:
    - attack.execution
    - attack.t1059.001
    - attack.g0069
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-exec bypass -w 1 -enc'
            - 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA' # Start-Job -ScriptBlock
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
MMC Spawning Windows Shell
Detects a Windows command line executable started from MMC
title: MMC Spawning Windows Shell
id: 05a2ab7e-ce11-4b63-86db-ab32e763e11d
status: test
description: Detects a Windows command line executable started from MMC
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
author: Karneades, Swisscom CSIRT
date: 2019-08-05
modified: 2022-07-14
tags:
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\mmc.exe'
    selection2:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
        - Image|contains: '\BITSADMIN'
    condition: all of selection*
level: high
high
Moderate
High FP
MMC20 Lateral Movement
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
title: MMC20 Lateral Movement
id: f1f3bf22-deb2-418d-8cce-e1a45e46a5bd
status: test
description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
references:
    - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
author: '@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)'
date: 2020-03-04
modified: 2021-11-27
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mmc.exe'
        CommandLine|contains: '-Embedding'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
MSDT Execution Via Answer File
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high
high
Moderate
High FP
Macro Enabled In A Potentially Suspicious Document
Detects registry changes to Office trust records where the path is located in a potentially suspicious location
title: Macro Enabled In A Potentially Suspicious Document
id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
related:
    - id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
      type: derived
status: test
description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
references:
    - https://twitter.com/inversecos/status/1494174785621819397
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_value:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    selection_paths:
        TargetObject|contains:
            # Note: add more locations where you don't expect a user to execute macro-enabled docs
            - '/AppData/Local/Microsoft/Windows/INetCache/'
            - '/AppData/Local/Temp/'
            - '/PerfLogs/'
            - 'C:/Users/Public/'
            - 'file:///D:/'
            - 'file:///E:/'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
title: Malicious DLL File Dropped in the Teams or OneDrive Folder
id: 1908fcc1-1b92-4272-8214-0fbaf2fa5163
status: test
description: |
    Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications
    Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
references:
    - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
author: frack113
date: 2022-08-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - 'iphlpapi.dll'
            - '\AppData\Local\Microsoft'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: derived
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Please ensure alphabetical order when adding new entries
        CommandLine|contains:
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive PowerShell scripts used for exploitation
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
    - id: 41025fd7-0466-4650-a813-574aaacbe7f4
      type: similar
status: test
description: Detects the creation of known offensive PowerShell scripts used for exploitation
references:
    - https://github.com/PowerShellMafia/PowerSploit
    - https://github.com/NetSPI/PowerUpSQL
    - https://github.com/CsEnox/EventViewer-UACBypass
    - https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
    - https://github.com/nettitude/Invoke-PowerThIEf
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: file_event
    product: windows
detection:
    selection_generic:
        TargetFilename|endswith:
            # Note: Please ensure alphabetical order when adding new entries
            - '\Add-ConstrainedDelegationBackdoor.ps1'
            - '\Add-Exfiltration.ps1'
            - '\Add-Persistence.ps1'
            - '\Add-RegBackdoor.ps1'
            - '\Add-RemoteRegBackdoor.ps1'
            - '\Add-ScrnSaveBackdoor.ps1'
            - '\ADRecon.ps1'
            - '\AzureADRecon.ps1'
            - '\BadSuccessor.ps1'
            - '\Check-VM.ps1'
            - '\ConvertTo-ROT13.ps1'
            - '\Copy-VSS.ps1'
            - '\Create-MultipleSessions.ps1'
            - '\DNS_TXT_Pwnage.ps1'
            - '\dnscat2.ps1'
            - '\Do-Exfiltration.ps1'
            - '\DomainPasswordSpray.ps1'
            - '\Download_Execute.ps1'
            - '\Download-Execute-PS.ps1'
            - '\Enable-DuplicateToken.ps1'
            - '\Enabled-DuplicateToken.ps1'
            - '\Execute-Command-MSSQL.ps1'
            - '\Execute-DNSTXT-Code.ps1'
            - '\Execute-OnTime.ps1'
            - '\ExetoText.ps1'
            - '\Exploit-Jboss.ps1'
            - '\Find-AVSignature.ps1'
            - '\Find-Fruit.ps1'
            - '\Find-GPOLocation.ps1'
            - '\Find-TrustedDocuments.ps1'
            - '\FireBuster.ps1'
            - '\FireListener.ps1'
            - '\Get-ApplicationHost.ps1'
            - '\Get-ChromeDump.ps1'
            - '\Get-ClipboardContents.ps1'
            - '\Get-ComputerDetail.ps1'
            - '\Get-FoxDump.ps1'
            - '\Get-GPPAutologon.ps1'
            - '\Get-GPPPassword.ps1'
            - '\Get-IndexedItem.ps1'
            - '\Get-Keystrokes.ps1'
            - '\Get-LSASecret.ps1'
            - '\Get-MicrophoneAudio.ps1'
            - '\Get-PassHashes.ps1'
            - '\Get-PassHints.ps1'
            - '\Get-RegAlwaysInstallElevated.ps1'
            - '\Get-RegAutoLogon.ps1'
            - '\Get-RickAstley.ps1'
            - '\Get-Screenshot.ps1'
            - '\Get-SecurityPackages.ps1'
            - '\Get-ServiceFilePermission.ps1'
            - '\Get-ServicePermission.ps1'
            - '\Get-ServiceUnquoted.ps1'
            - '\Get-SiteListPassword.ps1'
            - '\Get-System.ps1'
            - '\Get-TimedScreenshot.ps1'
            - '\Get-UnattendedInstallFile.ps1'
            - '\Get-Unconstrained.ps1'
            - '\Get-USBKeystrokes.ps1'
            - '\Get-VaultCredential.ps1'
            - '\Get-VulnAutoRun.ps1'
            - '\Get-VulnSchTask.ps1'
            - '\Get-WebConfig.ps1'
            - '\Get-WebCredentials.ps1'
            - '\Get-WLAN-Keys.ps1'
            - '\Gupt-Backdoor.ps1'
            - '\HTTP-Backdoor.ps1'
            - '\HTTP-Login.ps1'
            - '\Install-ServiceBinary.ps1'
            - '\Install-SSP.ps1'
            - '\Invoke-ACLScanner.ps1'
            - '\Invoke-ADSBackdoor.ps1'
            - '\Invoke-AmsiBypass.ps1'
            - '\Invoke-ARPScan.ps1'
            - '\Invoke-BackdoorLNK.ps1'
            - '\Invoke-BadPotato.ps1'
            - '\Invoke-BetterSafetyKatz.ps1'
            - '\Invoke-BruteForce.ps1'
            - '\Invoke-BypassUAC.ps1'
            - '\Invoke-Carbuncle.ps1'
            - '\Invoke-Certify.ps1'
            - '\Invoke-ConPtyShell.ps1'
            - '\Invoke-CredentialInjection.ps1'
            - '\Invoke-CredentialsPhish.ps1'
            - '\Invoke-DAFT.ps1'
            - '\Invoke-DCSync.ps1'
            - '\Invoke-Decode.ps1'
            - '\Invoke-DinvokeKatz.ps1'
            - '\Invoke-DllInjection.ps1'
            - '\Invoke-DNSExfiltrator.ps1'
            - '\Invoke-DNSUpdate.ps1'
            - '\Invoke-DowngradeAccount.ps1'
            - '\Invoke-EgressCheck.ps1'
            - '\Invoke-Encode.ps1'
            - '\Invoke-EventViewer.ps1'
            - '\Invoke-Eyewitness.ps1'
            - '\Invoke-FakeLogonScreen.ps1'
            - '\Invoke-Farmer.ps1'
            - '\Invoke-Get-RBCD-Threaded.ps1'
            - '\Invoke-Gopher.ps1'
            - '\Invoke-Grouper2.ps1'
            - '\Invoke-Grouper3.ps1'
            - '\Invoke-HandleKatz.ps1'
            - '\Invoke-Interceptor.ps1'
            - '\Invoke-Internalmonologue.ps1'
            - '\Invoke-Inveigh.ps1'
            - '\Invoke-InveighRelay.ps1'
            - '\Invoke-JSRatRegsvr.ps1'
            - '\Invoke-JSRatRundll.ps1'
            - '\Invoke-KrbRelay.ps1'
            - '\Invoke-KrbRelayUp.ps1'
            - '\Invoke-LdapSignCheck.ps1'
            - '\Invoke-Lockless.ps1'
            - '\Invoke-MalSCCM.ps1'
            - '\Invoke-Mimikatz.ps1'
            - '\Invoke-MimikatzWDigestDowngrade.ps1'
            - '\Invoke-Mimikittenz.ps1'
            - '\Invoke-MITM6.ps1'
            - '\Invoke-NanoDump.ps1'
            - '\Invoke-NetRipper.ps1'
            - '\Invoke-NetworkRelay.ps1'
            - '\Invoke-NinjaCopy.ps1'
            - '\Invoke-OxidResolver.ps1'
            - '\Invoke-P0wnedshell.ps1'
            - '\Invoke-P0wnedshellx86.ps1'
            - '\Invoke-Paranoia.ps1'
            - '\Invoke-PortScan.ps1'
            - '\Invoke-PoshRatHttp.ps1'
            - '\Invoke-PoshRatHttps.ps1'
            - '\Invoke-PostExfil.ps1'
            - '\Invoke-PowerDump.ps1'
            - '\Invoke-PowerDPAPI.ps1'
            - '\Invoke-PowerShellIcmp.ps1'
            - '\Invoke-PowerShellTCP.ps1'
            - '\Invoke-PowerShellTcpOneLine.ps1'
            - '\Invoke-PowerShellTcpOneLineBind.ps1'
            - '\Invoke-PowerShellUdp.ps1'
            - '\Invoke-PowerShellUdpOneLine.ps1'
            - '\Invoke-PowerShellWMI.ps1'
            - '\Invoke-PowerThIEf.ps1'
            - '\Invoke-PPLDump.ps1'
            - '\Invoke-Prasadhak.ps1'
            - '\Invoke-PsExec.ps1'
            - '\Invoke-PsGcat.ps1'
            - '\Invoke-PsGcatAgent.ps1'
            - '\Invoke-PSInject.ps1'
            - '\Invoke-PsUaCme.ps1'
            - '\Invoke-ReflectivePEInjection.ps1'
            - '\Invoke-ReverseDNSLookup.ps1'
            - '\Invoke-Rubeus.ps1'
            - '\Invoke-RunAs.ps1'
            - '\Invoke-SafetyKatz.ps1'
            - '\Invoke-SauronEye.ps1'
            - '\Invoke-SCShell.ps1'
            - '\Invoke-Seatbelt.ps1'
            - '\Invoke-ServiceAbuse.ps1'
            - '\Invoke-SessionGopher.ps1'
            - '\Invoke-ShellCode.ps1'
            - '\Invoke-SMBScanner.ps1'
            - '\Invoke-Snaffler.ps1'
            - '\Invoke-Spoolsample.ps1'
            - '\Invoke-SSHCommand.ps1'
            - '\Invoke-SSIDExfil.ps1'
            - '\Invoke-StandIn.ps1'
            - '\Invoke-StickyNotesExtract.ps1'
            - '\Invoke-Tater.ps1'
            - '\Invoke-Thunderfox.ps1'
            - '\Invoke-ThunderStruck.ps1'
            - '\Invoke-TokenManipulation.ps1'
            - '\Invoke-Tokenvator.ps1'
            - '\Invoke-TotalExec.ps1'
            - '\Invoke-UrbanBishop.ps1'
            - '\Invoke-UserHunter.ps1'
            - '\Invoke-VoiceTroll.ps1'
            - '\Invoke-Whisker.ps1'
            - '\Invoke-WinEnum.ps1'
            - '\Invoke-winPEAS.ps1'
            - '\Invoke-WireTap.ps1'
            - '\Invoke-WmiCommand.ps1'
            - '\Invoke-WScriptBypassUAC.ps1'
            - '\Invoke-Zerologon.ps1'
            - '\Keylogger.ps1'
            - '\MailRaider.ps1'
            - '\New-HoneyHash.ps1'
            - '\OfficeMemScraper.ps1'
            - '\Offline_Winpwn.ps1'
            - '\Out-CHM.ps1'
            - '\Out-DnsTxt.ps1'
            - '\Out-Excel.ps1'
            - '\Out-HTA.ps1'
            - '\Out-Java.ps1'
            - '\Out-JS.ps1'
            - '\Out-Minidump.ps1'
            - '\Out-RundllCommand.ps1'
            - '\Out-SCF.ps1'
            - '\Out-SCT.ps1'
            - '\Out-Shortcut.ps1'
            - '\Out-WebQuery.ps1'
            - '\Out-Word.ps1'
            - '\Parse_Keys.ps1'
            - '\Port-Scan.ps1'
            - '\PowerBreach.ps1'
            - '\powercat.ps1'
            - '\Powermad.ps1'
            - '\PowerRunAsSystem.psm1'
            - '\PowerSharpPack.ps1'
            - '\PowerUp.ps1'
            - '\PowerUpSQL.ps1'
            - '\PowerView.ps1'
            - '\PSAsyncShell.ps1'
            - '\RemoteHashRetrieval.ps1'
            - '\Remove-Persistence.ps1'
            - '\Remove-PoshRat.ps1'
            - '\Remove-Update.ps1'
            - '\Run-EXEonRemote.ps1'
            - '\Schtasks-Backdoor.ps1'
            - '\Set-DCShadowPermissions.ps1'
            - '\Set-MacAttribute.ps1'
            - '\Set-RemotePSRemoting.ps1'
            - '\Set-RemoteWMI.ps1'
            - '\Set-Wallpaper.ps1'
            - '\Show-TargetScreen.ps1'
            - '\Speak.ps1'
            - '\Start-CaptureServer.ps1'
            - '\Start-WebcamRecorder.ps1'
            - '\StringToBase64.ps1'
            - '\TexttoExe.ps1'
            - '\Veeam-Get-Creds.ps1'
            - '\VolumeShadowCopyTools.ps1'
            - '\WinPwn.ps1'
            - '\WSUSpendu.ps1'
    selection_invoke_sharp:
        TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
        TargetFilename|endswith: '.ps1'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Mask System Power Settings Via Systemctl
Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
title: Mask System Power Settings Via Systemctl
id: c172b7b5-f3a1-4af2-90b7-822c63df86cb
status: experimental
description: |
    Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep.
    Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted.
    This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity.
author: Milad Cheraghi, Nasreddine Bencherchali
date: 2025-10-17
references:
    - https://www.man7.org/linux/man-pages/man1/systemctl.1.html
    - https://linux-audit.com/systemd/faq/what-is-the-difference-between-systemctl-disable-and-systemctl-mask/
tags:
    - attack.persistence
    - attack.impact
    - attack.t1653
logsource:
    category: process_creation
    product: linux
detection:
    selection_systemctl:
        Image|endswith: '/systemctl'
        CommandLine|contains: ' mask'
    selection_power_options:
        CommandLine|contains:
            - 'suspend.target'
            - 'hibernate.target'
            - 'hybrid-sleep.target'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Moderate
Medium FP
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
      type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
    - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
    - https://github.com/SigmaHQ/sigma/issues/3742
    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - attack.t1218.013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' /INJECTRUNNING '
    filter:
        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\outllib.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Microsoft Office Protected View Disabled
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
title: Microsoft Office Protected View Disabled
id: a5c7a43f-6009-4a8c-80c5-32abf1c53ecc
related:
    - id: 7c637634-c95d-4bbf-b26c-a82510874b34
      type: obsolete
status: test
description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
    - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
    - https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-08
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_set
detection:
    selection_path:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Security\ProtectedView\'
    selection_values_1:
        Details: 'DWORD (0x00000001)'
        TargetObject|endswith:
            - '\DisableAttachementsInPV' # Turn off Protected View for attachments opened from Outlook
            - '\DisableInternetFilesInPV' # Turn off Protected View for files downloaded from Internet zone
            - '\DisableIntranetCheck' # Turn off Protected View for file located in UNC paths
            - '\DisableUnsafeLocationsInPV' # Turn off Protected View for unsafe locations
    selection_values_0:
        Details: 'DWORD (0x00000000)'
        TargetObject|endswith:
            - '\enabledatabasefileprotectedview'
            - '\enableforeigntextfileprotectedview'
    condition: selection_path and 1 of selection_values_*
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Mint Sandstorm - Log4J Wstomcat Process Execution
Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
title: Mint Sandstorm - Log4J Wstomcat Process Execution
id: 7c97c625-0350-4f0a-8943-f6cadc88125e
status: test
description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-11-29
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ws_tomcatservice.exe'
    filter_main_repadmin:
        Image|endswith: '\repadmin.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
title: Mshtml.DLL RunHTMLApplication Suspicious Usage
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
    - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
      type: obsolete
    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
      type: obsolete
status: test
description: |
    Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
references:
    - https://twitter.com/n1nj4sec/status/1421190238081277959
    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
date: 2022-08-14
modified: 2024-02-23
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\..\'
            - 'mshtml'
        CommandLine|contains:
            - '#135'
            - 'RunHTMLApplication'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Mustang Panda Dropper
Detects specific process parameters as used by Mustang Panda droppers
title: Mustang Panda Dropper
id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00
status: test
description: Detects specific process parameters as used by Mustang Panda droppers
references:
    - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/
    - https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
author: Florian Roth (Nextron Systems), oscd.community
date: 2019-10-30
modified: 2021-11-27
tags:
    - attack.t1587.001
    - attack.resource-development
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli:
        - CommandLine|contains:
              - 'Temp\wtask.exe /create'
              - '%windir:~-3,1%%PUBLIC:~-9,1%'
              - '/tn "Security Script '
              - '%windir:~-1,1%'
        - CommandLine|contains|all:
              - '/E:vbscript'
              - 'C:\Users\'
              - '.txt'
              - '/F'
    selection_img:
        Image|endswith: 'Temp\winwsh.exe'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key.
The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simply specifying an arbitrary value (e.g. a fake output location or junk data) in place of the expected value, no Usage Log file will be created for the .NET execution context.
title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
    Detects changes to the NGenAssemblyUsageLog registry key.
    The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
    By simply specifying an arbitrary value (e.g. a fake output location or junk data) in place of the expected value, no Usage Log file will be created for the .NET execution context.
references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen in various tools that export the NTDS.DIT for exfiltration.
title: NTDS Exfiltration Filename Patterns
id: 3a8da4e0-36c1-40d2-8b29-b3e890d5172a
status: test
description: Detects creation of files with specific name patterns seen in various tools that export the NTDS.DIT for exfiltration.
references:
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
    - https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-05-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\All.cab' # https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1
            - '.ntds.cleartext' # https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
title: NTDS.DIT Creation By Uncommon Parent Process
id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
related:
    - id: 11b1ed55-154d-4e82-8ad7-83739298f720
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
references:
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
    - https://pentestlab.blog/tag/ntds-dit/
    - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_file:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_parent:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|endswith:
            - '\cscript.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\w3wp.exe'
            - '\wscript.exe'
    selection_process_parent_path:
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        ParentImage|contains:
            - '\apache'
            - '\tomcat'
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_file and 1 of selection_process_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
title: NTDS.DIT Creation By Uncommon Process
id: 11b1ed55-154d-4e82-8ad7-83739298f720
related:
    - id: 4e7050dd-e548-483f-b7d6-527ab4fa784d
      type: similar
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
references:
    - https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/
    - https://adsecurity.org/?p=2398
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1003.002
    - attack.t1003.003
logsource:
    product: windows
    category: file_event
detection:
    selection_ntds:
        TargetFilename|endswith: '\ntds.dit'
    selection_process_img:
        Image|endswith:
            # Add more suspicious processes as you see fit
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wsl.exe'
            - '\wt.exe'
    selection_process_paths:
        Image|contains:
            - '\AppData\'
            - '\Temp\'
            - '\Public\'
            - '\PerfLogs\'
    condition: selection_ntds and 1 of selection_process_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
NetNTLM Downgrade Attack - Registry
Detects a NetNTLM downgrade attack
title: NetNTLM Downgrade Attack - Registry
id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2
status: test
description: Detects a NetNTLM downgrade attack
references:
    - https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
    - https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
author: Florian Roth (Nextron Systems), wagga, Nasreddine Bencherchali (Splunk STRT)
date: 2018-03-20
modified: 2024-12-03
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection_regkey:
        TargetObject|contains|all:
            - 'SYSTEM\'
            - 'ControlSet'
            - '\Control\Lsa'
    selection_value_lmcompatibilitylevel:
        TargetObject|endswith: '\lmcompatibilitylevel'
        Details:
            - 'DWORD (0x00000000)'
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000002)'
    selection_value_ntlmminclientsec:
        TargetObject|endswith: '\NtlmMinClientSec'
        Details:
            - 'DWORD (0x00000000)' # No Security
            - 'DWORD (0x00000010)' # Only Integrity
            - 'DWORD (0x00000020)' # Only confidentiality
            - 'DWORD (0x00000030)' # Both Integrity and confidentiality
    selection_value_restrictsendingntlmtraffic:
        # Note: The obvious values with issues are 0x00000000 (allow all) and 0x00000001 (audit).
        # 0x00000002 can be secure but only if "ClientAllowedNTLMServers" is properly configured
        # Hence all values should be monitored and investigated
        TargetObject|endswith: '\RestrictSendingNTLMTraffic'
    condition: selection_regkey and 1 of selection_value_*
falsepositives:
    - Services or tools that set the values to more restrictive values
level: high
high
Moderate
Medium FP
Network Communication With Crypto Mining Pool
Detects initiated network connections to crypto mining pools
title: Network Communication With Crypto Mining Pool
id: fa5b1358-b040-4403-9868-15f7d9ab6329
status: stable
description: Detects initiated network connections to crypto mining pools
references:
    - https://www.poolwatch.io/coin/monero
    - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
    - https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-26
modified: 2024-01-19
tags:
    - attack.impact
    - attack.t1496
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname:
            - 'alimabi.cn'
            - 'ap.luckpool.net'
            - 'bcn.pool.minergate.com'
            - 'bcn.vip.pool.minergate.com'
            - 'bohemianpool.com'
            - 'ca-aipg.miningocean.org'
            - 'ca-dynex.miningocean.org'
            - 'ca-neurai.miningocean.org'
            - 'ca-qrl.miningocean.org'
            - 'ca-upx.miningocean.org'
            - 'ca-zephyr.miningocean.org'
            - 'ca.minexmr.com'
            - 'ca.monero.herominers.com'
            - 'cbd.monerpool.org'
            - 'cbdv2.monerpool.org'
            - 'cryptmonero.com'
            - 'crypto-pool.fr'
            - 'crypto-pool.info'
            - 'cryptonight-hub.miningpoolhub.com'
            - 'd1pool.ddns.net'
            - 'd5pool.us'
            - 'daili01.monerpool.org'
            - 'de-aipg.miningocean.org'
            - 'de-dynex.miningocean.org'
            - 'de-zephyr.miningocean.org'
            - 'de.minexmr.com'
            - 'dl.nbminer.com'
            - 'donate.graef.in'
            - 'donate.ssl.xmrig.com'
            - 'donate.v2.xmrig.com'
            - 'donate.xmrig.com'
            - 'donate2.graef.in'
            - 'drill.moneroworld.com'
            - 'dwarfpool.com'
            - 'emercoin.com'
            - 'emercoin.net'
            - 'emergate.net'
            - 'ethereumpool.co'
            - 'eu.luckpool.net'
            - 'eu.minerpool.pw'
            - 'fcn-xmr.pool.minergate.com'
            - 'fee.xmrig.com'
            - 'fr-aipg.miningocean.org'
            - 'fr-dynex.miningocean.org'
            - 'fr-neurai.miningocean.org'
            - 'fr-qrl.miningocean.org'
            - 'fr-upx.miningocean.org'
            - 'fr-zephyr.miningocean.org'
            - 'fr.minexmr.com'
            - 'hellominer.com'
            - 'herominers.com'
            - 'hk-aipg.miningocean.org'
            - 'hk-dynex.miningocean.org'
            - 'hk-neurai.miningocean.org'
            - 'hk-qrl.miningocean.org'
            - 'hk-upx.miningocean.org'
            - 'hk-zephyr.miningocean.org'
            - 'huadong1-aeon.ppxxmr.com'
            - 'iwanttoearn.money'
            - 'jw-js1.ppxxmr.com'
            - 'koto-pool.work'
            - 'lhr.nbminer.com'
            - 'lhr3.nbminer.com'
            - 'linux.monerpool.org'
            - 'lokiturtle.herominers.com'
            - 'luckpool.net'
            - 'masari.miner.rocks'
            - 'mine.c3pool.com'
            - 'mine.moneropool.com'
            - 'mine.ppxxmr.com'
            - 'mine.zpool.ca'
            - 'mine1.ppxxmr.com'
            - 'minemonero.gq'
            - 'miner.ppxxmr.com'
            - 'miner.rocks'
            - 'minercircle.com'
            - 'minergate.com'
            - 'minerpool.pw'
            - 'minerrocks.com'
            - 'miners.pro'
            - 'minerxmr.ru'
            - 'minexmr.cn'
            - 'minexmr.com'
            - 'mining-help.ru'
            - 'miningpoolhub.com'
            - 'mixpools.org'
            - 'moner.monerpool.org'
            - 'moner1min.monerpool.org'
            - 'monero-master.crypto-pool.fr'
            - 'monero.crypto-pool.fr'
            - 'monero.hashvault.pro'
            - 'monero.herominers.com'
            - 'monero.lindon-pool.win'
            - 'monero.miners.pro'
            - 'monero.riefly.id'
            - 'monero.us.to'
            - 'monerocean.stream'
            - 'monerogb.com'
            - 'monerohash.com'
            - 'moneroocean.stream'
            - 'moneropool.com'
            - 'moneropool.nl'
            - 'monerorx.com'
            - 'monerpool.org'
            - 'moriaxmr.com'
            - 'mro.pool.minergate.com'
            - 'multipool.us'
            - 'myxmr.pw'
            - 'na.luckpool.net'
            - 'nanopool.org'
            - 'nbminer.com'
            - 'node3.luckpool.net'
            - 'noobxmr.com'
            - 'pangolinminer.comgandalph3000.com'
            - 'pool.4i7i.com'
            - 'pool.armornetwork.org'
            - 'pool.cortins.tk'
            - 'pool.gntl.co.uk'
            - 'pool.hashvault.pro'
            - 'pool.minergate.com'
            - 'pool.minexmr.com'
            - 'pool.monero.hashvault.pro'
            - 'pool.ppxxmr.com'
            - 'pool.somec.cc'
            - 'pool.support'
            - 'pool.supportxmr.com'
            - 'pool.usa-138.com'
            - 'pool.xmr.pt'
            - 'pool.xmrfast.com'
            - 'pool2.armornetwork.org'
            - 'poolchange.ppxxmr.com'
            - 'pooldd.com'
            - 'poolmining.org'
            - 'poolto.be'
            - 'ppxvip1.ppxxmr.com'
            - 'ppxxmr.com'
            - 'prohash.net'
            - 'r.twotouchauthentication.online'
            - 'randomx.xmrig.com'
            - 'ratchetmining.com'
            - 'seed.emercoin.com'
            - 'seed.emercoin.net'
            - 'seed.emergate.net'
            - 'seed1.joulecoin.org'
            - 'seed2.joulecoin.org'
            - 'seed3.joulecoin.org'
            - 'seed4.joulecoin.org'
            - 'seed5.joulecoin.org'
            - 'seed6.joulecoin.org'
            - 'seed7.joulecoin.org'
            - 'seed8.joulecoin.org'
            - 'sg-aipg.miningocean.org'
            - 'sg-dynex.miningocean.org'
            - 'sg-neurai.miningocean.org'
            - 'sg-qrl.miningocean.org'
            - 'sg-upx.miningocean.org'
            - 'sg-zephyr.miningocean.org'
            - 'sg.minexmr.com'
            - 'sheepman.mine.bz'
            - 'siamining.com'
            - 'sumokoin.minerrocks.com'
            - 'supportxmr.com'
            - 'suprnova.cc'
            - 'teracycle.net'
            - 'trtl.cnpool.cc'
            - 'trtl.pool.mine2gether.com'
            - 'turtle.miner.rocks'
            - 'us-aipg.miningocean.org'
            - 'us-dynex.miningocean.org'
            - 'us-neurai.miningocean.org'
            - 'us-west.minexmr.com'
            - 'us-zephyr.miningocean.org'
            - 'usxmrpool.com'
            - 'viaxmr.com'
            - 'webservicepag.webhop.net'
            - 'xiazai.monerpool.org'
            - 'xiazai1.monerpool.org'
            - 'xmc.pool.minergate.com'
            - 'xmo.pool.minergate.com'
            - 'xmr-asia1.nanopool.org'
            - 'xmr-au1.nanopool.org'
            - 'xmr-eu1.nanopool.org'
            - 'xmr-eu2.nanopool.org'
            - 'xmr-jp1.nanopool.org'
            - 'xmr-us-east1.nanopool.org'
            - 'xmr-us-west1.nanopool.org'
            - 'xmr-us.suprnova.cc'
            - 'xmr-usa.dwarfpool.com'
            - 'xmr.2miners.com'
            - 'xmr.5b6b7b.ru'
            - 'xmr.alimabi.cn'
            - 'xmr.bohemianpool.com'
            - 'xmr.crypto-pool.fr'
            - 'xmr.crypto-pool.info'
            - 'xmr.f2pool.com'
            - 'xmr.hashcity.org'
            - 'xmr.hex7e4.ru'
            - 'xmr.ip28.net'
            - 'xmr.monerpool.org'
            - 'xmr.mypool.online'
            - 'xmr.nanopool.org'
            - 'xmr.pool.gntl.co.uk'
            - 'xmr.pool.minergate.com'
            - 'xmr.poolto.be'
            - 'xmr.ppxxmr.com'
            - 'xmr.prohash.net'
            - 'xmr.simka.pw'
            - 'xmr.somec.cc'
            - 'xmr.suprnova.cc'
            - 'xmr.usa-138.com'
            - 'xmr.vip.pool.minergate.com'
            - 'xmr1min.monerpool.org'
            - 'xmrf.520fjh.org'
            - 'xmrf.fjhan.club'
            - 'xmrfast.com'
            - 'xmrigcc.graef.in'
            - 'xmrminer.cc'
            - 'xmrpool.de'
            - 'xmrpool.eu'
            - 'xmrpool.me'
            - 'xmrpool.net'
            - 'xmrpool.xyz'
            - 'xx11m.monerpool.org'
            - 'xx11mv2.monerpool.org'
            - 'xxx.hex7e4.ru'
            - 'zarabotaibitok.ru'
            - 'zer0day.ru'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Network Connection Initiated By Eqnedt32.EXE
Detects network connections from the Equation Editor process "eqnedt32.exe".
title: Network Connection Initiated By Eqnedt32.EXE
id: a66bc059-c370-472c-a0d7-f8fd1bf9d583
status: test
description: Detects network connections from the Equation Editor process "eqnedt32.exe".
references:
    - https://twitter.com/forensicitguy/status/1513538712986079238
    - https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/
    - https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
author: Max Altgelt (Nextron Systems)
date: 2022-04-14
modified: 2024-05-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\eqnedt32.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Network Connection Initiated Via Notepad.EXE
Detects a network connection that is initiated by the "notepad.exe" process.
This might be a sign of process injection from a beacon process or something similar.
Notepad rarely initiates network communication, except for example when printing documents.
title: Network Connection Initiated Via Notepad.EXE
id: e81528db-fc02-45e8-8e98-4e84aba1f10b
status: test
description: |
    Detects a network connection that is initiated by the "notepad.exe" process.
    This might be a sign of process injection from a beacon process or something similar.
    Notepad rarely initiates network communication, except for example when printing documents.
references:
    - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
    - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
author: EagleEye Team
date: 2020-05-14
modified: 2024-02-02
tags:
    - attack.privilege-escalation
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1055
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
    filter_optional_printing:
        DestinationPort: 9100
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Printing documents via notepad might cause communication with the printer via port 9100 or similar.
level: high
high
Moderate
High FP
Network Reconnaissance Activity
Detects a set of suspicious network-related commands often used in recon stages
title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network-related commands often used in recon stages
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'nslookup'
            - '_ldap._tcp.dc._msdcs.'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
Showing 201-250 of 763