Tool
EDR / XDR
Palo Alto Cortex XDR
559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 559
medium
Strong
Medium FP
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
view Sigma YAML
title: Indicator Removal on Host - Clear Mac System Logs
id: acf61bd8-d814-4272-81f0-a7a269aa69aa
status: test
description: Detects deletion of local audit logs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: remotephone, oscd.community
date: 2020-10-11
modified: 2022-09-16
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: macos
category: process_creation
detection:
selection1:
Image|endswith:
- '/rm'
- '/unlink'
- '/shred'
selection_cli_1:
CommandLine|contains: '/var/log'
selection_cli_2:
CommandLine|contains|all:
- '/Users/'
- '/Library/Logs/'
condition: selection1 and 1 of selection_cli*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
view Sigma YAML
title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Sftp/
- https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sftp.exe'
CommandLine|contains: 'ProxyCommand='
condition: selection
falsepositives:
- Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
Convert to SIEM query
medium
Moderate
High FP
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
view Sigma YAML
title: InfDefaultInstall.exe .inf Execution
id: ce7cf472-6fcc-490a-9481-3786840b5d9b
status: test
description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
- https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
author: frack113
date: 2021-07-13
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'InfDefaultInstall.exe '
- '.inf'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
view Sigma YAML
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is create during install
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\TeamViewer_Desktop.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
view Sigma YAML
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
ParentCommandLine: 'bash -i'
anomaly1:
CommandLine|contains:
- '-c import '
- 'base64'
- 'pty.spawn'
anomaly2:
Image|endswith:
- 'whoami'
- 'iptables'
- '/ncat'
- '/nc'
- '/netcat'
condition: selection and 1 of anomaly*
falsepositives:
- Legitimate software that uses these patterns
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: Internet Explorer Autorun Keys Modification
id: a80f662f-022f-4429-9b8c-b1a41aaa6688
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
ie:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Internet Explorer'
- '\Software\Microsoft\Internet Explorer'
ie_details:
TargetObject|contains:
- '\Toolbar'
- '\Extensions'
- '\Explorer Bars'
filter_empty:
Details: '(Empty)'
filter_extensions:
TargetObject|contains:
- '\Extensions\{2670000A-7350-4f3c-8081-5663EE0C6C49}'
- '\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}'
- '\Extensions\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}'
- '\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}'
filter_toolbar:
TargetObject|endswith:
- '\Toolbar\ShellBrowser\ITBar7Layout'
- '\Toolbar\ShowDiscussionButton'
- '\Toolbar\Locked'
condition: ie and ie_details and not 1 of filter_*
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
view Sigma YAML
title: Internet Explorer DisableFirstRunCustomize Enabled
id: ab567429-1dfb-4674-b6d2-979fd2f9d125
status: test
description: |
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
- https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2025-10-07
tags:
- attack.defense-impairment
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize'
Details:
- 'DWORD (0x00000001)' # Home Page
- 'DWORD (0x00000002)' # Welcome To IE
filter_main_generic:
Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\ie4uinit.exe'
filter_optional_avira:
Image|contains|all:
- '\Temp\'
- '\.cr\avira_'
Details|contains: 'DWORD (0x00000001)'
filter_optional_foxit:
Image:
- 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
- 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
Details|contains: 'DWORD (0x00000001)'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- As this is controlled by group policy as well as user settings. Some false positives may occur.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
view Sigma YAML
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
level: medium
Convert to SIEM query
medium
Moderate
High FP
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
view Sigma YAML
title: Invoke-Obfuscation COMPRESS OBFUSCATION
id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7
status: test
description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 19)
author: Timur Zinniatullin, oscd.community
date: 2020-10-18
modified: 2022-12-29
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'new-object'
- 'text.encoding]::ascii'
CommandLine|contains:
- 'system.io.compression.deflatestream'
- 'system.io.streamreader'
- 'readtoend('
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
view Sigma YAML
title: JAMF MDM Potential Suspicious Child Process
id: 2316929c-01aa-438c-970f-099145ab1ee6
status: test
description: Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
references:
- https://github.com/MythicAgents/typhon/
- https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
- https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-22
tags:
- attack.execution
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/jamf'
Image|endswith:
# Note: Add additional binaries/commands that are uncommon during your typical admin usage of Jamf
- '/bash'
- '/sh'
condition: selection
falsepositives:
- Legitimate execution of custom scripts or commands by Jamf administrators. Apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
view Sigma YAML
title: Java Running with Remote Debugging
id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
status: test
description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
references:
- https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-02-01
tags:
- attack.t1203
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_jdwp_transport:
CommandLine|contains: 'transport=dt_socket,address='
selection_old_jvm_version:
CommandLine|contains:
- 'jre1.'
- 'jdk1.'
exclusion:
CommandLine|contains:
- 'address=127.0.0.1'
- 'address=localhost'
condition: all of selection_* and not exclusion
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
view Sigma YAML
title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: test
description: |
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1553.003
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Cryptography\Providers\{'
TargetObject|endswith: '\Seed'
filter_main_empty:
Details|contains: '(Empty)'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
view Sigma YAML
title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
- https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
- https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1569.001
- attack.t1543.001
- attack.t1543.004
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/launchctl'
CommandLine|contains:
- 'submit'
- 'load'
- 'start'
condition: selection
falsepositives:
- Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
view Sigma YAML
title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
- https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
- attack.stealth
- attack.t1216.001
logsource:
category: process_creation
product: windows
detection:
selection_script:
CommandLine|contains: 'Launch-VsDevShell.ps1'
selection_flags:
CommandLine|contains:
- 'VsWherePath '
- 'VsInstallationPath '
condition: all of selection_*
falsepositives:
- Legitimate usage of the script by a developer
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Base64 Encoded Pipe to Shell
Detects suspicious process command line that uses base64 encoded input for execution with a shell
view Sigma YAML
title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
- https://github.com/arget13/DDexec
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection_base64:
CommandLine|contains: 'base64 '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- ' |sh'
- '| bash'
- '| sh'
- '|bash'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
view Sigma YAML
title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
- "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
- "IyEvYmluL3pza" # Note: #!/bin/zsh"
- "IyEvYmluL2Zpc2" # Note: #!/bin/fish
- "IyEvYmluL3No" # Note: # !/bin/sh"
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
view Sigma YAML
title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of doas.conf file in linux host platform.
references:
- https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
- https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith: '/etc/doas.conf'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Linux Logs Clearing Attempts
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
Adversaries often try to clear logs to cover their tracks after performing malicious activities.
view Sigma YAML
title: Linux Logs Clearing Attempts
id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
status: stable
description: |
Detects logs clearing attempts on Linux systems via utilities such as 'rm', 'rmdir', 'shred', and 'unlink' targeting log files and directories.
Adversaries often try to clear logs to cover their tracks after performing malicious activities.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
author: Ömer Günal, oscd.community
date: 2020-10-07
modified: 2026-03-18
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/rm' # covers /rmdir as well
- '/rmdir'
- '/shred'
- '/unlink'
CommandLine|contains:
- '/var/log'
- '/var/spool/mail'
filter_main_legit_systat:
Image|endswith: '/rm'
CommandLine|startswith: 'rm -f /var/log/sysstat/'
filter_main_dmseg:
Image|endswith: '/rm'
CommandLine|startswith: 'rm -f -- /var/log//dmesg' # // before dmesg is not typo
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Moderate
High FP
Linux Shell Pipe to Shell
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
view Sigma YAML
title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
modified: 2022-07-26
tags:
- attack.stealth
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|startswith:
- 'sh -c '
- 'bash -c '
selection_exec:
- CommandLine|contains:
- '| bash '
- '| sh '
- '|bash '
- '|sh '
- CommandLine|endswith:
- '| bash'
- '| sh'
- '|bash'
- ' |sh'
condition: all of selection*
falsepositives:
- Legitimate software that uses these patterns
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
LiveKD Driver Creation
Detects the creation of the LiveKD driver, which is used for live kernel debugging
view Sigma YAML
title: LiveKD Driver Creation
id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
status: test
description: Detects the creation of the LiveKD driver, which is used for live kernel debugging
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
Image|endswith:
- '\livekd.exe'
- '\livek64.exe'
condition: selection
falsepositives:
- Legitimate usage of LiveKD for debugging purposes will also trigger this
level: medium
Convert to SIEM query
medium
Moderate
High FP
Lolbin Runexehelper Use As Proxy
Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
view Sigma YAML
title: Lolbin Runexehelper Use As Proxy
id: cd71385d-fd9b-4691-9b98-2b1f7e508714
status: test
description: Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
references:
- https://twitter.com/0gtweet/status/1206692239839289344
- https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
author: frack113
date: 2022-12-29
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\runexehelper.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
view Sigma YAML
title: MMC Loading Script Engines DLLs
id: a9c73e8b-3b2d-4c45-8ef2-5f9a9c9998ad
status: experimental
description: |
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt
to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.elastic.co/security-labs/grimresource
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218.014
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\mmc.exe'
ImageLoaded|endswith:
- '\vbscript.dll'
- '\jscript.dll'
- '\jscript9.dll'
condition: selection
falsepositives:
- Legitimate MMC operations or extensions loading these libraries
level: medium
Convert to SIEM query
medium
Moderate
High FP
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
view Sigma YAML
title: MSExchange Transport Agent Installation
id: 83809e84-4475-4b69-bc3e-4aad8568612f
related:
- id: 83809e84-4475-4b69-bc3e-4aad8568612f
type: similar
status: test
description: Detects the Installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1505.002
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
view Sigma YAML
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
- https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020-10-23
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.014
logsource:
category: file_event
product: macos
detection:
selection_1:
TargetFilename|contains: '/etc/emond.d/rules/'
TargetFilename|endswith: '.plist'
selection_2:
TargetFilename|contains: '/private/var/db/emondClients/'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Strong
Medium FP
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
view Sigma YAML
title: MacOS Scripting Interpreter AppleScript
id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
- https://redcanary.com/blog/applescript/
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2026-05-21
tags:
- attack.execution
- attack.t1059.002
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/osascript'
CommandLine|contains:
- ' -e '
- '.scpt'
- '.js'
filter_optional_opencode:
# OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
ParentImage|endswith: 'opencode'
CommandLine|contains|all:
- 'osascript'
- ' -e '
- 'set imageData to the clipboard'
- 'set fileRef'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Application installers might contain scripts as part of the installation process.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
This option may be used adversaries to execute malicious code by signed verified binary.
The debugger is installed alongside with Microsoft Visual Studio package.
view Sigma YAML
title: Malicious PE Execution by Microsoft Visual Studio Debugger
id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
status: test
description: |
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger.
This option may be used adversaries to execute malicious code by signed verified binary.
The debugger is installed alongside with Microsoft Visual Studio package.
references:
- https://twitter.com/pabraeken/status/990758590020452353
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/
- https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
date: 2020-10-14
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\vsjitdebugger.exe'
reduction1:
Image|endswith: '\vsimmersiveactivatehelper*.exe'
reduction2:
Image|endswith: '\devenv.exe'
condition: selection and not (reduction1 or reduction2)
falsepositives:
- The process spawned by vsjitdebugger.exe is uncommon.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Manual Execution of Script Inside of a Compressed File
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
1. Compressed file opened using 7zip.
2. Compressed file opened using WinRar.
3. Compressed file opened using native windows File Explorer capabilities.
When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
view Sigma YAML
title: Manual Execution of Script Inside of a Compressed File
id: 95724fc1-a258-4674-97db-a30351981c5a
status: test
description: |
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios.
1. Compressed file opened using 7zip.
2. Compressed file opened using WinRar.
3. Compressed file opened using native windows File Explorer capabilities.
When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
references:
- https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a
- https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
author: '@kostastsale'
date: 2023-02-15
modified: 2024-08-13
tags:
- attack.execution
- attack.t1059
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_parent_7zip:
ParentImage|endswith: '\7z*.exe'
CommandLine|contains: '\AppData\local\temp\7z*\'
selection_parent_winrar:
ParentImage|endswith: '\winrar.exe'
CommandLine|contains: '\AppData\local\temp\rar*\'
selection_parent_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains:
- '\AppData\local\temp\*.rar\'
- '\AppData\local\temp\*.zip\'
selection_child:
Image|endswith:
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
CommandLine|endswith:
- '.hta'
- '.js'
- '.jse'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- Batch files may produce a lot of noise, as many applications appear to bundle them as part of their installation process. You should baseline your environment and generate a new query excluding the noisy and expected activity. Some false positives may come up depending on your environment. All results should be investigated thoroughly before filtering out results.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
view Sigma YAML
title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
- id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
- https://www.mandiant.com/resources/blog/lnk-between-browsers
- https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\excel.exe'
ImageLoaded|contains:
# Note: Add or remove locations from this list based on your internal policy
- '\Desktop\'
- '\Downloads\'
- '\Perflogs\'
- '\Temp\'
- '\Users\Public\'
- '\Windows\Tasks\'
ImageLoaded|endswith: '.xll'
condition: selection
falsepositives:
- Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Microsoft Office Trusted Location Updated
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
view Sigma YAML
title: Microsoft Office Trusted Location Updated
id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
related:
- id: f742bde7-9528-42e5-bd82-84f51a8387d2
type: similar
status: test
description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.threat-hunting
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_*
falsepositives:
- During office installations or setup, trusted locations are added, which will trigger this rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
view Sigma YAML
title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1218
- attack.execution
logsource:
product: windows
category: network_connection
detection:
selection:
Image|endswith: '\mobsync.exe'
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
view Sigma YAML
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
ImageLoaded|endswith: '\outlvba.dll'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
view Sigma YAML
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
- https://blogs.blackberry.com/
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1564
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/mount'
CommandLine|contains|all:
- 'hidepid=2'
- ' -o '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as parameter
view Sigma YAML
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
- id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
- attack.stealth
- attack.t1218.007
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' msiexec'
- '://'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
view Sigma YAML
title: Msxsl.EXE Execution
id: 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0
status: test
description: |
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1220
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msxsl.exe'
condition: selection
falsepositives:
- Msxsl is not installed by default and is deprecated, so unlikely on most systems.
# Note: If you levreage this utility please consider adding additional filters. As this is looking for "any" type of execition
level: medium
Convert to SIEM query
medium
Moderate
High FP
New BgInfo.EXE Custom DB Path Registry Configuration
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
view Sigma YAML
title: New BgInfo.EXE Custom DB Path Registry Configuration
id: 53330955-dc52-487f-a3a2-da24dcff99b5
status: test
description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Software\Winternals\BGInfo\Database'
condition: selection
falsepositives:
- Legitimate use of external DB to save the results
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New BgInfo.EXE Custom VBScript Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
view Sigma YAML
title: New BgInfo.EXE Custom VBScript Registry Configuration
id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
related:
- id: cd277474-5c52-4423-a52b-ac2d7969902f
type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
Details|startswith: '4' # WMI
condition: selection
falsepositives:
- Legitimate VBScript
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New BgInfo.EXE Custom WMI Query Registry Configuration
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
view Sigma YAML
title: New BgInfo.EXE Custom WMI Query Registry Configuration
id: cd277474-5c52-4423-a52b-ac2d7969902f
related:
- id: 992dd79f-dde8-4bb0-9085-6350ba97cfb3
type: similar
status: test
description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Winternals\BGInfo\UserFields\'
Details|startswith: '6' # WMI
condition: selection
falsepositives:
- Legitimate WMI query
level: medium
Convert to SIEM query
medium
Moderate
High FP
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
view Sigma YAML
title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
- https://liberty-shell.com/sec/2020/02/25/shim-persistence/
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- ':\Windows\apppatch\Custom\'
- ':\Windows\apppatch\CustomSDB\'
condition: selection
falsepositives:
- Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
Convert to SIEM query
medium
Moderate
High FP
New File Exclusion Added To Time Machine Via Tmutil - MacOS
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
view Sigma YAML
title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
id: 9acf45ed-3a26-4062-bf08-56857613eb52
status: test
description: |
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine
- https://www.loobins.io/binaries/tmutil/
author: Pratinav Chandra
date: 2024-05-29
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: macos
detection:
selection_img:
- Image|endswith: '/tmutil'
- CommandLine|contains: 'tmutil'
selection_cmd:
CommandLine|contains: 'addexclusion'
condition: all of selection_*
falsepositives:
- Legitimate administrator activity
level: medium
Convert to SIEM query
medium
Strong
Medium FP
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
view Sigma YAML
title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel"
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains:
- 'create'
- 'config'
CommandLine|contains|all:
- 'binPath'
- 'type'
- 'kernel'
filter_optional_avira_driver:
- CommandLine|contains|all:
- 'create netprotection_network_filter'
- 'type= kernel start= '
- 'binPath= System32\drivers\netprotection_network_filter'
- 'DisplayName= netprotection_network_filter'
- 'group= PNP_TDI tag= yes'
- CommandLine|contains|all:
- 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
- 'type=kernel start=boot error=critical group=Early-Launch'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Rare legitimate installation of kernel drivers via sc.exe
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
view Sigma YAML
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
- id: 117d3d3a-755c-4a61-b23e-9171146d094c
type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.command-and-control
- attack.t1137
- attack.t1008
- attack.t1546
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinely creates a VB Macro for their email
level: medium
Convert to SIEM query
medium
Moderate
High FP
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
view Sigma YAML
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
- attack.lateral-movement
- attack.command-and-control
- attack.t1090
logsource:
category: registry_event
product: windows
detection:
selection:
# Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
condition: selection
falsepositives:
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
- Synergy Software KVM (https://symless.com/synergy)
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
view Sigma YAML
title: New Root or CA or AuthRoot Certificate to Store
id: d223b46b-5621-4037-88fe-fda32eead684
status: test
description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
author: frack113
date: 2022-04-04
modified: 2023-08-17
tags:
- attack.impact
- attack.t1490
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
- '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
- '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
TargetObject|endswith: '\Blob'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Node Process Executions
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
view Sigma YAML
title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
- https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
filter:
CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Nohup Execution
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
view Sigma YAML
title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
- https://gtfobins.github.io/gtfobins/nohup/
- https://en.wikipedia.org/wiki/Nohup
- https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/nohup'
condition: selection
falsepositives:
- Administrators or installed processes that leverage nohup
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
view Sigma YAML
title: Obfuscated IP Download Activity
id: cb5a2333-56cf-4562-8fcb-22ba1bca728d
status: test
description: Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
- https://twitter.com/fr0s7_/status/1712780207105404948
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_command:
CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'Invoke-RestMethod'
- 'irm '
- 'wget '
- 'curl '
- 'DownloadFile'
- 'DownloadString'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_command and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
view Sigma YAML
title: Obfuscated IP Via CLI
id: 56d19cb4-6414-4769-9644-1ed35ffbb148
status: test
description: Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
references:
- https://h.43z.one/ipconverter/
- https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-08-03
modified: 2026-03-16
tags:
- attack.discovery
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\ping.exe'
- '\arp.exe'
selection_ip_1:
CommandLine|contains:
- ' 0x'
- '//0x'
- '.0x'
- '.00x'
selection_ip_2:
CommandLine|contains|all:
- 'http://%'
- '%2e'
selection_ip_3:
# http://81.4.31754
- CommandLine|re: 'https?://[0-9]{1,3}\.[0-9]{1,3}\.0[0-9]{3,4}'
# http://81.293898
- CommandLine|re: 'https?://[0-9]{1,3}\.0[0-9]{3,7}'
# http://1359248394
- CommandLine|re: 'https?://0[0-9]{3,11}'
# http://0121.04.0174.012
- CommandLine|re: 'https?://(?:0[0-9]{1,11}\.){3}0[0-9]{1,11}'
# http://012101076012
- CommandLine|re: 'https?://0[0-9]{1,11}'
# For octal format
- CommandLine|re: ' [0-7]{7,13}'
filter_main_valid_ip:
CommandLine|re: 'https?://(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9])?\d)(?:\.|\b)){4}'
condition: selection_img and 1 of selection_ip_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
view Sigma YAML
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
- https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
- attack.persistence
- attack.t1137.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Old TLS1.0/TLS1.1 Protocol Version Enabled
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
view Sigma YAML
title: Old TLS1.0/TLS1.1 Protocol Version Enabled
id: 439957a7-ad86-4a8f-9705-a28131c6821b
status: test
description: Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
references:
- https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\'
- '\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\'
TargetObject|endswith: '\Enabled'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Legitimate enabling of the old tls versions due to incompatibility
level: medium
Convert to SIEM query
medium
Strong
Medium FP
OneNote Attachment File Dropped In Suspicious Location
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
view Sigma YAML
title: OneNote Attachment File Dropped In Suspicious Location
id: 7fd164ba-126a-4d9c-9392-0d4f7c243df0
status: test
description: Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-09-19
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
# Note: add more common locations for drops such as download folders and the like. Or baseline legitimate locations and alert on everything else
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
- ':\Temp\'
TargetFilename|endswith:
- '.one'
- '.onepkg'
filter_main_onenote:
Image|contains: ':\Program Files\Microsoft Office\'
Image|endswith: '\ONENOTE.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate usage of ".one" or ".onepkg" files from those locations
level: medium
Convert to SIEM query
Showing 151-200 of 559