Home/Detection rules/Palo Alto Cortex XDR
Tool
EDR / XDR

Palo Alto Cortex XDR

559 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB) Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Severity critical high medium low all severities Export CSV Export .zip
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.

Detection rules

50 shown of 559
medium Moderate Medium FP
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path = "C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe" and 
 action_module_path = "C:\$SysReset\Framework\Stack\RjvPlatform.dll"))
view Sigma YAML 
title: Potential RjvPlatform.DLL Sideloading From Default Location
id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
status: test
description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
references:
    - https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe'
        ImageLoaded: 'C:\$SysReset\Framework\Stack\RjvPlatform.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
status test author X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id f64c9b2d-b0ad-481d-9d03-7fc75020892a
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path in ("*\roboform.dll", "*\roboform-x64.dll")) and 
 (not 
 ((actor_process_image_path in (" C:\Program Files (x86)\Siber Systems\AI RoboForm\*", " C:\Program Files\Siber Systems\AI RoboForm\*")) and 
 (actor_process_image_path in ("*\robotaskbaricon.exe", "*\robotaskbaricon-x64.exe"))))))
view Sigma YAML 
title: Potential RoboForm.DLL Sideloading
id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
status: test
description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
references:
    - https://twitter.com/StopMalvertisin/status/1648604148848549888
    - https://twitter.com/t3ft3lb/status/1656194831830401024
    - https://www.roboform.com/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\roboform.dll'
            - '\roboform-x64.dll'
    filter_main_path:
        Image|startswith:
            - ' C:\Program Files (x86)\Siber Systems\AI RoboForm\'
            - ' C:\Program Files\Siber Systems\AI RoboForm\'
        Image|endswith:
            - '\robotaskbaricon.exe'
            - '\robotaskbaricon-x64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
level: medium
Convert to SIEM query
medium Moderate High FP
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
status test author @d4ns4n_ ATT&CK tactic-only id b8bdac18-c06e-4016-ac30-221553e74f59
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "ruby" and 
 (action_process_image_command_line contains " -e" and 
 action_process_image_command_line contains "rsocket" and 
 action_process_image_command_line contains "TCPSocket") and 
 (action_process_image_command_line in ("* ash*", "* bash*", "* bsh*", "* csh*", "* ksh*", "* pdksh*", "* sh*", "* tcsh*"))))
view Sigma YAML 
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'ruby'
        CommandLine|contains|all:
            - ' -e'
            - 'rsocket'
            - 'TCPSocket'
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
status experimental author Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 86a7c91f-98c3-4f14-a58d-d989421e1234
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work*", "*\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root*")) and 
 (action_file_name in ("*.jsp", "*.java", "*.class"))))
view Sigma YAML 
title: Potential SAP NetWeaver Webshell Creation
id: 86a7c91f-98c3-4f14-a58d-d989421e1234
status: experimental
description: |
    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|contains:
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
            - '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
    selection_ext:
        TargetFilename|endswith:
            - '.jsp'
            - '.java'
            - '.class'
    condition: all of selection_*
falsepositives:
    - Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium Moderate High FP
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
status experimental author Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 5b91409c-cb18-4ab6-ac75-c5759f998409
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_file_name in ("*/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/*", "*/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/*")) and 
 (action_file_name in ("*.jsp", "*.java", "*.class"))))
view Sigma YAML 
title: Potential SAP NetWeaver Webshell Creation - Linux
id: 5b91409c-cb18-4ab6-ac75-c5759f998409
status: experimental
description: |
    Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
    which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
    - https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
    - https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
    - attack.execution
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1059.003
    - cve.2025-31324
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection_path:
        TargetFilename|contains:
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/'
            - '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/'
    selection_ext:
        TargetFilename|endswith:
            - '.jsp'
            - '.java'
            - '.class'
    condition: all of selection_*
falsepositives:
    - Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
status test author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 ATT&CK technique id 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\powershell.exe", "*\pwsh.exe")) and 
 action_process_image_path contains "\powershell.exe" and 
 action_process_image_command_line contains " -nologo -windowstyle minimized -file ") and 
 (action_process_image_command_line in ("*\AppData\Local\Temp\*", "*\Windows\Temp\*"))))
view Sigma YAML 
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        ParentImage|endswith:
            # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains: ' -nologo -windowstyle minimized -file '
    selection_temp:
        # Note: Since the function uses "env:temp" the value will change depending on the context of exec
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 6c304b02-06e6-402d-8be4-d5833cdf8198
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\shell\SentinelOneScan\command\" and 
 (not 
 ((((action_registry_value_name in ("C:\Program Files\SentinelOne\Sentinel Agent*", "C:\Program Files (x86)\SentinelOne\Sentinel Agent*")) or 
 (action_registry_data in ("C:\Program Files\SentinelOne\Sentinel Agent*", "C:\Program Files (x86)\SentinelOne\Sentinel Agent*"))) and 
 (action_registry_value_name contains "\SentinelScanFromContextMenu.exe" or 
 action_registry_data contains "\SentinelScanFromContextMenu.exe")) or 
 (actor_process_image_path in ("*C:\Program Files\SentinelOne\", "*C:\Program Files (x86)\SentinelOne\"))))))
view Sigma YAML 
title: Potential SentinelOne Shell Context Menu Scan Command Tampering
id: 6c304b02-06e6-402d-8be4-d5833cdf8198
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
    - https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\SentinelOneScan\command\'
    filter_main_sentinelone_default_scan_binary:
        Details|startswith:
            - 'C:\Program Files\SentinelOne\Sentinel Agent'
            - 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
        Details|contains: '\SentinelScanFromContextMenu.exe'
    filter_main_sentinelone_binary:
        Image|endswith:
            - 'C:\Program Files\SentinelOne\'
            - 'C:\Program Files (x86)\SentinelOne\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id 844f8eb2-610b-42c8-89a4-47596e089663
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\ShellDispatch.dll" and 
 (not 
 ((action_module_path contains ":\Users\" and 
 action_module_path contains "\AppData\Local\Temp\") or 
 action_module_path contains ":\Windows\Temp\"))))
view Sigma YAML 
title: Potential ShellDispatch.DLL Sideloading
id: 844f8eb2-610b-42c8-89a4-47596e089663
status: test
description: Detects potential DLL sideloading of "ShellDispatch.dll"
references:
    - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\ShellDispatch.dll'
    filter_main_legit_path:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\AppData\Local\Temp\'
        - ImageLoaded|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some installers may trigger some false positives
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potential SolidPDFCreator.DLL Sideloading
Detects potential DLL sideloading of "SolidPDFCreator.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id a2edbce1-95c8-4291-8676-0d45146862b3
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\SolidPDFCreator.dll" and 
 (not 
 (actor_process_image_path contains "\SolidPDFCreator.exe" and 
 (action_module_path in ("C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\*", "C:\Program Files\SolidDocuments\SolidPDFCreator\*"))))))
view Sigma YAML 
title: Potential SolidPDFCreator.DLL Sideloading
id: a2edbce1-95c8-4291-8676-0d45146862b3
status: test
description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
references:
    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: X__Junior (Nextron Systems)
date: 2023-05-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\SolidPDFCreator.dll'
    filter_main_path:
        Image|endswith: '\SolidPDFCreator.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\'
            - 'C:\Program Files\SolidDocuments\SolidPDFCreator\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
status test author Joseph Kamau ATT&CK sub-technique id 1193d960-2369-499f-a158-7b50a31df682
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*Acrobat Reader*", "*Microsoft Office*", "*PDF Reader*")) and 
 (action_process_image_path in ("*\brave.exe", "*\chrome.exe", "*\firefox.exe", "*\msedge.exe", "*\opera.exe", "*\maxthon.exe", "*\seamonkey.exe", "*\vivaldi.exe")) and 
 action_process_image_command_line contains "http") and 
 (not 
 action_process_image_command_line contains "https://go.microsoft.com/fwlink/") and 
 (not 
 (action_process_image_command_line in ("*http://ad.foxitsoftware.com/adlog.php**", "*https://globe-map.foxitservice.com/go.php*do=redirect*")))))
view Sigma YAML 
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
    Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Acrobat Reader'
            - 'Microsoft Office'
            - 'PDF Reader'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
        CommandLine|contains: 'http'
    filter_main_microsoft_help:
        CommandLine|contains: 'https://go.microsoft.com/fwlink/'
    filter_optional_foxit:
        CommandLine|contains:
            - 'http://ad.foxitsoftware.com/adlog.php?'
            - 'https://globe-map.foxitservice.com/go.php?do=redirect'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system. These files include, but are not limited to, system configuration files, authentication files, and critical application files. Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
status test author @d4ns4n_ (Wuerth-Phoenix) ATT&CK sub-technique id 86157017-c2b1-4d4a-8c33-93b8e67e4af4
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((((action_process_image_path in ("*/cat", "*/echo", "*/grep", "*/head", "*/more", "*/tail")) and 
 action_process_image_command_line contains ">") or 
 (action_process_image_path in ("*/emacs", "*/nano", "*/sed", "*/vi", "*/vim"))) and 
 (action_process_image_command_line in ("*/bin/login*", "*/bin/passwd*", "*/boot/*", "*/etc/*.conf*", "*/etc/cron.*", "*/etc/crontab*", "*/etc/hosts*", "*/etc/init.d*", "*/etc/sudoers*", "*/opt/bin/*", "*/sbin*", "*/usr/bin/*", "*/usr/local/bin/*")) and 
 (not 
 (action_process_image_path contains "/bin/sed" and 
 (action_process_image_command_line in ("sed -i /^*", "sed -ne s/^*")) and 
 action_process_image_command_line contains "/etc/mdadm/mdadm.conf"))))
view Sigma YAML 
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
    Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
    These files include, but are not limited to, system configuration files, authentication files, and critical application files.
    Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
    - attack.impact
    - attack.t1565.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img_1:
        Image|endswith:
            - '/cat'
            - '/echo'
            - '/grep'
            - '/head'
            - '/more'
            - '/tail'
        CommandLine|contains: '>'
    selection_img_2:
        Image|endswith:
            - '/emacs'
            - '/nano'
            - '/sed'
            - '/vi'
            - '/vim'
    selection_paths:
        CommandLine|contains:
            - '/bin/login'
            - '/bin/passwd'
            - '/boot/'
            - '/etc/*.conf'
            - '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
            - '/etc/crontab'
            - '/etc/hosts'
            - '/etc/init.d'
            - '/etc/sudoers'
            - '/opt/bin/'
            - '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
            - '/usr/bin/'
            - '/usr/local/bin/'
    filter_main_mdadm.conf:
        Image|endswith: '/bin/sed'
        CommandLine|startswith:
            - 'sed -i /^*'
            - 'sed -ne s/^'
        CommandLine|endswith: '/etc/mdadm/mdadm.conf'
    condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
Convert to SIEM query
medium Moderate High FP
Potential Suspicious PowerShell Module File Created
Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id e8a52bbd-bced-459f-bd93-64db45ce7657
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name in ("*\WindowsPowerShell\Modules\*\.ps", "*\WindowsPowerShell\Modules\*\.dll")))
view Sigma YAML 
title: Potential Suspicious PowerShell Module File Created
id: e8a52bbd-bced-459f-bd93-64db45ce7657
status: test
description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
            - '\\WindowsPowerShell\\Modules\\*\.ps'
            - '\\WindowsPowerShell\\Modules\\*\.dll'
    condition: selection
falsepositives:
    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
level: medium
Convert to SIEM query
medium Strong High FP
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id c740d4cf-a1e9-41de-bb16-8a46a4f57918
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "Enable-WindowsOptionalFeature" and 
 action_process_image_command_line contains "-Online" and 
 action_process_image_command_line contains "-FeatureName") and 
 (action_process_image_command_line in ("*TelnetServer*", "*Internet-Explorer-Optional-amd64*", "*TFTP*", "*SMB1Protocol*", "*Client-ProjFS*", "*Microsoft-Windows-Subsystem-Linux*"))))
view Sigma YAML 
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
    - id: 55c925c1-7195-426b-a136-a9396800e29b
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features that you don't use in your environment
        CommandLine|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potential UAC Bypass Via Sdclt.EXE
A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) ATT&CK sub-technique id 40f9af16-589d-4984-b78d-8c2aec023197
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path contains "sdclt.exe" and 
 (action_process_integrity_level in ("High", "S-1-16-12288"))))
view Sigma YAML 
title: Potential UAC Bypass Via Sdclt.EXE
id: 40f9af16-589d-4984-b78d-8c2aec023197
status: test
description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/6
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'sdclt.exe'
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potential Vivaldi_elf.DLL Sideloading
Detects potential DLL sideloading of "vivaldi_elf.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id 2092cacb-d77b-4f98-ab0d-32b32f99a054
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\vivaldi_elf.dll" and 
 (not 
 (actor_process_image_path contains "\Vivaldi\Application\vivaldi.exe" and 
 action_module_path contains "\Vivaldi\Application\"))))
view Sigma YAML 
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: test
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vivaldi_elf.dll'
    filter_main_legit_path:
        Image|endswith: '\Vivaldi\Application\vivaldi.exe'
        ImageLoaded|contains: '\Vivaldi\Application\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id e2e01011-5910-4267-9c3b-4149ed5479cf
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_module_path contains "\wwlib.dll" and 
 (not 
 ((actor_process_image_path in ("C:\Program Files (x86)\Microsoft Office\*", "C:\Program Files\Microsoft Office\*")) and 
 actor_process_image_path contains "\winword.exe" and 
 (action_module_path in ("C:\Program Files (x86)\Microsoft Office\*", "C:\Program Files\Microsoft Office\*"))))))
view Sigma YAML 
title: Potential WWlib.DLL Sideloading
id: e2e01011-5910-4267-9c3b-4149ed5479cf
status: test
description: Detects potential DLL sideloading of "wwlib.dll"
references:
    - https://twitter.com/WhichbufferArda/status/1658829954182774784
    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
    - https://securelist.com/apt-luminousmoth/103332/
author: X__Junior (Nextron Systems)
date: 2023-05-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\wwlib.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
        Image|endswith: '\winword.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
status test author X__Junior (Nextron Systems) ATT&CK sub-technique id db77ce78-7e28-4188-9337-cf30e2b3ba9f
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path in ("*\libwazuhshared.dll", "*\libwinpthread-1.dll")) and 
 (not 
 (action_module_path in ("C:\Program Files\*", "C:\Program Files (x86)\*"))) and 
 (not 
 ((action_module_path in ("*\AppData\Local\*", "*\ProgramData\*")) and 
 action_module_path contains "\mingw64\bin\libwinpthread-1.dll"))))
view Sigma YAML 
title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: test
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\libwazuhshared.dll'
            - '\libwinpthread-1.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_mingw64:
        # Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll"
        # In production its best to make a list of these apps and replace this filter with a specific one.
        ImageLoaded|contains:
            - '\AppData\Local\'
            - '\ProgramData\'
        ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
status test author Beyu Denis, oscd.community, Tim Shelton, Thurein Oo ATT&CK sub-technique id 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_file_name contains "\inetpub\wwwroot\" and 
 (action_file_name in ("*.ashx*", "*.asp*", "*.ph*", "*.soap*"))) or 
 ((action_file_name in ("*\www\*", "*\htdocs\*", "*\html\*")) and 
 action_file_name contains ".ph")) and 
 (not 
 ((action_file_name in ("*\AppData\Local\Temp\*", "*\Windows\Temp\*")) or 
 actor_process_image_path = "System" or 
 action_file_name contains "\xampp"))))
view Sigma YAML 
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
Convert to SIEM query
medium Strong Medium FP
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
status test author Tim Rauch (rule), Elastic (idea) ATT&CK tactic-only id 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_MAC and 
 (((actor_process_image_path contains "/bash" and 
 action_process_image_path contains "/curl" and 
 (action_process_image_command_line in ("*/sys/log.php*", "*/sys/prepod.php*", "*/sys/bin/Pods*"))) and 
 action_process_image_command_line contains "https://") or 
 ((actor_process_image_path contains "/bash" and 
 action_process_image_path contains "/osacompile" and 
 (action_process_image_command_line contains "/Users/" and 
 action_process_image_command_line contains "/Library/Group Containers/")) or 
 (actor_process_image_path contains "/bash" and 
 action_process_image_path contains "/plutil" and 
 (action_process_image_command_line contains "LSUIElement" and 
 action_process_image_command_line contains "/Users/" and 
 action_process_image_command_line contains "/Library/Group Containers/")) or 
 (action_process_image_path contains "/zip" and 
 (action_process_image_command_line contains "-r" and 
 action_process_image_command_line contains "/Users/" and 
 action_process_image_command_line contains "/Library/Group Containers/")))))
view Sigma YAML 
title: Potential XCSSET Malware Infection
id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
status: test
description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1_curl:
        ParentImage|endswith: '/bash'
        Image|endswith: '/curl'
        CommandLine|contains:
            - '/sys/log.php'
            - '/sys/prepod.php'
            - '/sys/bin/Pods'
    selection_1_https:
        CommandLine|contains: 'https://'
    selection_other_1:
        ParentImage|endswith: '/bash'
        Image|endswith: '/osacompile'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_2:
        ParentImage|endswith: '/bash'
        Image|endswith: '/plutil'
        CommandLine|contains|all:
            - 'LSUIElement'
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_3:
        Image|endswith: '/zip'
        CommandLine|contains|all:
            - '-r'
            - '/Users/'
            - '/Library/Group Containers/'
    condition: all of selection_1_* or 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
status test author @d4ns4n_ ATT&CK technique id 4e25af4b-246d-44ea-8563-e42aacab006b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "xterm" and 
 action_process_image_command_line contains "-display" and 
 action_process_image_command_line contains ":1"))
view Sigma YAML 
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
status test author Isaac Dunham ATT&CK sub-technique id 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
cortex_xdr query
config case_sensitive = false | preset=network_story | filter event_type = ENUM.NETWORK and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_external_hostname contains "azurefd.net" and 
 (not 
 ((actor_process_image_path in ("*brave.exe", "*chrome.exe", "*chromium.exe", "*firefox.exe", "*msedge.exe", "*msedgewebview2.exe", "*opera.exe", "*vivaldi.exe")) or 
 actor_process_image_path contains "searchapp.exe" or 
 (action_external_hostname in ("*afdxtest.z01.azurefd.net*", "*fp-afd.azurefd.net*", "*fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net*", "*roxy.azurefd.net*", "*powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net*", "*storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net*", "*graph.azurefd.net*"))))))
view Sigma YAML 
title: Potentially Suspicious Azure Front Door Connection
id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
status: test
description: |
    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
references:
    - https://lots-project.com/site/2a2e617a75726566642e6e6574
    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
author: Isaac Dunham
date: 2024-11-07
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1090.004
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'azurefd.net'
    filter_main_web_browsers:
        Image|endswith:
            - 'brave.exe'
            - 'chrome.exe'
            - 'chromium.exe'
            - 'firefox.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'opera.exe'
            - 'vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: 'searchapp.exe' # Windows search service uses signifcant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|contains:
            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
    - Organization-specific Azure Front Door endpoints
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
status test author Bhabesh Raj, X__Junior (Nextron Systems) ATT&CK technique id 9f107a84-532c-41af-b005-8d12a607639f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\expand.exe" and 
 (action_process_image_command_line contains "-F:" or 
 action_process_image_command_line contains "/F:" or 
 action_process_image_command_line contains "–F:" or 
 action_process_image_command_line contains "—F:" or 
 action_process_image_command_line contains "―F:")) and 
 ((action_process_image_command_line in ("*:\Perflogs\*", "*:\ProgramData*", "*:\Users\Public\*", "*:\Windows\Temp\*", "*\Admin$\*", "*\AppData\Local\Temp\*", "*\AppData\Roaming\*", "*\C$\*", "*\Temporary Internet*")) or 
 ((action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Favorites\") or 
 (action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Favourites\") or 
 (action_process_image_command_line contains ":\Users\" and 
 action_process_image_command_line contains "\Contacts\"))) and 
 (not 
 (actor_process_image_path = "C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe" and 
 action_process_image_command_line contains "C:\ProgramData\Dell\UpdateService\Temp\"))))
view Sigma YAML 
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator Usage
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 67bc0e75-c0a9-4cfc-8754-84a505b63c04
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\AppData\Local\Apps\2.0\" and 
 (action_process_image_path in ("*\calc.exe", "*\cmd.exe", "*\cscript.exe", "*\explorer.exe", "*\mshta.exe", "*\net.exe", "*\net1.exe", "*\nltest.exe", "*\notepad.exe", "*\powershell.exe", "*\pwsh.exe", "*\reg.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\schtasks.exe", "*\werfault.exe", "*\wscript.exe"))))
view Sigma YAML 
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\diskshadow.exe" and 
 (action_process_image_path in ("*\certutil.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\wscript.exe"))))
view Sigma YAML 
title: Potentially Suspicious Child Process Of DiskShadow.EXE
id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
related:
    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
      type: similar
    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\diskshadow.exe'
        Image|endswith:
            # Note: add or remove additional binaries according to your org needs
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - False postitve can occur in cases where admin scripts levreage the "exec" flag to execute applications
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 5a3164f2-b373-4152-93cf-090b13c12d27
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\code.exe" and 
 ((action_process_image_path in ("*\calc.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\cscript.exe", "*\wscript.exe")) or 
 ((action_process_image_path in ("*\powershell.exe", "*\pwsh.exe", "*\cmd.exe")) and 
 (action_process_image_command_line in ("*Invoke-Expressions*", "*IEX*", "*Invoke-Command*", "*ICM*", "*DownloadString*", "*rundll32*", "*regsvr32*", "*wscript*", "*cscript*"))) or 
 (action_process_image_path in ("*:\Users\Public\*", "*:\Windows\Temp\*", "*:\Temp\*")))))
view Sigma YAML 
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expressions'
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
status test author @SerkinValery ATT&CK technique id d2eb17db-1d39-41dc-b57f-301f6512fa75
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*\Microsoft\Teams\Cookies*", "*\Microsoft\Teams\Local Storage\leveldb*")) and 
 (not 
 action_process_image_path contains "\Microsoft\Teams\current\Teams.exe")))
view Sigma YAML 
title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe")) and 
 (action_file_name in ("*.dmp", "*.dump", "*.hdmp"))))
view Sigma YAML 
title: Potentially Suspicious DMP/HDMP File Creation
id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
related:
    - id: 3a525307-d100-48ae-b3b9-0964699d7f97
      type: similar
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: selection
falsepositives:
    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
status test author Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) ATT&CK sub-technique id 85b88e05-dadc-430b-8a9e-53ff1cd30aae
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name in ("*Control Panel\Desktop*", "*CurrentVersion\Policies\ActiveDesktop*", "*CurrentVersion\Policies\System*")) and 
 ((action_registry_key_name contains "NoChangingWallpaper" and 
 (action_registry_value_name = "DWORD (0x00000001)" or 
 action_registry_data = "DWORD (0x00000001)")) or 
 action_registry_key_name contains "\Wallpaper" or 
 (action_registry_key_name contains "\WallpaperStyle" and 
 (action_registry_value_name = "2" or 
 action_registry_data = "2"))) and 
 (not 
 (actor_process_image_path contains "\svchost.exe" or 
 (action_registry_key_name contains "\Control Panel\Desktop\Wallpaper" and 
 (action_registry_value_name = "(Empty)" or 
 action_registry_data = "(Empty)")) or 
 actor_process_image_path contains "C:\Windows\Explorer.EXE")) and 
 (not 
 ((actor_process_image_path in ("C:\Program Files\Amazon\EC2Launch\EC2Launch.exe", "C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe")) and 
 action_registry_key_name contains "\Control Panel\Desktop\Wallpaper"))))
view Sigma YAML 
title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
      type: similar
status: test
description: |
    Detects registry value settings that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK technique id 312b42b1-bded-4441-8b58-163a3af58775
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/tmp/" and 
 (not 
 action_process_image_path contains "/usr/bin/nextcloud")))
view Sigma YAML 
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|startswith: '/tmp/'
    filter_optional_nextcloud:
        Image|endswith: '/usr/bin/nextcloud'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\PDQDeployRunner-" and 
 ((action_process_image_path in ("*\bash.exe", "*\certutil.exe", "*\cmd.exe", "*\csc.exe", "*\cscript.exe", "*\dllhost.exe", "*\mshta.exe", "*\msiexec.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\scriptrunner.exe", "*\wmic.exe", "*\wscript.exe", "*\wsl.exe")) or 
 (action_process_image_path in ("*:\ProgramData\*", "*:\Users\Public\*", "*:\Windows\TEMP\*", "*\AppData\Local\Temp*")) or 
 (action_process_image_command_line in ("* -decode *", "* -enc *", "* -encodedcommand *", "* -w hidden*", "*DownloadString*", "*FromBase64String*", "*http*", "*iex *", "*Invoke-*")))))
view Sigma YAML 
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
              # If you use any of the following processes legitimately comment them out
              - '\bash.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\csc.exe'
              - '\cscript.exe'
              - '\dllhost.exe'
              - '\mshta.exe'
              - '\msiexec.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\scriptrunner.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wsl.exe'
        - Image|contains:
              - ':\ProgramData\'
              - ':\Users\Public\'
              - ':\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - ' -decode '
              - ' -enc '
              - ' -encodedcommand '
              - ' -w hidden'
              - 'DownloadString'
              - 'FromBase64String'
              - 'http'
              - 'iex '
              - 'Invoke-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
status experimental author @kostastsale ATT&CK technique id 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\COMODO\Endpoint Manager\ITSMService.exe" and 
 (action_file_name in ("*.7z", "*.bat", "*.cmd", "*.com", "*.dll", "*.exe", "*.hta", "*.js", "*.pif", "*.ps1", "*.rar", "*.scr", "*.vbe", "*.vbs", "*.zip"))))
view Sigma YAML 
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
status test author Nasreddine Bencherchali (Nextron Systems), kagebunsher ATT&CK sub-technique id 6d3a3952-6530-44a3-8554-cf17c116c615
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*find *", "*find.exe*", "*findstr*", "*select-string *", "*strings*")) and 
 (action_process_image_command_line in ("*eyJ0eXAiOi*", "*eyJhbGciOi*", "* eyJ0eX*", "* \"eyJ0eX\"*", "* 'eyJ0eX'*", "* eyJhbG*", "* \"eyJhbG\"*", "* 'eyJhbG'*"))))
view Sigma YAML 
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/mkfifo" and 
 action_process_image_command_line contains " /tmp/"))
view Sigma YAML 
title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
      type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
        # Note: Add more potentially suspicious locations
        CommandLine|contains: ' /tmp/'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
status test author Florian Roth (Nextron Systems), Tim Shelton ATT&CK sub-technique id e4b6d2a7-d8a4-4f19-acbd-943c16d90647
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\powershell_ise.exe", "*\powershell.exe", "*\pwsh.exe")) and 
 (action_process_image_path in ("*\bash.exe", "*\bitsadmin.exe", "*\certutil.exe", "*\cscript.exe", "*\forfiles.exe", "*\hh.exe", "*\mshta.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\schtasks.exe", "*\scrcons.exe", "*\scriptrunner.exe", "*\sh.exe", "*\wmic.exe", "*\wscript.exe"))) and 
 (not 
 ((action_process_image_path contains "\certutil.exe" and 
 action_process_image_command_line contains "-verifystore ") or 
 (action_process_image_path contains "\wmic.exe" and 
 (action_process_image_command_line in ("*qfe list*", "*diskdrive *", "*csproduct *", "*computersystem *", "* os *", "*"))))) and 
 (not 
 (actor_process_command_line contains "\Program Files\Amazon\WorkspacesConfig\Scripts\" and 
 action_process_image_command_line contains "\Program Files\Amazon\WorkspacesConfig\Scripts\"))))
view Sigma YAML 
title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: test
description: |
    Detects potentially suspicious child processes spawned by PowerShell.
    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
references:
    - https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022-04-26
modified: 2024-07-16
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
    filter_main_certutil_verify_store:
        Image|endswith: '\certutil.exe'
        CommandLine|contains: '-verifystore '
    filter_main_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'qfe list'
            - 'diskdrive '
            - 'csproduct '
            - 'computersystem '
            - ' os '
            - ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Powershell Script Execution From Temp Folder
Detects a potentially suspicious powershell script executions from temporary folder
status test author Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton ATT&CK sub-technique id a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_path in ("*\powershell.exe", "*\pwsh.exe")) and 
 (action_process_image_command_line in ("*\Windows\Temp*", "*\Temporary Internet*", "*\AppData\Local\Temp*", "*\AppData\Roaming\Temp*", "*%TEMP%*", "*%TMP%*", "*%LocalAppData%\Temp*"))) and 
 (not 
 (action_process_image_command_line contains "-WindowStyle hidden -Verb runAs" or 
 action_process_image_command_line contains "\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\" or 
 (action_process_image_command_line in ("* >*", "*Out-File*", "*ConvertTo-Json*")) or 
 ((actor_process_image_path in ("C:\Windows\System32\Msiexec.exe", "C:\Windows\SysWOW64\Msiexec.exe")) and 
 action_process_image_path contains "\powershell.exe" and 
 (action_process_image_command_line contains "-NoProfile -ExecutionPolicy Bypass -Command" and 
 action_process_image_command_line contains "AppData\Local\Temp\" and 
 action_process_image_command_line contains "Install-Chocolatey.ps1"))))))
view Sigma YAML 
title: Potentially Suspicious Powershell Script Execution From Temp Folder
id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
status: test
description: Detects a potentially suspicious powershell script executions from temporary folder
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
date: 2021-07-14
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '\Windows\Temp'
            - '\Temporary Internet'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    filter_optional_vscode:
        CommandLine|contains: '-WindowStyle hidden -Verb runAs'
    filter_optional_amazon_ec2:
        CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
    filter_optional_generic:
        CommandLine|contains:
            - ' >'
            - 'Out-File'
            - 'ConvertTo-Json'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
status test author juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id e593cf51-88db-4ee1-b920-37e89012a3c9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line contains "javascript:" and 
 action_process_image_command_line contains ".RegisterXLL") or 
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "OpenURLA") or 
 (action_process_image_command_line contains "url.dll" and 
 action_process_image_command_line contains "FileProtocolHandler") or 
 (action_process_image_command_line contains "zipfldr.dll" and 
 action_process_image_command_line contains "RouteTheCall") or 
 (action_process_image_command_line contains "shell32.dll" and 
 action_process_image_command_line contains "Control_RunDLL") or 
 (action_process_image_command_line contains "shell32.dll" and 
 action_process_image_command_line contains "ShellExec_RunDLL") or 
 (action_process_image_command_line contains "mshtml.dll" and 
 action_process_image_command_line contains "PrintHTML") or 
 (action_process_image_command_line contains "advpack.dll" and 
 action_process_image_command_line contains "LaunchINFSection") or 
 (action_process_image_command_line contains "advpack.dll" and 
 action_process_image_command_line contains "RegisterOCX") or 
 (action_process_image_command_line contains "ieadvpack.dll" and 
 action_process_image_command_line contains "LaunchINFSection") or 
 (action_process_image_command_line contains "ieadvpack.dll" and 
 action_process_image_command_line contains "RegisterOCX") or 
 (action_process_image_command_line contains "ieframe.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 (action_process_image_command_line contains "shdocvw.dll" and 
 action_process_image_command_line contains "OpenURL") or 
 (action_process_image_command_line contains "syssetup.dll" and 
 action_process_image_command_line contains "SetupInfObjectInstallAction") or 
 (action_process_image_command_line contains "setupapi.dll" and 
 action_process_image_command_line contains "InstallHinfSection") or 
 (action_process_image_command_line contains "pcwutl.dll" and 
 action_process_image_command_line contains "LaunchApplication") or 
 (action_process_image_command_line contains "dfshim.dll" and 
 action_process_image_command_line contains "ShOpenVerbApplication") or 
 (action_process_image_command_line contains "dfshim.dll" and 
 action_process_image_command_line contains "ShOpenVerbShortcut") or 
 (action_process_image_command_line contains "scrobj.dll" and 
 action_process_image_command_line contains "GenerateTypeLib" and 
 action_process_image_command_line contains "http") or 
 (action_process_image_command_line contains "shimgvw.dll" and 
 action_process_image_command_line contains "ImageView_Fullscreen" and 
 action_process_image_command_line contains "http") or 
 (action_process_image_command_line contains "comsvcs.dll" and 
 action_process_image_command_line contains "MiniDump")) and 
 (not 
 (action_process_image_command_line contains "shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" or 
 (actor_process_image_path = "C:\Windows\System32\control.exe" and 
 actor_process_command_line contains ".cpl" and 
 (action_process_image_command_line contains "Shell32.dll" and 
 action_process_image_command_line contains "Control_RunDLL" and 
 action_process_image_command_line contains ".cpl")) or 
 (actor_process_image_path = "C:\Windows\System32\control.exe" and 
 action_process_image_command_line contains "\"C:\Windows\system32\rundll32.exe\" Shell32.dll,Control_RunDLL \"C:\Windows\System32\" and 
 action_process_image_command_line contains ".cpl\",")))))
view Sigma YAML 
title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl:  # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium Moderate Medium FP
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
status test author Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR) ATT&CK technique id 5fc297ae-25b6-488a-8f25-cc12ac29b744
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line in ("*-m 1M*", "*-m 2M*", "*-m 3M*")) and 
 (action_process_image_command_line contains "restrict=off" and 
 action_process_image_command_line contains "-netdev " and 
 action_process_image_command_line contains "connect=" and 
 action_process_image_command_line contains "-nographic")) and 
 (not 
 (action_process_image_command_line in ("* -cdrom *", "* type=virt *", "* -blockdev *")))))
view Sigma YAML 
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
    Detects potentially suspicious execution of the Qemu utility in a Windows environment.
    Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
    - https://securelist.com/network-tunneling-with-qemu/111803/
    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
            - '-m 2M'
            - '-m 3M'
        CommandLine|contains|all:
            - 'restrict=off'
            - '-netdev '
            - 'connect='
            - '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
    filter_main_normal_usecase:
        CommandLine|contains:
            - ' -cdrom ' # Normal usage cases
            - ' type=virt '
            - ' -blockdev '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
status experimental author X__Junior ATT&CK tactic-only id 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains "\Windows\System32\CodeIntegrity\" and 
 (not 
 ((actor_process_image_path in ("*\Microsoft.ConfigurationManagement.exe", "*\WDAC Wizard.exe", "*C:\Program Files\PowerShell\7-preview\pwsh.exe", "*C:\Program Files\PowerShell\7\pwsh.exe", "*C:\Windows\System32\dllhost.exe", "*C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe", "*C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "*C:\Windows\SysWOW64\dllhost.exe", "*C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe", "*C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")) or 
 ((actor_process_command_line contains "ConvertFrom-CIPolicy -XmlFilePath" and 
 actor_process_command_line contains "-BinaryFilePath ") or 
 actor_process_command_line contains "CiTool --update-policy" or 
 (actor_process_command_line contains "Copy-Item -Path" and 
 actor_process_command_line contains "-Destination")) or 
 actor_process_image_path = "System" or 
 actor_process_image_path = "C:\Windows\System32\wuauclt.exe" or 
 (actor_process_image_path in ("C:\Windows\UUS\arm64\wuaucltcore.exe", "C:\Windows\UUS\Packages\Preview\arm64\wuaucltcore.exe"))))))
view Sigma YAML 
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2026-05-18
tags:
    - attack.defense-impairment
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension needed because any extension would work, check first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image: 'C:\Windows\System32\wuauclt.exe'
    filter_main_wuaucltcore:
        Image:
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
            - 'C:\Windows\UUS\Packages\Preview\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium
Convert to SIEM query
medium Moderate High FP
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
status test author Micah Babinski ATT&CK sub-technique id 1412aa78-a24c-4abd-83df-767dfb2c5bbe
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\explorer.exe" and 
 (action_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe")) and 
 action_process_image_command_line contains "\DavWWWRoot\"))
view Sigma YAML 
title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
      type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains: '\DavWWWRoot\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
Potentially Suspicious Windows App Activity
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id f91ed517-a6ba-471d-9910-b3b4a398c0f3
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "C:\Program Files\WindowsApps\" and 
 ((action_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\powershell_ise.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\wscript.exe")) or 
 (action_process_image_command_line in ("*cmd /c*", "*Invoke-*", "*Base64*"))) and 
 (not 
 ((actor_process_image_path contains ":\Program Files\WindowsApps\Microsoft.WindowsTerminal" and 
 actor_process_image_path contains "\WindowsTerminal.exe" and 
 (action_process_image_path in ("*\powershell.exe", "*\cmd.exe", "*\pwsh.exe"))) or 
 (actor_process_image_path contains "C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite" and 
 action_process_image_path contains "\cmd.exe")))))
view Sigma YAML 
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        # GrandParentImage|endswith: '\sihost.exe'
        ParentImage|contains: 'C:\Program Files\WindowsApps\'
    selection_susp_img:
        Image|endswith:
            # You can add more LOLBINs
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_susp_cli:
        # You can add more potentially suspicious keywords
        CommandLine|contains:
            - 'cmd /c'
            - 'Invoke-'
            - 'Base64'
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
        ParentImage|endswith: '\WindowsTerminal.exe'
        # Note: to avoid FP add the default shells and profiles that your WT integrates
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_optional_sysinternals:
        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
        Image|endswith: '\cmd.exe'
    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate packages that make use of external binaries such as Windows Terminal
level: medium
Convert to SIEM query
medium Moderate Medium FP
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id ff301988-c231-4bd0-834c-ac9d73b86586
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter (event_type = ENUM.FILE and 
 event_sub_type = ENUM.FILE_REMOVE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_file_name contains "\PSReadLine\ConsoleHost_history.txt")
view Sigma YAML 
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate Medium FP
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id bb2ba6fb-95d4-4a25-89fc-30bb736c021a
cortex_xdr query
config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\excel.exe", "*\mspub.exe", "*\outlook.exe", "*\onenote.exe", "*\onenoteim.exe", "*\powerpnt.exe", "*\winword.exe")) and 
 (action_module_path in ("*\System.Management.Automation.Dll*", "*\System.Management.Automation.ni.Dll*"))))
view Sigma YAML 
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
    - attack.stealth
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains:
            - '\System.Management.Automation.Dll'
            - '\System.Management.Automation.ni.Dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id b9aeac14-2ffd-4ad3-b967-1354a4e628c3
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains "Get-Clipboard")
view Sigma YAML 
title: PowerShell Get-Clipboard Cmdlet Via CLI
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
related:
    - id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
      type: derived
status: test
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/16
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-02
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1115
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'Get-Clipboard'
    condition: selection
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Strong Medium FP
PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
status test author Nasreddine Bencherchali (Nextron Systems) ATT&CK tactic-only id e3845023-ca9a-4024-b2b2-5422156d5527
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name in ("*\WindowsPowerShell\Modules\*", "*\PowerShell\7\Modules\*")) and 
 (not 
 ((actor_process_image_path in ("*:\Program Files\PowerShell\7-preview\pwsh.exe", "*:\Program Files\PowerShell\7\pwsh.exe", "*:\Windows\System32\poqexec.exe", "*:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe", "*:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "*:\Windows\SysWOW64\poqexec.exe", "*:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe", "*:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe")) or 
 (actor_process_image_path in ("C:\Windows\System32\msiexec.exe", "C:\Windows\SysWOW64\msiexec.exe"))))))
view Sigma YAML 
title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2025-10-07
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\WindowsPowerShell\Modules\'
            - '\PowerShell\7\Modules\'
    filter_main_pwsh:
        Image|endswith:
            - ':\Program Files\PowerShell\7-preview\pwsh.exe'
            - ':\Program Files\PowerShell\7\pwsh.exe'
            - ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
status test author HieuTT35, Nasreddine Bencherchali (Nextron Systems) ATT&CK sub-technique id b5b78988-486d-4a80-b991-930eff3ff8bf
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name in ("*\Microsoft.PowerShell_profile.ps1", "*\PowerShell\profile.ps1", "*\Program Files\PowerShell\7-preview\profile.ps1", "*\Program Files\PowerShell\7\profile.ps1", "*\Windows\System32\WindowsPowerShell\v1.0\profile.ps1", "*\WindowsPowerShell\profile.ps1")))
view Sigma YAML 
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
    - https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-10-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Microsoft.PowerShell_profile.ps1'
            - '\PowerShell\profile.ps1'
            - '\Program Files\PowerShell\7-preview\profile.ps1'
            - '\Program Files\PowerShell\7\profile.ps1'
            - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
            - '\WindowsPowerShell\profile.ps1'
    condition: selection
falsepositives:
    - System administrator creating Powershell profile manually
level: medium
Convert to SIEM query
medium Strong Medium FP
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community ATT&CK sub-technique id ac175779-025a-4f12-98b0-acdaeb77ea85
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*powershell.exe*", "*\powershell*", "*\pwsh*", "*pwsh.exe*")) and 
 ((action_process_image_command_line contains "/c " and 
 action_process_image_command_line contains "\AppData\") and 
 (action_process_image_command_line in ("*Local\*", "*Roaming\*")))))
view Sigma YAML 
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
    - https://twitter.com/JohnLaTwC/status/1082851155481288706
    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-09
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'powershell.exe'
            - '\powershell'
            - '\pwsh'
            - 'pwsh.exe'
    selection2:
        CommandLine|contains|all:
            - '/c '
            - '\AppData\'
        CommandLine|contains:
            - 'Local\'
            - 'Roaming\'
    condition: all of selection*
falsepositives:
    - Administrative scripts
level: medium
Convert to SIEM query
medium Strong High FP
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
status test author Florian Roth (Nextron Systems) ATT&CK technique id 17769c90-230e-488b-a463-e05c08e9d48f
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*Add-MpPreference *", "*Set-MpPreference *")) and 
 (action_process_image_command_line in ("* -ExclusionPath *", "* -ExclusionExtension *", "* -ExclusionProcess *", "* -ExclusionIpAddress *"))))
view Sigma YAML 
title: Powershell Defender Exclusion
id: 17769c90-230e-488b-a463-e05c08e9d48f
related:
    - id: c1344fa2-323b-4d2e-9176-84b4d4821c88
      type: similar
status: test
description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2021-04-29
modified: 2022-05-12
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'Add-MpPreference '
            - 'Set-MpPreference '
    selection2:
        CommandLine|contains:
            - ' -ExclusionPath '
            - ' -ExclusionExtension '
            - ' -ExclusionProcess '
            - ' -ExclusionIpAddress '
    condition: all of selection*
falsepositives:
    - Possible Admin Activity
    - Other Cmdlets that may use the same parameters
level: medium
Convert to SIEM query
medium Moderate Medium FP
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
status test author frack113 ATT&CK sub-technique id ee218c12-627a-4d27-9e30-d6fb2fe22ed2
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line in ("*iex *", "*Invoke-Expression *", "*Invoke-Command *", "*icm *")) and 
 (action_process_image_command_line in ("*cat *", "*get-content *", "*type *")) and 
 action_process_image_command_line contains " -raw"))
view Sigma YAML 
title: Powershell Inline Execution From A File
id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
status: test
description: Detects inline execution of PowerShell code from a file
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_exec:
        CommandLine|contains:
            - 'iex '
            - 'Invoke-Expression '
            - 'Invoke-Command '
            - 'icm '
    selection_read:
        CommandLine|contains:
            - 'cat '
            - 'get-content '
            - 'type '
    selection_raw:
        CommandLine|contains: ' -raw'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Convert to SIEM query
medium Moderate High FP
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id d7821ff1-4527-4e33-9f84-d0d57fa2fb66
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path in ("*/cat", "*/head", "*/tail", "*/more")) and 
 ((action_process_image_command_line in ("*/.bash_history*", "*/.zsh_history*")) or 
 (action_process_image_command_line in ("*_history", "*.history", "*zhistory")))))
view Sigma YAML 
title: Print History File Contents
id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
status: test
description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
references:
    - https://github.com/sleventyeleven/linuxprivchecker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
    - attack.reconnaissance
    - attack.t1592.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/cat'
            - '/head'
            - '/tail'
            - '/more'
    selection_history:
        - CommandLine|contains:
              - '/.bash_history'
              - '/.zsh_history'
        - CommandLine|endswith:
              - '_history'
              - '.history'
              - 'zhistory'
    condition: all of selection*
falsepositives:
    - Legitimate administration activities
level: medium
Convert to SIEM query
medium Moderate High FP
Procdump Execution
Detects usage of the SysInternals Procdump utility
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 2e65275c-8288-4ab4-aeb7-6274f58b6b20
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_path in ("*\procdump.exe", "*\procdump64.exe")))
view Sigma YAML 
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\procdump.exe'
            - '\procdump64.exe'
    condition: selection
falsepositives:
    - Legitimate use of procdump by a developer or administrator
level: medium
Convert to SIEM query
Showing 301-350 of 559
Prev 7 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Detection coverage workspace
Saved stacks
SIEM query builder
Detection rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Ransomware groups
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Detection coverage Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh