Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
high
Strong
Medium FP
Service Binary in Suspicious Folder
Detect the creation of a service with a service binary located in a suspicious directory
view Sigma YAML
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
- id: c0abc838-36b0-47c9-b3b3-a90c39455382
type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection_service_start:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\Start'
Image|contains:
- '\Users\Public\'
- '\Perflogs\'
- '\ADMIN$\'
- '\Temp\'
Details:
- 'DWORD (0x00000000)' # boot
- 'DWORD (0x00000001)' # System
- 'DWORD (0x00000002)' # Automatic
# 3 - Manual , 4 - Disabled
selection_service_imagepath:
TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
TargetObject|endswith: '\ImagePath'
Details|contains:
- '\Users\Public\'
- '\Perflogs\'
- '\ADMIN$\'
- '\Temp\'
filter_optional_avast:
Image|contains|all: # Filter FP with Avast software
- '\Common Files\'
- '\Temp\'
filter_optional_mbamservice:
TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
Image: 'C:\Windows\system32\services.exe'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
view Sigma YAML
title: Shai-Hulud 2.0 Malicious NPM Package Installation
id: bae7c70b-8569-44e9-accf-b30073da8a5d
related:
- id: 514f533b-f56e-421d-80b0-f7706a3e9d23
type: similar
status: experimental
description: |
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
- attack.initial-access
- attack.execution
- attack.t1195.002
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\node.exe'
CommandLine|contains:
- 'install'
- ' i '
# List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
selection_packages:
CommandLine|contains:
- '[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@afetcan/[email protected]'
- '@afetcan/[email protected]'
- '@alaan/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@aryanhussain/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_npm_package_installation/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
view Sigma YAML
title: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
id: 514f533b-f56e-421d-80b0-f7706a3e9d23
related:
- id: bae7c70b-8569-44e9-accf-b30073da8a5d
type: similar
status: experimental
description: |
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
- attack.initial-access
- attack.execution
- attack.t1195.002
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '\node'
CommandLine|contains:
- 'install'
- ' i '
# List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
selection_packages:
CommandLine|contains:
- '[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@afetcan/[email protected]'
- '@afetcan/[email protected]'
- '@alaan/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@aryanhussain/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
view Sigma YAML
title: Shai-Hulud Malicious Bun Execution
id: 5299fadf-f228-4526-8274-251db1960be9
related:
- id: eb827bbd-670a-4d58-8446-c464d8ac2323
type: similar
status: experimental
description: |
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.t1195.002
- attack.t1203
- attack.execution
- attack.initial-access
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\node.exe'
selection_child_bun_script:
Image|endswith: '\bun.exe'
CommandLine|contains:
- 'bun_environment.js'
- 'https://github.com/actions/runner/releases/download/v2.330.0'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_node_bun_execution/info.yml
Convert to SIEM query
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
view Sigma YAML
title: Shai-Hulud Malicious Bun Execution - Linux
id: eb827bbd-670a-4d58-8446-c464d8ac2323
related:
- id: 5299fadf-f228-4526-8274-251db1960be9
type: similar
status: experimental
description: |
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.t1195.002
- attack.t1203
- attack.execution
- attack.initial-access
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith: '/node'
selection_child_bun:
Image|endswith: '/bun'
CommandLine|contains:
- 'bun_environment.js'
- 'https://github.com/actions/runner/releases/download/v2.330.0'
selection_child_setup_curl:
CommandLine|contains|all:
- 'curl '
- '-fsSL'
- 'https://bun.sh/install'
- 'bash'
selection_child_path_reload:
CommandLine|contains|all:
- 'bash -c "source '
- '&& echo'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
Convert to SIEM query
high
Moderate
High FP
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
view Sigma YAML
title: Shai-Hulud Malicious GitHub Workflow Creation
id: 0aba5685-6db6-486f-88ef-29a99c545cfd
status: experimental
description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
references:
- https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2026-01-24
tags:
- attack.persistence
- attack.credential-access
- attack.t1552.001
- attack.collection
- attack.t1119
- detection.emerging-threats
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith:
- '.github/workflows/shai-hulud-workflow.yaml'
- '.github/workflows/shai-hulud-workflow.yml'
- '.github/workflows/shai-hulud.yaml'
- '.github/workflows/shai-hulud.yml'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
view Sigma YAML
title: Shai-Hulud Malware Indicators - Linux
id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
related:
- id: 540703fb-a874-4385-a9d6-7cd1bfab268c
type: similar
- id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
type: similar
status: experimental
description: |
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- 'Shai-Hulud'
- 'SHA1HULUD'
condition: selection
falsepositives:
- Legitimate software containing similar strings
level: high
Convert to SIEM query
high
Moderate
High FP
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
view Sigma YAML
title: Shai-Hulud Malware Indicators - Windows
id: 540703fb-a874-4385-a9d6-7cd1bfab268c
related:
- id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
type: similar
- id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
type: similar
status: experimental
description: |
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.execution
- attack.t1059
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Shai-Hulud'
- 'SHA1HULUD'
condition: selection
falsepositives:
- Legitimate software containing similar strings
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_indicator/info.yml
Convert to SIEM query
high
Moderate
High FP
Shai-Hulud NPM Package Malicious Exfiltration via Curl
Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
view Sigma YAML
title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
references:
- https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
- attack.exfiltration
- attack.t1041
- attack.collection
- attack.t1005
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/curl'
CommandLine|contains|all:
- 'curl'
- '-d'
- 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/gcc/#shell
- https://gtfobins.github.io/gtfobins/c89/#shell
- https://gtfobins.github.io/gtfobins/c99/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/c89'
- '/c99'
- '/gcc'
CommandLine|contains: '-wrapper'
selection_cli:
CommandLine|contains:
- '/bin/bash,-s'
- '/bin/dash,-s'
- '/bin/fish,-s'
- '/bin/sh,-s'
- '/bin/zsh,-s'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
view Sigma YAML
title: Shell Execution Of Process Located In Tmp Directory
id: 2fade0b6-7423-4835-9d4f-335b39b83867
status: test
description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.execution
logsource:
product: linux
category: process_creation
detection:
selection:
ParentImage|startswith: '/tmp/'
Image|endswith:
- '/bash'
- '/csh'
- '/dash'
- '/fish'
- '/ksh'
- '/sh'
- '/zsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
view Sigma YAML
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
- https://gtfobins.github.io/gtfobins/find/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/find'
CommandLine|contains|all:
- ' . '
- '-exec'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/flock/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/flock'
CommandLine|contains: ' -u '
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: test
description: |
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/git'
ParentCommandLine|contains|all:
- ' -p '
- 'help'
CommandLine|contains:
- 'bash 0<&1'
- 'dash 0<&1'
- 'sh 0<&1'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/nice/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/nice'
CommandLine|endswith:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/rsync'
- '/rsyncd'
CommandLine|contains: ' -e '
selection_cli:
CommandLine|contains:
- '/ash '
- '/bash '
- '/dash '
- '/csh '
- '/sh '
- '/zsh '
- '/tcsh '
- '/ksh '
- "'ash "
- "'bash "
- "'dash "
- "'csh "
- "'sh "
- "'zsh "
- "'tcsh "
- "'ksh "
condition: all of selection_*
falsepositives:
- Legitimate cases in which "rsync" is used to execute a shell
level: high
Convert to SIEM query
high
Moderate
Medium FP
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: test
description: |
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/ssh/
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-08-29
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/ssh'
CommandLine|contains:
- 'ProxyCommand=;'
- 'permitlocalcommand=yes'
- 'localhost'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
- 'sh 0<&2 1>&2'
- 'sh 1>&2 0<&2'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
view Sigma YAML
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
- https://gtfobins.github.io/gtfobins/env/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
modified: 2026-01-08
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/env'
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Github operations such as ghe-backup
level: high
Convert to SIEM query
high
Strong
Medium FP
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
view Sigma YAML
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
- https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection1a:
CommandLine|contains|all:
- 'rundll32'
- 'apphelp.dll'
selection1b:
CommandLine|contains:
- 'ShimFlushCache'
- '#250'
selection2a:
CommandLine|contains|all:
- 'rundll32'
- 'kernel32.dll'
selection2b:
CommandLine|contains:
- 'BaseFlushAppcompatCache'
- '#46'
condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Small Sieve Malware CommandLine Indicator
Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
view Sigma YAML
title: Small Sieve Malware CommandLine Indicator
id: 21117127-21c8-437a-ae03-4b51e5a8a088
status: test
description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|endswith: '.exe Platypus'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
view Sigma YAML
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-05-19
tags:
- attack.stealth
- attack.t1036.005
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection_typo_path:
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\'
TargetFilename|contains:
- '\Roaming\'
- '\Local\'
selection_typo_keyword:
TargetFilename|contains: 'Microsift'
selection_ioc:
TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
condition: all of selection_typo_* or selection_ioc
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Small Sieve Malware Registry Persistence
Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
view Sigma YAML
title: Small Sieve Malware Registry Persistence
id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
status: test
description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection_path:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
selection_value:
- TargetObject|contains: 'Microsift'
- Details|contains: '.exe Platypus'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
view Sigma YAML
title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
status: test
description: Detects Trojan loader activity as used by APT28
references:
- https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
- https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
- https://twitter.com/ClearskySec/status/960924755355369472
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2018-03-01
modified: 2023-05-31
tags:
- attack.execution
- attack.stealth
- attack.g0007
- attack.t1059.003
- attack.t1218.011
- car.2013-10-002
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_path:
Image|endswith: '\rundll32.exe'
CommandLine|contains:
- '%LOCALAPPDATA%'
- '\AppData\Local\'
selection_extensions:
- CommandLine|contains: '.dat",'
- CommandLine|endswith:
- '.dll #1'
- '.dll" #1'
- '.dll",#1'
filter_main_exclude_temp:
CommandLine|contains: '\AppData\Local\Temp\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
view Sigma YAML
title: Sudo Privilege Escalation CVE-2019-14287
id: f74107df-b6c6-4e80-bf00-4170b658162b
status: test
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
references:
- https://www.openwall.com/lists/oss-security/2019/10/14/1
- https://access.redhat.com/security/cve/cve-2019-14287
- https://twitter.com/matthieugarin/status/1183970598210412546
author: Florian Roth (Nextron Systems)
date: 2019-10-15
modified: 2022-10-05
tags:
- attack.privilege-escalation
- attack.t1068
- attack.t1548.003
- cve.2019-14287
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains: ' -u#'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
view Sigma YAML
title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
- id: 6b269392-9eba-40b5-acb6-55c882b20ba6
type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\w3wp.exe'
CommandLine|contains: 'MSExchange'
TargetFilename|contains:
- 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
- '\inetpub\wwwroot\aspnet_client\' # from GTSC report
selection_types:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.ashx'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
view Sigma YAML
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: test
description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
selection_paths:
TargetObject|contains:
# Add more paths you don't allow in your org
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\PerfLogs\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
service endpoint and remotely execute code from the ArcSOC.exe process.
view Sigma YAML
title: Suspicious ArcSOC.exe Child Process
id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
status: experimental
description: |
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
service endpoint and remotely execute code from the ArcSOC.exe process.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.execution
- attack.t1059
- attack.t1203
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ArcSOC.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wmic.exe'
- '\wscript.exe'
filter_main_cmd:
Image|endswith: '\cmd.exe'
CommandLine: 'cmd.exe /c "ver"'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
view Sigma YAML
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
- https://intel.thedfirreport.com/events/view/30032 # Private Report
- https://intel.thedfirreport.com/eventReports/view/70 # Private Report
- https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
- attack.execution
- attack.t1204
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: ':\Users\Public\'
TargetFilename|endswith:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
view Sigma YAML
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
- https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
- attack.g0046
- car.2013-05-002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.exe'
- '\EQNEDT32.exe'
# - '\OUTLOOK.EXE' too many FPs
Image|startswith: 'C:\users\'
Image|endswith: '.exe'
filter:
Image|endswith: '\Teams.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll".
According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
view Sigma YAML
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
Detects AnyDesk writing binary files to disk other than "gcapi.dll".
According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
- https://redcanary.com/blog/misbehaving-rats/
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\AnyDesk.exe'
- '\AnyDeskMSI.exe'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_dlls:
TargetFilename|endswith: '\gcapi.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
view Sigma YAML
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
- id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
type: similar
status: experimental
description: |
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
- https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1021.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\baaupdate.exe'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
view Sigma YAML
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
- https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains: '\calc.exe '
selection_2:
Image|endswith: '\calc.exe'
filter_main_known_locations:
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Camera and Microphone Access
Detects Processes accessing the camera and microphone from suspicious folder
view Sigma YAML
title: Suspicious Camera and Microphone Access
id: 62120148-6b7a-42be-8b91-271c04e281a3
status: test
description: Detects Processes accessing the camera and microphone from suspicious folder
references:
- https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Den Iuzvyk
date: 2020-06-07
modified: 2022-10-09
tags:
- attack.collection
- attack.t1125
- attack.t1123
logsource:
category: registry_event
product: windows
detection:
selection_1:
TargetObject|contains|all:
- '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
- '\NonPackaged'
selection_2:
TargetObject|contains:
- microphone
- webcam
selection_3:
TargetObject|contains:
- ':#Windows#Temp#'
- ':#$Recycle.bin#'
- ':#Temp#'
- ':#Users#Public#'
- ':#Users#Default#'
- ':#Users#Desktop#'
condition: all of selection_*
falsepositives:
- Unlikely, there could be conferencing software running from a Temp folder accessing the devices
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Child Process Created as System
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
view Sigma YAML
title: Suspicious Child Process Created as System
id: 590a5f4c-6c8c-4f10-8307-89afe9453a9d
status: test
description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
- https://github.com/antonioCoco/RogueWinRM
- https://twitter.com/Cyb3rWard0g/status/1453123054243024897
author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
date: 2019-10-26
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.002
logsource:
category: process_creation
product: windows
definition: 'Requirements: ParentUser field needs sysmon >= 13.30'
detection:
selection:
ParentUser|contains:
- 'AUTHORI'
- 'AUTORI'
ParentUser|endswith:
- '\NETWORK SERVICE'
- '\LOCAL SERVICE'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|endswith: # System
- '\SYSTEM'
- '\Système'
- '\СИСТЕМА'
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'DavSetCookie'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
view Sigma YAML
title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
- id: aaf46cdc-934e-4284-b329-34aa701e3771
type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
- https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\bginfo.exe'
- '\bginfo64.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- Image|contains:
- '\AppData\Local\'
- '\AppData\Roaming\'
- ':\Users\Public\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\PerfLogs\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
view Sigma YAML
title: Suspicious Child Process Of Manage Engine ServiceDesk
id: cea2b7ea-792b-405f-95a1-b903ea06458f
status: test
description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
references:
- https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
- https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py
- https://blog.viettelcybersecurity.com/saml-show-stopper/
author: Florian Roth (Nextron Systems)
date: 2023-01-18
modified: 2023-08-29
tags:
- attack.command-and-control
- attack.t1102
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains|all:
- '\ManageEngine\ServiceDesk\'
- '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\notepad.exe' # Often used in POCs
- '\powershell.exe'
- '\pwsh.exe'
- '\query.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe' # Often used in POCs
- '\wmic.exe'
- '\wscript.exe'
# - '\hh.exe'
# - '\regsvr32.exe'
# - '\rundll32.exe'
# - '\scriptrunner.exe'
filter_main_net:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: ' stop'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate sub processes started by Manage Engine ServiceDesk Pro
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
view Sigma YAML
title: Suspicious Child Process Of SQL Server
id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
related:
- id: 344482e4-a477-436c-aa70-7536d18a48c7
type: obsolete
status: test
description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
references:
- Internal Research
author: FPT.EagleEye Team, wagga
date: 2020-12-11
modified: 2023-05-04
tags:
- attack.t1505.003
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\sqlservr.exe'
Image|endswith:
# You can add other uncommon or suspicious processes
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\netstat.exe'
- '\nltest.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\tasklist.exe'
- '\wsl.exe'
filter_optional_datev:
ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
Image: 'C:\Windows\System32\cmd.exe'
CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
condition: selection and not 1 of filter_optional_*
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
view Sigma YAML
title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wermgr.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wscript.exe'
filter_main_rundll32:
Image|endswith: '\rundll32.exe'
CommandLine|contains|all:
- 'C:\Windows\system32\WerConCpl.dll'
- 'LaunchErcApp '
CommandLine|contains:
- '-queuereporting'
- '-responsepester'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
view Sigma YAML
title: Suspicious Child Process of AspNetCompiler
id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
related:
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\aspnet_compiler.exe'
selection_child:
# Note: add other potential suspicious child processes and paths
- Image|endswith:
- '\calc.exe'
- '\notepad.exe'
- Image|contains:
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
view Sigma YAML
title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\gup.exe'
selection_child_img:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\mshta.exe'
selection_child_cli:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'finger'
- 'forfiles'
- 'regsvr32'
- 'rundll32'
- 'wget'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Child Process of SolarWinds WebHelpDesk
Detects suspicious child processes spawned by SolarWinds WebHelpDesk (WHD) application, which may indicate exploitation activity leveraging RCE vulnerabilities such as CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399
view Sigma YAML
title: Suspicious Child Process of SolarWinds WebHelpDesk
id: 8c7f4a2d-3b9e-4f1c-9a6d-2e8f5c3d9a1b
status: experimental
description: |
Detects suspicious child processes spawned by SolarWinds WebHelpDesk (WHD) application, which may indicate exploitation activity leveraging RCE vulnerabilities such as CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399
references:
- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
author: Huntress Team, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-11
tags:
- attack.initial-access
- attack.t1190
- cve.2025-26399
- cve.2025-40536
- cve.2025-40551
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: '\WebHelpDesk\bin\'
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains: 'tomcat'
selection_suspicious_child:
CommandLine|contains:
- '-enc'
- 'base64'
- 'bitsadmin'
- 'certutil'
- 'curl'
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
- 'mshta'
- 'msiexec'
- 'Net.WebClient'
- 'Start-BitsTransfer'
- 'wget'
- 'wmic'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
view Sigma YAML
title: Suspicious Chromium Browser Instance Executed With Custom Extension
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
related:
- id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
type: similar
status: test
description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
references:
- https://redcanary.com/blog/chromeloader/
- https://emkc.org/s/RJjuLa
- https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Aedan Russell, frack113, X__Junior (Nextron Systems)
date: 2022-06-19
modified: 2023-11-28
tags:
- attack.persistence
- attack.t1176.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains: '--load-extension='
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious ClickFix/FileFix Execution Pattern
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
view Sigma YAML
title: Suspicious ClickFix/FileFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
related:
- id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
type: similar
status: experimental
description: |
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
view Sigma YAML
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
- https://twitter.com/RedDrip7/status/1506480588827467785
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2024-03-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_schtasks:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_pattern_1:
CommandLine|contains:
- '/sc minute '
- '/ru system '
selection_pattern_2:
CommandLine|contains:
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd.exe /r '
selection_uncommon:
CommandLine|contains:
- ' -decode '
- ' -enc '
- ' -w hidden '
- ' bypass '
- ' IEX'
- '.DownloadData'
- '.DownloadFile'
- '.DownloadString'
- '/c start /min ' # https://twitter.com/RedDrip7/status/1506480588827467785
- 'FromBase64String'
- 'mshta http'
- 'mshta.exe http'
selection_anomaly_1:
CommandLine|contains:
- ':\ProgramData\'
- ':\Temp\'
- ':\Tmp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\'
- '%AppData%'
- '%Temp%'
- '%tmp%'
selection_anomaly_2:
CommandLine|contains:
- 'cscript'
- 'curl'
- 'wscript'
condition: selection_schtasks and ( all of selection_pattern_* or selection_uncommon or all of selection_anomaly_* )
falsepositives:
- Software installers that run from temporary folders and also install scheduled tasks are expected to generate some false positives
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
view Sigma YAML
title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: test
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
references:
- https://twitter.com/eral4m/status/1480468728324231172?s=20
author: frack113
date: 2022-01-21
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\colorcpl.exe'
filter_ext:
TargetFilename|endswith:
- '.icm'
- '.gmmp'
- '.cdmp'
- '.camp'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
view Sigma YAML
title: Suspicious Curl.EXE Download
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
related:
- id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
type: derived
- id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
type: similar
status: test
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
references:
- https://twitter.com/max_mal_/status/1542461200797163522
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
- https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_curl:
- Image|endswith: '\curl.exe'
- Product: 'The curl executable'
selection_susp_locations:
CommandLine|contains:
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- 'C:\PerfLogs\'
- 'C:\ProgramData\'
- 'C:\Windows\Temp\'
selection_susp_extensions:
CommandLine|endswith:
- '.dll'
- '.gif'
- '.jpeg'
- '.jpg'
- '.png'
- '.temp'
- '.tmp'
- '.txt'
- '.vbe'
- '.vbs'
filter_optional_git_windows:
# Example FP
# CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
CommandLine|contains|all:
- '--silent --show-error --output '
- 'gfw-httpget-'
- 'AppData'
condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
simulation:
- type: atomic-red-team
name: Curl Download File
technique: T1105
atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
Convert to SIEM query
high
Strong
Medium FP
Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
view Sigma YAML
title: Suspicious CustomShellHost Execution
id: 84b14121-9d14-416e-800b-f3b829c5a14d
status: test
description: |
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
references:
- https://github.com/LOLBAS-Project/LOLBAS/pull/180
- https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2025-10-29
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\CustomShellHost.exe'
filter_main_explorer:
Image: 'C:\Windows\explorer.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives are unlikely, investigate matches carefully.
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
view Sigma YAML
title: Suspicious Debugger Registration Cmdline
id: ae215552-081e-44c7-805f-be16f975c8a2
status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
references:
- https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-06
modified: 2022-08-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.008
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
selection2:
CommandLine|contains:
- 'sethc.exe'
- 'utilman.exe'
- 'osk.exe'
- 'magnify.exe'
- 'narrator.exe'
- 'displayswitch.exe'
- 'atbroker.exe'
- 'HelpPane.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
view Sigma YAML
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: ' /lockscreenurl:'
selection1_filter:
CommandLine|contains:
- '.jpg'
- '.jpeg'
- '.png'
selection_reg:
CommandLine|contains|all:
- 'reg delete'
- '\PersonalizationCSP'
condition: ( selection1 and not selection1_filter ) or selection_reg
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
view Sigma YAML
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2022-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
TargetFilename|contains: '\Personalization\LockScreenImage\'
filter1:
TargetFilename|contains: 'C:\Windows\'
filter2:
TargetFilename|contains:
- '.jpg'
- '.jpeg'
- '.png'
condition: selection and not filter1 and not filter2
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
Showing 601-650 of 1,524