Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
high
Moderate
High FP
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
view Sigma YAML
title: Suspicious Process Execution From Fake Recycle.Bin Folder
id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
related:
- id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
type: derived
status: test
description: Detects process execution from a fake recycle bin folder, often used to avoid security solution.
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
- attack.persistence
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
view Sigma YAML
title: Suspicious Process Patterns NTDS.DIT Exfil
id: 8bc64091-6875-4881-aaf9-7bd25b5dda08
status: test
description: Detects suspicious process patterns used in NTDS.DIT exfiltration
references:
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://pentestlab.blog/tag/ntds-dit/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
- https://github.com/zcgonvh/NTDSDumpEx
- https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-03-11
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: process_creation
detection:
selection_tool:
# https://github.com/zcgonvh/NTDSDumpEx
- Image|endswith:
- '\NTDSDump.exe'
- '\NTDSDumpEx.exe'
- CommandLine|contains|all:
# ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv
- 'ntds.dit'
- 'system.hiv'
- CommandLine|contains: 'NTDSgrab.ps1'
selection_oneliner_1:
# powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
CommandLine|contains|all:
- 'ac i ntds'
- 'create full'
selection_onliner_2:
# cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
CommandLine|contains|all:
- '/c copy '
- '\windows\ntds\ntds.dit'
selection_onliner_3:
# ntdsutil "activate instance ntds" "ifm" "create full c:\windows\temp\data\" "quit" "quit"
CommandLine|contains|all:
- 'activate instance ntds'
- 'create full'
selection_powershell:
CommandLine|contains|all:
- 'powershell'
- 'ntds.dit'
set1_selection_ntds_dit:
CommandLine|contains: 'ntds.dit'
set1_selection_image_folder:
- ParentImage|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
- Image|contains:
- '\apache'
- '\tomcat'
- '\AppData\'
- '\Temp\'
- '\Public\'
- '\PerfLogs\'
condition: 1 of selection* or all of set1*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
view Sigma YAML
title: Suspicious Process Spawned by CentreStack Portal AppPool
id: 2d79e371-2a27-42de-87a4-b4213fc72a6a
status: experimental
description: |
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
references:
- https://nvd.nist.gov/vuln/detail/CVE-2025-30406
- https://blackpointcyber.com/blog/racing-to-exploit-centrestacks-cve-2025-30406/
- https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
- https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
author: Jason Rathbun (Blackpoint Cyber)
date: 2025-04-17
tags:
- attack.persistence
- attack.execution
- attack.t1059.003
- attack.t1505.003
- cve.2025-30406
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: '\portal\portal.config'
Image|endswith: '\cmd.exe'
condition: selection
falsepositives:
- Potentially if other portal services run on w3wp with a apppool\portal\portal.config, if you want to increase scope you could add user IIS APPPOOL\portal.
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
view Sigma YAML
title: Suspicious Processes Spawned by Java.EXE
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
- id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
type: similar
status: test
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021-12-17
modified: 2024-01-18
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\AppVLP.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\query.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\whoami.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
condition: selection
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
view Sigma YAML
title: Suspicious Processes Spawned by WinRM
id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
status: test
description: Detects suspicious processes including shells spawnd from WinRM host process
author: Andreas Hunkeler (@Karneades), Markus Neis
references:
- Internal Research
date: 2021-05-20
modified: 2022-07-14
tags:
- attack.t1190
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wsmprovhost.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
condition: selection
falsepositives:
- Legitimate WinRM usage
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
view Sigma YAML
title: Suspicious Program Names
id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6
status: test
description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: Florian Roth (Nextron Systems)
date: 2022-02-11
modified: 2023-03-22
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|contains:
- '\CVE-202' # Update this when we reach the year 2100
- '\CVE202' # Update this when we reach the year 2100
- Image|endswith:
- '\poc.exe'
- '\artifact.exe'
- '\artifact64.exe'
- '\artifact_protected.exe'
- '\artifact32.exe'
- '\artifact32big.exe'
- 'obfuscated.exe'
- 'obfusc.exe'
- '\meterpreter'
selection_commandline:
CommandLine|contains:
- 'inject.ps1'
- 'Invoke-CVE'
- 'pupy.ps1'
- 'payload.ps1'
- 'beacon.ps1'
- 'PowerView.ps1'
- 'bypass.ps1'
- 'obfuscated.ps1'
- 'obfusc.ps1'
- 'obfus.ps1'
- 'obfs.ps1'
- 'evil.ps1'
- 'MiniDogz.ps1'
- '_enc.ps1'
- '\shell.ps1'
- '\rshell.ps1'
- 'revshell.ps1'
- '\av.ps1'
- '\av_test.ps1'
- 'adrecon.ps1'
- 'mimikatz.ps1'
- '\PowerUp_'
- 'powerup.ps1'
- '\Temp\a.ps1'
- '\Temp\p.ps1'
- '\Temp\1.ps1'
- 'Hound.ps1'
- 'encode.ps1'
- 'powercat.ps1'
condition: 1 of selection*
falsepositives:
- Legitimate tools that accidentally match on the searched patterns
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
view Sigma YAML
title: Suspicious Provlaunch.EXE Child Process
id: f9999590-1f94-4a34-a91e-951e47bedefd
related:
- id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\provlaunch.exe'
selection_child:
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
view Sigma YAML
title: Suspicious RDP Redirect Using TSCON
id: f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb
status: test
description: Detects a suspicious RDP session redirect using tscon.exe
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2023-05-16
tags:
- attack.lateral-movement
- attack.t1563.002
- attack.t1021.001
- car.2013-07-002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ' /dest:rdp-tcp#'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious RazerInstaller Explorer Subprocess
Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
view Sigma YAML
title: Suspicious RazerInstaller Explorer Subprocess
id: a4eaf250-7dc1-4842-862a-5e71cd59a167
status: test
description: Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
references:
- https://twitter.com/j0nh4t/status/1429049506021138437
- https://streamable.com/q2dsji
author: Florian Roth (Nextron Systems), Maxime Thiebaut
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1553
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\RazerInstaller.exe'
IntegrityLevel:
- 'System'
- 'S-1-16-16384' # System
filter_main_razer:
Image|startswith: 'C:\Windows\Installer\Razer\Installer\'
condition: selection and not 1 of filter_main_*
falsepositives:
- User selecting a different installation folder (check for other sub processes of this explorer.exe process)
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
view Sigma YAML
title: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 07aa184a-870d-413d-893a-157f317f6f58
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 575dce0c-8139-4e30-9295-1ee75969f7fe # ProcCreation LOLBIN
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'gatherNetworkInfo.vbs'
filter:
Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
view Sigma YAML
title: Suspicious Redirection to Local Admin Share
id: ab9e3b40-0c85-4ba1-aede-455d226fd124
status: test
description: Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
references:
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Florian Roth (Nextron Systems)
date: 2022-01-16
modified: 2023-12-28
tags:
- attack.exfiltration
- attack.t1048
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
CommandLine|contains: '>'
selection_share:
CommandLine|contains:
- '\\\\127.0.0.1\\admin$\\'
- '\\\\localhost\\admin$\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
view Sigma YAML
title: Suspicious Reg Add BitLocker
id: 0e0255bf-2548-47b8-9582-c0955c9283f5
status: test
description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
references:
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
author: frack113
date: 2021-11-15
modified: 2022-09-09
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'REG'
- 'ADD'
- '\SOFTWARE\Policies\Microsoft\FVE'
- '/v'
- '/f'
CommandLine|contains:
- 'EnableBDEWithNoTPM'
- 'UseAdvancedStartup'
- 'UseTPM'
- 'UseTPMKey'
- 'UseTPMKeyPIN'
- 'RecoveryKeyMessageSource'
- 'UseTPMPIN'
- 'RecoveryKeyMessage'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
view Sigma YAML
title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
- id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\outlook.exe'
Image|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Run Key from Download
Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
view Sigma YAML
title: Suspicious Run Key from Download
id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
status: test
description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
references:
- https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poude (Nextron Systems)
date: 2019-10-01
modified: 2025-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_event
product: windows
detection:
selection:
Image|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- '\Downloads\'
- '\Temporary Internet Files\Content.Outlook\'
- '\Local Settings\Temporary Internet Files\'
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run'
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
condition: selection
falsepositives:
- Software installers downloaded and used by users
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
view Sigma YAML
title: Suspicious Rundll32 Activity Invoking Sys File
id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
status: test
description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains: 'rundll32.exe'
selection2:
CommandLine|contains:
- '.sys,'
- '.sys '
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
view Sigma YAML
title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- 'Execute'
- 'RegRead'
- 'window.close'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
view Sigma YAML
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
- Internal Research
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
- attack.credential-access
- attack.privilege-escalation
- attack.stealth
- attack.t1134
- attack.t1003
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
selection_special:
- Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mshta.exe'
- '\ping.exe'
- '\wscript.exe'
- CommandLine|re: 'net\s+user\s+'
- CommandLine|contains:
# - 'sc stop ' # stops a system service # causes FPs
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' -decode ' # Used with certutil
- ' /decode ' # Used with certutil
- ' /urlcache ' # Used with certutil
- ' -urlcache ' # Used with certutil
- ' -e* JAB' # PowerShell encoded commands
- ' -e* SUVYI' # PowerShell encoded commands
- ' -e* SQBFAFgA' # PowerShell encoded commands
- ' -e* aWV4I' # PowerShell encoded commands
- ' -e* IAB' # PowerShell encoded commands
- ' -e* PAA' # PowerShell encoded commands
- ' -e* aQBlAHgA' # PowerShell encoded commands
- 'vssadmin delete shadows' # Ransomware
- 'reg SAVE HKLM' # save registry SAM - syskey extraction
- ' -ma ' # ProcDump
- 'Microsoft\Windows\CurrentVersion\Run' # Run key in command line - often in combination with REG ADD
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- 'dpapi::' # Mimikatz
- 'event::clear' # Mimikatz
- 'event::drop' # Mimikatz
- 'id::modify' # Mimikatz
- 'kerberos::' # Mimikatz
- 'lsadump::' # Mimikatz
- 'misc::' # Mimikatz
- 'privilege::' # Mimikatz
- 'rpc::' # Mimikatz
- 'sekurlsa::' # Mimikatz
- 'sid::' # Mimikatz
- 'token::' # Mimikatz
- 'vault::cred' # Mimikatz
- 'vault::list' # Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump
filter_main_ping:
CommandLine|contains|all:
- 'ping'
- '127.0.0.1'
- ' -n '
filter_vs:
Image|endswith: '\PING.EXE'
ParentCommandLine|contains: '\DismFoDInstall.cmd'
filter_config_mgr:
ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_java:
ParentImage|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
ParentImage|endswith: '\bin\javaws.exe'
Image|contains:
- ':\Program Files (x86)\Java\'
- ':\Program Files\Java\'
Image|endswith: '\bin\jp2launcher.exe'
CommandLine|contains: ' -ma '
condition: all of selection* and not 1 of filter_*
falsepositives:
- Administrative activity
- Scripts and administrative tools used in the monitored environment
- Monitoring activity
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
view Sigma YAML
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
references:
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021-03-11
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- ' /create '
- ' /sc once '
- '\Temp\'
condition: selection
falsepositives:
- Administrative activity
- Software installation
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
view Sigma YAML
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\System32\Tasks'
Image|contains:
- '\AppData\'
- 'C:\PerfLogs'
- '\Windows\System32\config\systemprofile'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
view Sigma YAML
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/Create'
- '/RU'
- '/TR'
- 'C:\Users\'
- '\AppData\Local\'
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM ' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
filter:
# FP from test set in SIGMA
ParentImage|contains|all:
- '\AppData\Local\Temp\'
- 'TeamViewer_.exe'
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/TN TVInstallRestore'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
view Sigma YAML
title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
- https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
- attack.credential-access
- attack.t1555
- cve.2021-35211
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Serv-U.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\schtasks.exe'
- '\regsvr32.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\msiexec.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
condition: selection
falsepositives:
- Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
view Sigma YAML
title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\Users\Public\'
- '\$Recycle.bin'
- '\Users\All Users\'
- '\Users\Default\'
- '\Users\Contacts\'
- '\Users\Searches\'
- 'C:\Perflogs\'
- '\config\systemprofile\'
- '\Windows\Fonts\'
- '\Windows\IME\'
- '\Windows\addins\'
ParentImage|endswith:
- '\services.exe'
- '\svchost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
view Sigma YAML
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
status: test
description: Detects service path modification via the "sc" binary to a suspicious command or path
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2022-11-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'config'
- 'binPath'
CommandLine|contains:
# Add more suspicious commands or binaries
- 'powershell'
- 'cmd '
- 'mshta'
- 'wscript'
- 'cscript'
- 'rundll32'
- 'svchost'
- 'dllhost'
- 'cmd.exe /c'
- 'cmd.exe /k'
- 'cmd.exe /r'
- 'cmd /c'
- 'cmd /k'
- 'cmd /r'
# Add more suspicious paths
- 'C:\Users\Public'
- '\Downloads\'
- '\Desktop\'
- '\Microsoft\Windows\Start Menu\Programs\Startup\'
- 'C:\Windows\TEMP\'
- '\AppData\Local\Temp'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
view Sigma YAML
title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
- id: d87bd452-6da1-456e-8155-7dc988157b7d
type: derived
status: test
description: |
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
references:
- https://redcanary.com/blog/raspberry-robin/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/SigmaHQ/sigma/issues/1009
- https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection_parent_img:
ParentCommandLine|contains: 'SHELL32.DLL'
selection_parent_ordinal:
ParentCommandLine|contains:
# Note: The ordinal number may differ depending on the DLL version
# Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
- '#568'
- '#570'
- '#572'
- '#576'
selection_susp_cli_parent:
# Note: Add additional binaries and suspicious paths to increase coverage
- ParentCommandLine|contains:
- 'comspec'
- 'iex'
- 'Invoke-'
- 'msiexec'
- 'odbcconf'
- 'regsvr32'
- ParentCommandLine|contains:
- '\Desktop\'
- '\ProgramData\'
- '\Temp\'
- '\Users\Public\'
selection_susp_child_img:
Image|endswith:
- '\bash.exe'
- '\bitsadmin.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\curl.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\msxsl.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
view Sigma YAML
title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
references:
- https://redcanary.com/blog/intelligence-insights-december-2021
- https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\keytool.exe'
Image|endswith:
- '\cmd.exe'
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\scrcons.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
- '\systeminfo.exe'
- '\reg.exe'
- '\query.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
view Sigma YAML
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
TargetObject|endswith:
# Note: add other application to increase coverage
- '\csrss.exe'
- '\dllhost.exe'
- '\explorer.exe'
- '\RuntimeBroker.exe'
- '\services.exe'
- '\sihost.exe'
- '\svchost.exe'
- '\taskhostw.exe'
- '\winlogon.exe'
- '\WmiPrvSe.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
view Sigma YAML
title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
related:
- id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
type: similar
status: experimental
description: |
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://github.com/JohnHammond/recaptcha-phish
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
Details|contains: '#'
selection_space_variation:
Details|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
view Sigma YAML
title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
related:
- id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
type: similar
status: experimental
description: |
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: registry_set
product: windows
detection:
selection_key:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
Details|contains: '#'
selection_space_variation:
Details|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
view Sigma YAML
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
- https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
category: process_creation
product: windows
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.003
- attack.t1218
detection:
selection:
ParentImage|endswith: '\SpeechRuntime.exe'
condition: selection
falsepositives:
- Unlikely.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
view Sigma YAML
title: Suspicious Splwow64 Without Params
id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
status: test
description: Detects suspicious Splwow64.exe process without any command line parameters
references:
- https://twitter.com/sbousseaden/status/1429401053229891590?s=12
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\splwow64.exe'
CommandLine|endswith: 'splwow64.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
view Sigma YAML
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
- id: 2aa0a6b4-a865-495b-ab51-c28249537b75
type: similar
status: test
description: |
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
- https://github.com/last-byte/PersistenceSniper
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1204.002
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith:
# Add or remove suspicious extensions according to your env needs
- '.bat'
- '.cmd'
- '.dll'
- '.hta'
- '.jar'
- '.js'
- '.jse'
- '.msi'
- '.ps1'
- '.psd1'
- '.psm1'
- '.scr'
- '.url'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Rare legitimate usage of some of the extensions mentioned in the rule
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
view Sigma YAML
title: Suspicious TSCON Start as SYSTEM
id: 9847f263-4a81-424f-970c-875dab15b79b
status: test
description: Detects a tscon.exe start as LOCAL SYSTEM
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2022-05-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious UltraVNC Execution
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
view Sigma YAML
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
- https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
- https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
- attack.lateral-movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
view Sigma YAML
title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
- id: 36c5146c-d127-4f85-8e21-01bf62355d5a
type: obsolete
- id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
type: similar
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
references:
- https://redcanary.com/blog/raspberry-robin/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_openasrundll:
CommandLine|contains: 'ShellExec_RunDLL'
selection_suspcli:
CommandLine|contains:
# Note: The ordinal number may differ depending on the DLL version
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- 'comspec'
- 'iex'
- 'Invoke-'
- 'msiexec'
- 'odbcconf'
- 'regsvr32'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
view Sigma YAML
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
status: test
description: Detects suspicious inline VBScript keywords as used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Execute'
- 'CreateObject'
- 'RegRead'
- 'window.close'
- '\Microsoft\Windows\CurrentVersion'
filter:
CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
view Sigma YAML
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\Velociraptor.exe'
selection_child_vscode_tunnel:
CommandLine|contains|all:
- 'code.exe'
- 'tunnel'
- '--accept-server-license-terms'
selection_child_msiexec:
CommandLine|contains|all:
- 'msiexec'
- '/i'
- 'http'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
- '.DownloadFile'
- '.DownloadString'
# Add more child process patterns as needed
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
view Sigma YAML
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
- https://twitter.com/aceresponder/status/1636116096506818562
- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
- https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
- cve.2023-23397
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
ParentCommandLine|contains: '-s WebClient'
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
filter_local_ips:
CommandLine|contains:
- '://10.' # 10.0.0.0/8
- '://192.168.' # 192.168.0.0/16
- '://172.16.' # 172.16.0.0/12
- '://172.17.'
- '://172.18.'
- '://172.19.'
- '://172.20.'
- '://172.21.'
- '://172.22.'
- '://172.23.'
- '://172.24.'
- '://172.25.'
- '://172.26.'
- '://172.27.'
- '://172.28.'
- '://172.29.'
- '://172.30.'
- '://172.31.'
- '://127.' # 127.0.0.0/8
- '://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
view Sigma YAML
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
- id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith: '\wbem\WmiPrvSE.exe'
selection_children_1:
# TODO: Add more LOLBINs or suspicious processes that make sens in your environment
Image|endswith:
- '\certutil.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\verclsid.exe'
- '\wscript.exe'
selection_children_2:
# This is in a separate selection due to the nature of FP generated with CMD
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'cscript'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'wscript'
filter_main_werfault:
Image|endswith: '\WerFault.exe'
filter_main_wmiprvse:
Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
filter_main_msiexec:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/i '
condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
view Sigma YAML
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth (Nextron Systems), Sittikorn S
date: 2021-09-10
modified: 2023-06-22
tags:
- attack.resource-development
- attack.t1587
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection_cab:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\Windows\INetCache'
TargetFilename|endswith: '.cab'
selection_inf:
Image|endswith: '\winword.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.inf'
filter_main_legit:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: 'AppData\Local\Temp'
TargetFilename|endswith: '\Content.inf'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
view Sigma YAML
title: Syslog Clearing or Removal Via System Utilities
id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
status: test
description: |
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2025-10-15
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
category: process_creation
detection:
selection_file:
CommandLine|contains: '/var/log/syslog'
selection_command_rm:
# Examples:
# rm -f /var/log/syslog
Image|endswith: '/rm'
CommandLine|contains:
- ' -r '
- ' -f '
- ' -rf '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
selection_command_unlink:
# Examples:
# unlink /var/log/syslog
Image|endswith: '/unlink'
selection_command_mv:
# Examples:
# mv /var/log/syslog
Image|endswith: '/mv'
selection_command_truncate:
# Examples:
# truncate --size 0 /var/log/syslog
Image|endswith: '/truncate'
CommandLine|contains|all:
- '0 '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-s '
- '-c '
- '--size'
selection_command_ln:
# Examples:
# ln -sfn /dev/null /var/log/syslog
Image|endswith: '/ln'
CommandLine|contains|all:
- '/dev/null '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-sf '
- '-sfn '
- '-sfT '
selection_command_cp:
# Examples:
# cp /dev/null /var/log/syslog
Image|endswith: '/cp'
CommandLine|contains: '/dev/null'
selection_command_shred:
# Examples:
# shred -u /var/log/syslog
Image|endswith: '/shred'
CommandLine|contains: '-u '
selection_unique_other:
CommandLine|contains:
- ' > /var/log/syslog'
- ' >/var/log/syslog'
- ' >| /var/log/syslog' # redirection empties w spacing, noclobber
- ': > /var/log/syslog'
- ':> /var/log/syslog'
- ':>/var/log/syslog'
- '>|/var/log/syslog'
selection_unique_journalctl:
CommandLine|contains:
- 'journalctl --vacuum'
- 'journalctl --rotate' # archives current journal files and creates new empty ones
condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
falsepositives:
- Log rotation.
- Maintenance.
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Driver Altitude Change
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
view Sigma YAML
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
- https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\'
TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
condition: selection
falsepositives:
- Legitimate driver altitude change to hide sysmon
level: high
Convert to SIEM query
high
Strong
High FP
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
view Sigma YAML
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://github.com/mhaskar/FsquirtCPLPoC
- https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\appwiz.cpl' # Usually loaded by fondue.exe
- '\bthprops.cpl' # Usually loaded by fsquirt.exe
- '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
filter_main_legit_location:
ImageLoaded|startswith:
- 'C:\Windows\Prefetch\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
Convert to SIEM query
high
Strong
Medium FP
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
view Sigma YAML
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
Convert to SIEM query
high
Moderate
Medium FP
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
view Sigma YAML
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
author: Florian Roth (Nextron Systems)
date: 2020-07-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1055.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'dll,MyStart'
- 'dll MyStart'
selection2a:
CommandLine|endswith: ' MyStart'
selection2b:
CommandLine|contains: 'rundll32.exe'
condition: selection1 or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
view Sigma YAML
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper With Sophos AV Registry Keys
Detects tamper attempts to sophos av functionality via registry key modification
view Sigma YAML
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
- '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
- '\Sophos\SAVService\TamperProtection\Enabled'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high
Convert to SIEM query
high
Moderate
High FP
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
view Sigma YAML
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
- https://www.exploit-db.com/exploits/37525
- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'taskkill'
- ' /F '
- ' /IM '
- 'ccSvcHst.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
view Sigma YAML
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
view Sigma YAML
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains:
- 'echo '
- 'copy '
- 'type '
- 'file createnew'
selection2:
CommandLine|contains:
- ' C:\Windows\System32\Tasks\'
- ' C:\Windows\SysWow64\Tasks\'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
view Sigma YAML
title: TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
id: 81c0b7f5-81c9-435e-a291-bc32fc2b72cd
status: experimental
description: |
Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack.
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
- https://novasky.io/hunts/hunting-litellm-supply-chain
- https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
- https://huskyhacks.io/posts/litellm-cred-stealer/
- https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.002
- attack.initial-access
- attack.t1195.002
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
Image|contains: '/python3'
TargetFilename|endswith:
- '/.config/sysmon/sysmon.py'
- '/.config/systemd/user/sysmon.service'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 701-750 of 1,524