Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix). Rules per tactic:
Reconnaissance: 4
Resource Development: 5
Initial Access: 7
Execution: 25
Persistence: 31
Privilege Escalation: 17
Stealth: 63
Defense Impairment: 16
Credential Access: 26
Discovery: 24
Lateral Movement: 10
Collection: 11
Command and Control: 18
Exfiltration: 7
Impact: 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules (50 shown of 1,524)
Level: medium · Quality: Strong · Volume: Medium FP
Wow6432Node Classes Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Sigma YAML:
title: Wow6432Node Classes Autorun Keys Modification
id: 18f2065c-d36c-464a-a748-bcf909acb2e3
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    wow_classes_base:
        TargetObject|contains: '\Software\Wow6432Node\Classes'
    wow_classes:
        TargetObject|contains:
            - '\Folder\ShellEx\ExtShellFolderViews'
            - '\Folder\ShellEx\DragDropHandlers'
            - '\Folder\ShellEx\ColumnHandlers'
            - '\Directory\Shellex\DragDropHandlers'
            - '\Directory\Shellex\CopyHookHandlers'
            - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance'
            - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance'
            - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance'
            - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance'
            - '\AllFileSystemObjects\ShellEx\DragDropHandlers'
            - '\ShellEx\PropertySheetHandlers'
            - '\ShellEx\ContextMenuHandlers'
    filter:
        Details: '(Empty)'
    condition: wow_classes_base and wow_classes and not filter
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
    - Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Level: medium · Quality: Moderate · Volume: High FP
Write Protect For Storage Disabled
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Sigma YAML:
title: Write Protect For Storage Disabled
id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13
status: test
description: |
    Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
    This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
references:
    - https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
author: Sreeman
date: 2021-06-11
modified: 2024-01-18
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - '\System\CurrentControlSet\Control'
            - 'Write Protection'
            - '0'
            - 'storage'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Volume: High FP
Writing Local Admin Share
Adversaries may interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
Sigma YAML:
title: Writing Local Admin Share
id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f
status: test
description: |
    Adversaries may interact with a remote network share using Server Message Block (SMB).
    This technique is used by post-exploitation frameworks.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
author: frack113
date: 2022-01-01
modified: 2022-08-13
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.lateral-movement
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - '\\\\127.0.0'
            - '\ADMIN$\'
    condition: selection
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Volume: Medium FP
Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Sigma YAML:
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Level: medium · Quality: Moderate · Volume: High FP
Wscript Shell Run In CommandLine
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity
Sigma YAML:
title: Wscript Shell Run In CommandLine
id: 2c28c248-7f50-417a-9186-a85b223010ee
status: test
description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity
references:
    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-05-15
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Wscript.'
            - '.Shell'
            - '.Run'
    condition: selection
falsepositives:
    - Inline scripting can be used by some rare third party applications or administrators. Investigate and apply additional filters accordingly
level: medium
Level: low · Quality: Moderate · Volume: High FP
ADS Zone.Identifier Deleted
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
Sigma YAML:
title: ADS Zone.Identifier Deleted
id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
related:
    - id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
      type: similar
status: test
description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
references:
    - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
author: frack113
date: 2023-09-04
tags:
    - attack.stealth
    - attack.t1070.004
    - detection.threat-hunting
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|endswith: ':Zone.Identifier'
    condition: selection
falsepositives:
    - Likely
level: low
Level: low · Quality: Moderate · Volume: High FP
BITS Client BitsProxy DLL Loaded By Uncommon Process
Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
This detection can be used to hunt for uncommon processes loading this DLL in your environment, which may indicate potentially suspicious activity.
Sigma YAML:
title: BITS Client BitsProxy DLL Loaded By Uncommon Process
id: e700ff14-1bff-4d1d-9438-738dff5f0466
status: experimental
description: |
    Detects an uncommon process loading the "BitsProxy.dll". This DLL is used when the BITS COM instance or API is used.
    This detection can be used to hunt for uncommon processes loading this DLL in your environment, which may indicate potentially suspicious activity.
references:
    - https://unicornofhunt.com/2025/05/22/When-Unicorns-Go-Quiet-BITS-Jobs-and-the-Art-of-Stealthy-Transfers/
author: UnicornOfHunt
date: 2025-06-04
tags:
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1197
    - detection.threat-hunting
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\BitsProxy.dll'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\aitstatic.exe'
            - 'C:\Windows\System32\bitsadmin.exe'
            - 'C:\Windows\System32\desktopimgdownldr.exe'
            - 'C:\Windows\System32\DeviceEnroller.exe'
            - 'C:\Windows\System32\MDMAppInstaller.exe'
            - 'C:\Windows\System32\ofdeploy.exe'
            - 'C:\Windows\System32\RecoveryDrive.exe'
            - 'C:\Windows\System32\Speech_OneCore\common\SpeechModelDownload.exe'
            # - 'C:\Windows\System32\svchost.exe' # BITS Service - If you collect CommandLine info. Apply a filter for the specific BITS service.
            - 'C:\Windows\SysWOW64\bitsadmin.exe'
            - 'C:\Windows\SysWOW64\OneDriveSetup.exe'
            - 'C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Allowed binaries in the environment that do BITS Jobs
level: low
Level: low · Quality: Moderate · Volume: High FP
Bash Interactive Shell
Detects execution of the bash shell with the interactive flag "-i".
Sigma YAML:
title: Bash Interactive Shell
id: 6104e693-a7d6-4891-86cb-49a258523559
status: test
description: Detects execution of the bash shell with the interactive flag "-i".
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
    - https://linux.die.net/man/1/bash
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/bash'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Volume: High FP
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE".
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system.
This is a rarely used application and any usage of it is worth investigating.
Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Sigma YAML:
title: BitLockerTogo.EXE Execution
id: 7f2376f9-42ee-4dfc-9360-fecff9a88fc8
status: test
description: |
    Detects the execution of "BitLockerToGo.EXE".
    BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted using the NTFS, FAT16, FAT32, or exFAT file system.
    This is a rarely used application and any usage of it is worth investigating.
    Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
references:
    - https://tria.ge/240521-ynezpagf56/behavioral1
    - https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091
    - https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/
    - https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
author: Josh Nickels, mttaggart
date: 2024-07-11
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\BitLockerToGo.exe'
    condition: selection
falsepositives:
    - Legitimate usage of BitLockerToGo.exe to encrypt portable devices.
level: low
Level: low · Quality: Moderate · Volume: High FP
Browser Execution In Headless Mode
Detects execution of Chromium based browser in headless mode
Sigma YAML:
title: Browser Execution In Headless Mode
id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
related:
    - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
      type: derived
status: test
description: Detects execution of Chromium based browser in headless mode
references:
    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-12
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--headless'
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Strong · Volume: High FP
CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
Sigma YAML:
title: CVE-2023-40477 Potential Exploitation - .REV File Creation
id: c3bd6c55-d495-4c34-918e-e03e8828c074
status: test
description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
references:
    - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/
    - https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC
    - https://www.rarlab.com/vuln_rev3_names.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - cve.2023-40477
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\explorer.exe' # When extracted via context menu
            - '\WinRAR.exe'
        TargetFilename|endswith: '.rev'
    condition: selection
falsepositives:
    - Legitimate extraction of multipart or recovery volumes ZIP files
level: low
Level: low · Quality: Moderate · Volume: High FP
Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Sigma YAML:
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
Level: low · Quality: Moderate · Volume: High FP
Clipboard Collection with Xclip Tool
Detects attempts to collect data stored in the clipboard from users using the xclip tool. Xclip has to be installed.
Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.
Sigma YAML:
title: Clipboard Collection with Xclip Tool
id: ec127035-a636-4b9a-8555-0efd4e59f316
status: test
description: |
    Detects attempts to collect data stored in the clipboard from users using the xclip tool. Xclip has to be installed.
    Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations.
references:
    - https://www.packetlabs.net/posts/clipboard-data-security/
author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-09-15
tags:
    - attack.collection
    - attack.t1115
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|contains: 'xclip'
        CommandLine|contains|all:
            - '-sel'
            - 'clip'
            - '-o'
    condition: selection
falsepositives:
    - Legitimate usage of xclip tools.
level: low
Level: low · Quality: Strong · Volume: High FP
Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Sigma YAML:
title: Command Executed Via Run Dialog Box - Registry
id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
related:
    - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
      type: derived
status: test
description: |
    Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
    This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
    - https://www.forensafe.com/blogs/runmrukey.html
    - https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
    - detection.threat-hunting
    - attack.execution
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    filter_main_mrulist:
        TargetObject|endswith: '\MRUList'
    filter_optional_ping:
        Details|contains: 'ping'
    filter_optional_generic:
        Details:
            - '%appdata%\1'
            - '%localappdata%\1'
            - '%public%\1'
            - '%temp%\1'
            - 'calc\1'
            - 'dxdiag\1'
            - 'explorer\1'
            - 'gpedit.msc\1'
            - 'mmc\1'
            - 'notepad\1'
            - 'regedit\1'
            - 'services.msc\1'
            - 'winver\1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Likely
level: low
Level: low · Quality: Moderate · Volume: High FP
Connection Proxy
Detects the setting of a proxy configuration
Sigma YAML:
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects the setting of a proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.command-and-control
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
Level: low · Quality: Strong · Volume: High FP
Container Residence Discovery Via Proc Virtual FS
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Sigma YAML:
title: Container Residence Discovery Via Proc Virtual FS
id: 746c86fb-ccda-4816-8997-01386263acc4
status: test
description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
references:
    - https://blog.skyplabs.net/posts/container-detection/
    - https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
    - attack.discovery
    - attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
    category: process_creation
    product: linux
detection:
    selection_tools:
        Image|endswith:
            - 'awk'
            - '/cat'
            - 'grep'
            - '/head'
            - '/less'
            - '/more'
            - '/nl'
            - '/tail'
    selection_procfs_kthreadd: # outside containers, PID 2 == kthreadd
        CommandLine|contains: '/proc/2/'
    selection_procfs_target:
        CommandLine|contains: '/proc/'
        CommandLine|endswith:
            - '/cgroup' # cgroups end in ':/' outside containers
            - '/sched' # PID mismatch when run in containers
    condition: selection_tools and 1 of selection_procfs_*
falsepositives:
    - Legitimate system administrator usage of these commands
    - Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
Level: low · Quality: Strong · Volume: High FP
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
Sigma YAML:
title: Creation Of A Local User Account
id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
    - https://ss64.com/osx/sysadminctl.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2023-02-18
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection_dscl:
        Image|endswith: '/dscl'
        CommandLine|contains: 'create'
    selection_sysadminctl:
        Image|endswith: '/sysadminctl'
        CommandLine|contains: 'addUser'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: low
Level: low · Quality: Moderate · Volume: High FP
Creation of an Executable by an Executable
Detects the creation of an executable by another executable.
Sigma YAML:
title: Creation of an Executable by an Executable
id: 297afac9-5d02-4138-8c58-b977bac60556
status: test
description: Detects the creation of an executable by another executable.
references:
    - Internal Research
author: frack113
date: 2022-03-09
modified: 2025-02-24
tags:
    - attack.resource-development
    - attack.t1587.001
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith: '.exe'
    filter_main_generic_1:
        Image|endswith:
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\system32\cleanmgr.exe'
            - ':\Windows\explorer.exe'
            - ':\WINDOWS\system32\dxgiadaptercache.exe'
            - ':\WINDOWS\system32\Dism.exe'
            - ':\Windows\System32\wuauclt.exe'
    filter_main_update:
        # Security_UserID: S-1-5-18
        # Example:
        # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
        Image|endswith: ':\WINDOWS\system32\svchost.exe'
        TargetFilename|contains: ':\Windows\SoftwareDistribution\Download\'
    filter_main_upgrade:
        Image|endswith: ':\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            # Example:
            # This example was seen during windows upgrade
            # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
            - ':\WUDownloadCache\'
            - '\WindowsUpdateBox.exe'
    filter_main_windows_update_box:
        # This FP was seen during Windows Upgrade
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
        Image|contains: ':\WINDOWS\SoftwareDistribution\Download\'
        Image|endswith: '\WindowsUpdateBox.Exe'
        TargetFilename|contains: ':\$WINDOWS.~BT\Sources\'
    filter_main_tiworker:
        Image|contains: ':\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_main_programfiles:
        - Image|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
        - TargetFilename|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    filter_main_defender:
        Image|contains:
            - ':\ProgramData\Microsoft\Windows Defender\'
            - ':\Program Files\Windows Defender\'
    filter_main_windows_apps:
        TargetFilename|contains: '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
            - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
    filter_main_mscorsvw:
        # Example:
        # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
        # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|contains: ':\Windows\assembly\NativeImages_'
    filter_main_vscode:
        Image|contains: '\AppData\Local\'
        Image|endswith: '\Microsoft VS Code\Code.exe'
        TargetFilename|contains: '\.vscode\extensions\'
    filter_main_githubdesktop:
        Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
        # Example TargetFileName:
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
        TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
    filter_main_windows_temp:
        - Image|contains: ':\WINDOWS\TEMP\'
        - TargetFilename|contains: ':\WINDOWS\TEMP\'
    filter_optional_python:
        Image|contains: '\Python27\python.exe'
        TargetFilename|contains:
            - '\Python27\Lib\site-packages\'
            - '\Python27\Scripts\'
            - '\AppData\Local\Temp\'
    filter_optional_squirrel:
        Image|contains: '\AppData\Local\SquirrelTemp\Update.exe'
        TargetFilename|contains: '\AppData\Local'
    filter_main_temp_installers:
        - Image|contains: '\AppData\Local\Temp\'
        - TargetFilename|contains: '\AppData\Local\Temp\'
    filter_optional_chrome:
        Image|endswith: '\ChromeSetup.exe'
        TargetFilename|contains: '\Google'
    filter_main_dot_net:
        Image|contains: ':\Windows\Microsoft.NET\Framework'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|contains: ':\Windows\assembly'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    # Please contribute to FP to increase the level
    - Software installers
    - Update utilities
    - 32bit applications launching their 64bit versions
level: low
Level: low · Quality: Strong · Volume: High FP
Crontab Enumeration
Detects usage of crontab to list the tasks of the user
Sigma YAML:
title: Crontab Enumeration
id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
status: test
description: Detects usage of crontab to list the tasks of the user
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1007
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: ' -l'
    condition: selection
falsepositives:
    - Legitimate use of crontab
level: low
Level: low · Quality: Moderate · Volume: High FP
Curl Usage on Linux
Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
Sigma YAML:
title: Curl Usage on Linux
id: ea34fb97-e2c4-4afb-810f-785e4459b194
status: test
description: Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low
Level: low · Quality: Moderate · Volume: High FP
Curl.EXE Execution
Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server
Sigma YAML:
title: Curl.EXE Execution
id: bbeaed61-1990-4773-bf57-b81dbad7db2d
related:
    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
      type: derived
status: test
description: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server
references:
    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
author: Florian Roth (Nextron Systems)
date: 2022-07-05
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    condition: selection
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: low
low
Strong
High FP
DD File Overwrite
Detects potential overwriting and deletion of a file using DD.
view Sigma YAML
title: DD File Overwrite
id: 2953194b-e33c-4859-b9e8-05948c167447
status: test
description: Detects potential overwriting and deletion of a file using DD.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-07-07
tags:
- attack.impact
- attack.t1485
logsource:
product: linux
category: process_creation
detection:
selection1:
Image:
- '/bin/dd'
- '/usr/bin/dd'
selection2:
CommandLine|contains: 'of='
selection3:
CommandLine|contains:
- 'if=/dev/zero'
- 'if=/dev/null'
condition: all of selection*
falsepositives:
- Any user deleting files that way.
level: low
low
Moderate
High FP
DMP/HDMP File Creation
Detects the creation of a file with the ".dmp", ".dump" or ".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
title: DMP/HDMP File Creation
id: 3a525307-d100-48ae-b3b9-0964699d7f97
status: test
description: Detects the creation of a file with the ".dmp", ".dump" or ".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
- https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
- detection.threat-hunting
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '.dmp'
- '.dump'
- '.hdmp'
condition: selection
falsepositives:
- Likely during crashes of software
level: low
low
Moderate
High FP
Decode Base64 Encoded Text
Detects usage of base64 utility to decode arbitrary base64-encoded text
title: Decode Base64 Encoded Text
id: e2072cab-8c9a-459b-b63c-40ae79e27031
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/base64'
CommandLine|contains: '-d' # Also covers "--decode"
condition: selection
falsepositives:
- Legitimate activities
level: low
low
Moderate
High FP
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: macos
detection:
selection:
Image: '/usr/bin/base64'
CommandLine|contains: '-d'
condition: selection
falsepositives:
- Legitimate activities
level: low
low
Strong
High FP
Discovery of a System Time
Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
title: Discovery of a System Time
id: b243b280-65fe-48df-ba07-6ddea7646427
status: test
description: Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-06-28
tags:
- attack.discovery
- attack.t1124
logsource:
category: process_creation
product: windows
detection:
selection_time:
Image|endswith:
- '\net.exe'
- '\net1.exe'
CommandLine|contains: 'time'
selection_w32tm:
Image|endswith: '\w32tm.exe'
CommandLine|contains: 'tz'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the system utilities to discover system time for legitimate reason
level: low
low
Moderate
High FP
Docker Container Discovery Via Dockerenv Listing
Detects listing or file reading of ".dockerenv", which can be a sign of container discovery
title: Docker Container Discovery Via Dockerenv Listing
id: 11701de9-d5a5-44aa-8238-84252f131895
status: test
description: Detects listing or file reading of ".dockerenv", which can be a sign of container discovery
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# Note: add additional tools and utilities to increase coverage
- '/cat'
- '/dir'
- '/find'
- '/ls'
- '/stat'
- '/test'
- 'grep' # no leading slash, so this also matches egrep, fgrep, zgrep and similar
CommandLine|endswith: '.dockerenv'
condition: selection
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
low
Moderate
High FP
Dynamic CSharp Compile Artefact
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution
title: Dynamic CSharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
description: |
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022-01-09
modified: 2023-02-17
tags:
- attack.stealth
- attack.t1027.004
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.cmdline'
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
ETW Logging Disabled For SCM
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
title: ETW Logging Disabled For SCM
id: 4f281b83-0200-4b34-bf35-d24687ea57c2
status: test
description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
references:
- http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
ETW Logging Disabled For rpcrt4.dll
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
title: ETW Logging Disabled For rpcrt4.dll
id: 90f342e1-1aaa-4e43-b092-39fda57ed11e
status: test
description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
references:
- http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-09
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
Details:
# This is disabled by default for some reason
- 'DWORD (0x00000000)' # Off
- 'DWORD (0x00000002)' # Off with exceptions
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
title: Files Added To An Archive Using Rar.EXE
id: 6f3e2987-db24-4c78-a860-b4f4095a7095
status: test
description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
author: Timur Zinniatullin, E.M. Anhaus, oscd.community
date: 2019-10-21
modified: 2023-02-05
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rar.exe'
CommandLine|contains: ' a '
condition: selection
falsepositives:
- Highly likely if rar is a default archiver in the monitored environment.
level: low
low
Strong
High FP
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
title: GUI Input Capture - macOS
id: 60f1ce20-484e-41bd-85f4-ac4afec2c541
status: test
description: Detects attempts to use system dialog prompts to capture user credentials
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
- https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
author: remotephone, oscd.community
date: 2020-10-13
modified: 2025-12-05
tags:
- attack.collection
- attack.credential-access
- attack.t1056.002
logsource:
product: macos
category: process_creation
detection:
selection_img:
Image|endswith: '/osascript'
selection_cli_1:
CommandLine|contains|all:
- '-e'
- 'display'
- 'dialog'
- 'answer'
selection_cli_2:
CommandLine|contains:
- 'admin'
- 'administrator'
- 'authenticate'
- 'authentication'
- 'credentials'
- 'pass'
- 'password'
- 'unlock'
condition: all of selection_*
falsepositives:
- Legitimate administration tools and activities
level: low
low
Moderate
High FP
Gatekeeper Bypass via Xattr
Detects macOS Gatekeeper bypass via xattr utility
title: Gatekeeper Bypass via Xattr
id: f5141b6d-9f42-41c6-a7bf-2a780678b29b
status: test
description: Detects macOS Gatekeeper bypass via xattr utility
references:
- https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md
- https://www.loobins.io/binaries/xattr/
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2024-04-18
tags:
- attack.defense-impairment
- attack.t1553.001
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/xattr'
CommandLine|contains|all:
- '-d'
- 'com.apple.quarantine'
condition: selection
falsepositives:
- Legitimate activities
level: low
low
Moderate
High FP
Guest Account Enabled Via Sysadminctl
Detects attempts to enable the guest account using the sysadminctl utility
title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
- https://ss64.com/osx/sysadminctl.html
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.t1078.001
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/sysadminctl'
CommandLine|contains|all:
# By default the guest account is not active
- ' -guestAccount'
- ' on'
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
HTML File Opened From Download Folder
Detects web browser process opening an HTML file from a user's Downloads folder.
This behavior could be associated with phishing attacks where threat actors send HTML attachments to users.
When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
title: HTML File Opened From Download Folder
id: 538c5851-8c03-4724-8ec4-623bc7aadaea
status: experimental
description: |
Detects web browser process opening an HTML file from a user's Downloads folder.
This behavior could be associated with phishing attacks where threat actors send HTML attachments to users.
When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
references:
- https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
- https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
author: Joseph Kamau
date: 2025-12-05
tags:
- attack.t1598.002
- attack.t1566.001
- attack.initial-access
- attack.reconnaissance
- detection.threat-hunting
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains|all:
- ':\users\'
- '\Downloads\'
- '.htm'
condition: selection
falsepositives:
- Opening any HTML file located in users directories via a browser process will trigger this.
level: low
low
Moderate
High FP
Indirect Command Execution By Program Compatibility Wizard
Detects indirect command execution via the Program Compatibility Assistant (pcwrun.exe)
title: Indirect Command Execution By Program Compatibility Wizard
id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc
status: test
description: Detects indirect command execution via the Program Compatibility Assistant (pcwrun.exe)
references:
- https://twitter.com/pabraeken/status/991335019833708544
- https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
author: A. Sungurov , oscd.community
date: 2020-10-12
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\pcwrun.exe'
condition: selection
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
- Legit usage of scripts
level: low
low
Moderate
High FP
Install Root Certificate
Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s
title: Install Root Certificate
id: 78a80655-a51e-4669-bc6b-e9d206a462ee
status: test
description: Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: Ömer Günal, oscd.community
date: 2020-10-05
modified: 2022-07-07
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/update-ca-certificates'
- '/update-ca-trust'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
low
Strong
High FP
JAMF MDM Execution
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
title: JAMF MDM Execution
id: be2e3a5c-9cc7-4d02-842a-68e9cb26ec49
status: test
description: |
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
references:
- https://github.com/MythicAgents/typhon/
- https://www.zoocoup.org/casper/jamf_cheatsheet.pdf
- https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
author: Jay Pandit
date: 2023-08-22
tags:
- attack.execution
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/jamf'
CommandLine|contains:
# Note: add or remove commands according to your policy
- 'createAccount'
- 'manage'
- 'removeFramework'
- 'removeMdmProfile'
- 'resetPassword'
- 'setComputerName'
condition: selection
falsepositives:
- Legitimate use of the JAMF CLI tool by IT support and administrators
level: low
low
Moderate
High FP
Linux Doas Tool Execution
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
title: Linux Doas Tool Execution
id: 067d8238-7127-451c-a9ec-fa78045b618b
status: stable
description: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
references:
- https://research.splunk.com/endpoint/linux_doas_tool_execution/
- https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/doas'
condition: selection
falsepositives:
- Unlikely
level: low
low
Strong
High FP
Linux Network Service Scanning Tools Execution
Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example.
title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
- https://github.com/projectdiscovery/naabu
- https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
- attack.discovery
- attack.t1046
logsource:
category: process_creation
product: linux
detection:
selection_netcat:
Image|endswith:
- '/nc'
- '/ncat'
- '/netcat'
- '/socat'
selection_network_scanning_tools:
Image|endswith:
- '/autorecon'
- '/hping'
- '/hping2'
- '/hping3'
- '/naabu'
- '/nmap'
- '/nping'
- '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
- '/zenmap'
filter_main_netcat_listen_flag:
CommandLine|contains:
- ' --listen '
- ' -l '
condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
- Legitimate administration activities
level: low
low
Strong
High FP
Linux Package Uninstall
Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get", "dpkg" or "rpm".
title: Linux Package Uninstall
id: 95d61234-7f56-465c-6f2d-b562c6fedbc4
status: test
description: Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get", "dpkg" or "rpm".
references:
- https://sysdig.com/blog/mitre-defense-evasion-falco
- https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command
- https://linuxhint.com/uninstall_yum_package/
- https://linuxhint.com/uninstall-debian-packages/
author: Tuan Le (NCSGroup), Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-09
tags:
- attack.stealth
- attack.t1070
logsource:
product: linux
category: process_creation
detection:
selection_yum:
Image|endswith: '/yum'
CommandLine|contains:
- 'erase'
- 'remove'
selection_apt:
Image|endswith:
- '/apt'
- '/apt-get'
CommandLine|contains:
- 'remove'
- 'purge'
selection_dpkg:
Image|endswith: '/dpkg'
CommandLine|contains:
- '--remove '
- ' -r '
selection_rpm:
Image|endswith: '/rpm'
CommandLine|contains: ' -e '
condition: 1 of selection_*
falsepositives:
- Administrator or administrator scripts might delete packages for several reasons (debugging, troubleshooting).
level: low
low
Strong
High FP
Linux Remote System Discovery
Detects the enumeration of other remote systems.
title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/arp'
CommandLine|contains: '-a'
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
- ' 172.20.'
- ' 172.21.'
- ' 172.22.'
- ' 172.23.'
- ' 172.24.'
- ' 172.25.'
- ' 172.26.'
- ' 172.27.'
- ' 172.28.'
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
low
Moderate
High FP
Linux Setgid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
title: Linux Setgid Capability Set on a Binary via Setcap Utility
id: 3a716279-c18c-4488-83be-f9ececbfb9fc
status: experimental
description: |
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
- https://man7.org/linux/man-pages/man8/setcap.8.html
- https://dfir.ch/posts/linux_capabilities/
- https://juggernaut-sec.com/capabilities/#cap_setgid
author: Luc Génaux
date: 2026-01-24
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1548
- attack.t1554
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/setcap'
CommandLine|contains: 'cap_setgid'
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
Linux Setuid Capability Set on a Binary via Setcap Utility
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
title: Linux Setuid Capability Set on a Binary via Setcap Utility
id: ed447910-bc30-4575-a598-3a2e49516a7a
status: experimental
description: |
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
- https://man7.org/linux/man-pages/man8/setcap.8.html
- https://dfir.ch/posts/linux_capabilities/
- https://juggernaut-sec.com/capabilities/#cap_setuid
author: Luc Génaux
date: 2026-01-24
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1548
- attack.t1554
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/setcap'
CommandLine|contains: 'cap_setuid'
condition: selection
falsepositives:
- Unknown
level: low
low
Moderate
High FP
Linux Sudo Chroot Execution
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
Attackers may use this technique to evade detection and execute commands in a modified environment.
This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
title: Linux Sudo Chroot Execution
id: f2bed782-994e-4f40-9cd5-518198cb3fba
status: experimental
description: |
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
Attackers may use this technique to evade detection and execute commands in a modified environment.
This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
references:
- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains:
- ' --chroot '
- 'sudo -R '
condition: selection
falsepositives:
- Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
level: low
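The "Linux Sudo Chroot Execution" rule above, hand-translated into Python and run over constructed events, as an added example that is not code from the Sigma project or this page. It assumes sudo's documented option syntax (`-R directory`, `--chroot=directory`, and the unrelated SELinux `-r role`) and that the backend honours Sigma's default case-insensitive matching. The `widened` predicate is a suggestion of mine, not part of the published rule: it corresponds to a `CommandLine|re` selection and shows what the two published substrings leave uncovered.

```python
# Added example (not from the Sigma project or this page): the "Linux Sudo
# Chroot Execution" rule, hand-translated into Python and run over constructed
# process_creation events. Sigma matching is case-insensitive by default, so
# the literal translation lowercases both fields.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Sigma 'Image'
    command_line: str   # Sigma 'CommandLine'


def sudo_chroot_as_written(ev: ProcessEvent) -> bool:
    """Literal translation: Image|endswith '/sudo' and CommandLine|contains ' --chroot ' or 'sudo -R '."""
    img, cl = ev.image.lower(), ev.command_line.lower()
    return img.endswith("/sudo") and (" --chroot " in cl or "sudo -r " in cl)


# Suggested widening (assumption, not the published rule), expressible in Sigma with the |re modifier.
# Case-sensitive on purpose: lowercase -r is sudo's SELinux role option, not chroot.
_SHORT_CHROOT = re.compile(r"(?:^|\s)-R\s")


def sudo_chroot_widened(ev: ProcessEvent) -> bool:
    cl = ev.command_line
    return ev.image.lower().endswith("/sudo") and (
        "--chroot" in cl.lower() or _SHORT_CHROOT.search(cl) is not None
    )


# Constructed telemetry, not real logs
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/sudo", "sudo -R /tmp/woot bash"),          # short form: caught by both
    ProcessEvent("/usr/bin/sudo", "sudo --chroot /tmp/woot bash"),    # long form with a space: caught by both
    ProcessEvent("/usr/bin/sudo", "sudo --chroot=/tmp/woot bash"),    # long form with '=' (valid sudo syntax): ' --chroot ' never appears
    ProcessEvent("/usr/bin/sudo", "sudo -u root -R /tmp/woot bash"),  # another option first: 'sudo -R ' never appears
    ProcessEvent("/usr/bin/sudo", "sudo -r sysadm_r -- id"),          # SELinux role: matched as written only because of case folding
    ProcessEvent("/usr/bin/sudo", "sudo apt-get update"),             # ordinary use
]


def triage(events=SAMPLE_EVENTS) -> dict[str, tuple[bool, bool]]:
    """command line -> (fires as written, fires with the widened pattern)"""
    return {ev.command_line: (sudo_chroot_as_written(ev), sudo_chroot_widened(ev)) for ev in events}


if __name__ == "__main__":
    for cl, (as_written, widened) in triage().items():
        print(f"{cl:34}  as_written={as_written!s:5}  widened={widened}")
```

Two invocations the published strings miss are perfectly ordinary sudo syntax, and the one extra hit comes purely from case folding; both are the kind of thing to check with the Atomic test before trusting the alert.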
low
Strong
High FP
Local Groups Discovery - Linux
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
title: Local Groups Discovery - Linux
id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
status: test
description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2025-06-04
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/groups'
selection_2:
Image|endswith:
- '/cat'
- '/ed'
- '/head'
- '/less'
- '/more'
- '/nano'
- '/tail'
- '/vi'
- '/vim'
CommandLine|contains: '/etc/group'
condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: low
low
Strong
High FP
Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
- https://my.f5.com/manage/s/article/K589
- https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: linux
detection:
selection_1:
Image|endswith: '/lastlog'
selection_2:
CommandLine|contains: '''x:0:'''
selection_3:
Image|endswith:
- '/cat'
- '/ed'
- '/head'
- '/more'
- '/nano'
- '/tail'
- '/vi'
- '/vim'
- '/less'
- '/emacs'
- '/sqlite3'
- '/makemap'
CommandLine|contains:
- '/etc/passwd'
- '/etc/shadow'
- '/etc/sudoers'
- '/etc/spwd.db'
- '/etc/pwd.db'
- '/etc/master.passwd'
selection_4:
Image|endswith: '/id'
selection_5:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
low
Strong
High FP
Local System Accounts Discovery - MacOs
Detects enumeration of local system accounts on macOS
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local system accounts on macOS
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscl'
CommandLine|contains|all:
- 'list'
- '/users'
selection_2:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'user'
selection_3:
CommandLine|contains: '''x:0:'''
selection_4:
Image|endswith: '/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_5:
Image|endswith: '/id'
selection_6:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
low
Strong
High FP
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
title: MacOS Network Service Scanning
id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
status: test
description: Detects enumeration of local or remote network services.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1046
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith:
- '/nc'
- '/netcat'
selection_2:
Image|endswith:
- '/nmap'
- '/telnet'
filter:
CommandLine|contains: 'l'
condition: (selection_1 and not filter) or selection_2
falsepositives:
- Legitimate administration activities
level: low
low
Moderate
High FP
MaxMpxCt Registry Value Changed
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client; it is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
view Sigma YAML
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: test
description: |
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client; it is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
references:
- https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps
- https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware
- https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1
- https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-19
tags:
- attack.stealth
- attack.t1070.005
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Services\LanmanServer\Parameters\MaxMpxCt'
condition: selection
falsepositives:
- Unknown
level: low
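To see what the three rules above actually match before pasting their rendered queries into Cortex XDR, here is an added example that evaluates them over a handful of constructed events. It is not the Sigma project's code, not pySigma, and not this catalogue's own converter; it implements only the constructs these rules use (endswith, contains, contains|all, list values OR'ed, 1 of selection*, and selection and not filter), with case-insensitive string matching as the Sigma specification requires. The field names Image, CommandLine and TargetObject are the Sigma taxonomy names used in the rules, so map them to your own schema before reading the results as anything more than an illustration. The run also surfaces the caveat a practitioner should know about the network-scanning rule: its filter suppresses any nc or netcat command line that contains the letter l, so a scan against a hostname such as fileserver.local is missed, while nmap and telnet are unaffected because the filter only applies to selection_1.

```python
"""Mini Sigma evaluator for the three rules above (added illustration, not
Sigma/pySigma or this catalogue's own converter).  It supports only the
constructs those rules use: endswith, contains, contains|all, list values
(OR'ed), '1 of selection*', and 'selection and not filter'.  Matching is
case-insensitive, as the Sigma specification requires for string values.
The events at the bottom are constructed, not captured telemetry."""


def _clause_matches(spec: str, expected, event: dict) -> bool:
    """Evaluate one 'Field|modifier[|all]' clause against an event."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()
    raw = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in raw]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in actual for v in values]
    elif not mods:
        hits = [actual == v for v in values]
    else:
        raise ValueError(f"modifier not supported here: {spec}")
    return all(hits) if "all" in mods else any(hits)


def _selection_matches(selection: dict, event: dict) -> bool:
    """All clauses inside one selection map are AND'ed."""
    return all(_clause_matches(spec, exp, event) for spec, exp in selection.items())


def evaluate(rule: dict, event: dict) -> bool:
    """Evaluate every named selection, then apply the rule's condition."""
    results = {name: _selection_matches(sel, event) for name, sel in rule["detection"].items()}
    return bool(rule["condition"](results))


def _one_of_selections(results: dict) -> bool:
    """'1 of selection*': any selection whose name starts with 'selection'."""
    return any(hit for name, hit in results.items() if name.startswith("selection"))


# The three rules, transcribed from the YAML above; conditions are Python callables.
MACOS_ACCOUNTS = {
    "title": "Local System Accounts Discovery - MacOs",
    "detection": {
        "selection_1": {"Image|endswith": "/dscl", "CommandLine|contains|all": ["list", "/users"]},
        "selection_2": {"Image|endswith": "/dscacheutil", "CommandLine|contains|all": ["-q", "user"]},
        "selection_3": {"CommandLine|contains": "'x:0:'"},
        "selection_4": {"Image|endswith": "/cat", "CommandLine|contains": ["/etc/passwd", "/etc/sudoers"]},
        "selection_5": {"Image|endswith": "/id"},
        "selection_6": {"Image|endswith": "/lsof", "CommandLine|contains": "-u"},
    },
    "condition": _one_of_selections,
}

NET_SCAN = {
    "title": "MacOS Network Service Scanning",
    "detection": {
        "selection_1": {"Image|endswith": ["/nc", "/netcat"]},
        "selection_2": {"Image|endswith": ["/nmap", "/telnet"]},
        "filter": {"CommandLine|contains": "l"},
    },
    "condition": lambda r: (r["selection_1"] and not r["filter"]) or r["selection_2"],
}

MAXMPXCT = {
    "title": "MaxMpxCt Registry Value Changed",
    "detection": {"selection": {"TargetObject|endswith": r"\Services\LanmanServer\Parameters\MaxMpxCt"}},
    "condition": lambda r: r["selection"],
}

# Constructed sample events (not real telemetry); the comment says what should happen.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . list /users"},         # accounts: fires
    {"Image": "/usr/bin/dscl", "CommandLine": "dscl . read /Users/alice"},   # accounts: no 'list', quiet
    {"Image": "/usr/bin/nc", "CommandLine": "nc -zv 10.0.0.5 1-1024"},       # scan: fires
    {"Image": "/usr/bin/nc", "CommandLine": "nc -l 4444"},                   # scan: listener, filtered as intended
    {"Image": "/usr/bin/nc", "CommandLine": "nc -zv fileserver.local 445"},  # scan: MISSED, the 'l' filter is too broad
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sV localhost"},         # scan: fires, filter only covers selection_1
    {"TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt",
     "Details": "DWORD (0x0000ffff)"},                                      # registry: fires
]


def run_corpus(events=SAMPLE_EVENTS) -> list:
    """Return (event index, rule title) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (MACOS_ACCOUNTS, NET_SCAN, MAXMPXCT):
            if evaluate(rule, ev):
                hits.append((i, rule["title"]))
    return hits


if __name__ == "__main__":
    for i, title in run_corpus():
        print(f"event {i}: {title}")
```

Running it reports events 0, 2, 5 and 6 and stays silent on event 4, which is the gap to keep in mind when tuning the scanning rule: narrowing the filter to the actual listen flag (for example a token like " -l") rather than the bare letter would close it, but that is a local tuning decision, not a change this page makes to the upstream rule.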
Showing 1401-1450 of 1,524