Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
low
Moderate
High FP
Microsoft Excel Add-In Loaded
Detects Microsoft Excel loading an Add-In (.xll) file
view Sigma YAML
title: Microsoft Excel Add-In Loaded
id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file
references:
- https://www.mandiant.com/resources/blog/lnk-between-browsers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
- attack.execution
- attack.t1204.002
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\excel.exe'
ImageLoaded|endswith: '.xll'
condition: selection
falsepositives:
- The rules is only looking for ".xll" loads. So some false positives are expected with legitimate and allowed XLLs
level: low
Convert to SIEM query
low
Moderate
High FP
Microsoft Word Add-In Loaded
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
view Sigma YAML
title: Microsoft Word Add-In Loaded
id: 1337afba-d17d-4d23-bd55-29b927603b30
status: test
description: |
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
references:
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
author: Steffen Rogge (dr0pd34d)
date: 2024-07-10
tags:
- attack.execution
- attack.t1204.002
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\winword.exe'
ImageLoaded|endswith: '.wll'
condition: selection
falsepositives:
- The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
level: low
Convert to SIEM query
low
Moderate
High FP
NTDS.DIT Created
Detects creation of a file named "ntds.dit" (Active Directory Database)
view Sigma YAML
title: NTDS.DIT Created
id: 0b8baa3f-575c-46ee-8715-d6f28cc7d33c
status: test
description: Detects creation of a file named "ntds.dit" (Active Directory Database)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'ntds.dit'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility
view Sigma YAML
title: Named Pipe Created Via Mkfifo
id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility
references:
- https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/mkfifo'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
New Cron File Created
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
view Sigma YAML
title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
- https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
- https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
- https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
- https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.003
logsource:
product: linux
category: file_event
detection:
selection_cron_dirs:
TargetFilename|startswith:
- '/etc/cron.d/'
- '/etc/cron.daily/'
- '/etc/cron.hourly/'
- '/etc/cron.monthly/'
- '/etc/cron.weekly/'
- '/var/spool/cron/crontabs/'
- '/var/spool/cron/root'
selection_cron_special_files:
TargetFilename|contains:
- '/etc/cron.allow'
- '/etc/cron.deny'
- '/etc/crontab'
filter_optional_legit_cron:
# Note: FPs on docker images: golang, postgres, python, redis, ruby
TargetFilename:
- '/etc/cron.daily/apt'
- '/etc/cron.daily/dpkg'
- '/etc/cron.daily/passwd'
- '/etc/crontabs/root'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low
Convert to SIEM query
low
Strong
High FP
New ODBC Driver Registered
Detects the registration of a new ODBC driver.
view Sigma YAML
title: New ODBC Driver Registered
id: 3390fbef-c98d-4bdd-a863-d65ed7c610dd
status: test
description: Detects the registration of a new ODBC driver.
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith: '\Driver'
filter_main_sqlserver:
TargetObject|contains: '\SQL Server\'
Details: '%WINDIR%\System32\SQLSRV32.dll'
filter_optional_office_access:
TargetObject|contains: '\Microsoft Access '
Details|startswith: 'C:\Progra'
Details|endswith: '\ACEODBC.DLL'
filter_optional_office_excel:
TargetObject|contains: '\Microsoft Excel Driver'
Details|startswith: 'C:\Progra'
Details|endswith: '\ACEODBC.DLL'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
level: low
Convert to SIEM query
low
Moderate
High FP
New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
view Sigma YAML
title: New Process Created Via Taskmgr.EXE
id: 3d7679bd-0c00-440c-97b0-3f204273e6c7
status: test
description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
references:
- https://twitter.com/ReneFreingruber/status/1172244989335810049
author: Florian Roth (Nextron Systems)
date: 2018-03-13
modified: 2024-01-18
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\taskmgr.exe'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\System32\resmon.exe'
- ':\Windows\System32\Taskmgr.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative activity
level: low
Convert to SIEM query
low
Moderate
High FP
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
view Sigma YAML
title: New Service Creation Using PowerShell
id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
related:
- id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
type: similar
status: test
description: Detects the creation of a new service using powershell.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'New-Service'
- '-BinaryPathName'
condition: selection
falsepositives:
- Legitimate administrator or user creates a service for legitimate reasons.
- Software installation
level: low
Convert to SIEM query
low
Strong
High FP
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
view Sigma YAML
title: New Service Creation Using Sc.EXE
id: 85ff530b-261d-48c6-a441-facaa2e81e48
related:
- id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell
type: similar
status: test
description: Detects the creation of a new service using the "sc.exe" utility.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2023-02-20
modified: 2025-09-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\sc.exe'
CommandLine|contains|all:
- 'create'
- 'binPath'
filter_optional_dropbox:
ParentImage|startswith:
- 'C:\Program Files (x86)\Dropbox\Client\'
- 'C:\Program Files\Dropbox\Client\'
ParentImage|endswith: '\Dropbox.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate administrator or user creates a service for legitimate reasons.
- Software installation
level: low
Convert to SIEM query
low
Moderate
High FP
Notepad Password Files Discovery
Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
view Sigma YAML
title: Notepad Password Files Discovery
id: 3b4e950b-a3ea-44d3-877e-432071990709
status: experimental
description: Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
references:
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
- https://intel.thedfirreport.com/eventReports/view/57 # Private Report
author: 'The DFIR Report'
tags:
- attack.discovery
- attack.t1083
date: 2025-02-21
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith: '\notepad.exe'
CommandLine|endswith:
# Note: Commandline to contain a file with the string password and a specific extension
- 'password*.txt'
- 'password*.csv'
- 'password*.doc'
- 'password*.xls'
condition: selection
falsepositives:
- Legitimate use of opening files from remote hosts by administrators or users. However, storing passwords in text readable format could potentially be a violation of the organization's policy. Any match should be investigated further.
level: low
Convert to SIEM query
low
Moderate
High FP
OS Architecture Discovery Via Grep
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
view Sigma YAML
title: OS Architecture Discovery Via Grep
id: d27ab432-2199-483f-a297-03633c05bae6
status: test
description: |
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection_process:
Image|endswith: '/grep'
selection_architecture:
CommandLine|endswith:
- 'aarch64'
- 'arm'
- 'i386'
- 'i686'
- 'mips'
- 'x86_64'
condition: all of selection_*
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Strong
High FP
Office Macro File Creation
Detects the creation of a new office macro files on the systems
view Sigma YAML
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
- id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
type: similar
status: test
description: Detects the creation of a new office macro files on the systems
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
filter_main_office:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
TargetFilename|contains: '\~$' # Temporary files created by Office applications
condition: selection and not 1 of filter_main_*
falsepositives:
- Very common in environments that rely heavily on macro documents
level: low
Convert to SIEM query
low
Moderate
High FP
Office Macro File Download
Detects the creation of a new office macro files on the system via an application (browser, mail client).
This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
view Sigma YAML
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
- id: 91174a41-dc8f-401b-be89-7bfc140612a0
type: similar
status: test
description: |
Detects the creation of a new office macro files on the system via an application (browser, mail client).
This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
- https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: file_event
product: windows
detection:
selection_processes:
Image|endswith:
# Email clients
- '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
- '\outlook.exe'
- '\thunderbird.exe'
# Browsers
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\iexplore.exe'
- '\maxthon.exe'
- '\MicrosoftEdge.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\opera.exe'
- '\safari.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
- '\whale.exe'
selection_ext:
- TargetFilename|endswith:
- '.docm'
- '.dotm'
- '.xlsm'
- '.xltm'
- '.potm'
- '.pptm'
- TargetFilename|contains:
- '.docm:Zone'
- '.dotm:Zone'
- '.xlsm:Zone'
- '.xltm:Zone'
- '.potm:Zone'
- '.pptm:Zone'
condition: all of selection_*
falsepositives:
- Legitimate macro files downloaded from the internet
- Legitimate macro files sent as attachments via emails
level: low
Convert to SIEM query
low
Moderate
High FP
Outlook Task/Note Reminder Received
Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
view Sigma YAML
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: test
description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.t1137
- cve.2023-23397
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Office\'
- '\Outlook\'
TargetObject|contains:
- '\Tasks\'
- '\Notes\'
condition: selection
falsepositives:
- Legitimate reminders received for a task or a note will also trigger this rule.
level: low
Convert to SIEM query
low
Strong
High FP
PFX File Creation
Detects the creation of PFX files (Personal Information Exchange format).
PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
- Exfiltrate digital certificates for impersonation or signing malicious code
- Establish persistent access through certificate-based authentication
- Bypass security controls that rely on certificate validation
Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
view Sigma YAML
title: PFX File Creation
id: dca1b3e8-e043-4ec8-85d7-867f334b5724
status: test
description: |
Detects the creation of PFX files (Personal Information Exchange format).
PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
- Exfiltrate digital certificates for impersonation or signing malicious code
- Establish persistent access through certificate-based authentication
- Bypass security controls that rely on certificate validation
Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/14
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-19
tags:
- attack.credential-access
- attack.t1552.004
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.pfx'
filter_optional_onedrive:
Image:
- 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
- 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
TargetFilename|endswith: '\OneDrive\CodeSigning.pfx'
filter_optional_visual_studio:
TargetFilename|startswith:
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_cmake:
TargetFilename|startswith: 'C:\Program Files\CMake\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- System administrators legitimately managing certificates and PKI infrastructure
- Development environments where developers create test certificates for application signing
- Automated certificate deployment tools and scripts used in enterprise environments
- Software installation processes that include certificate provisioning (e.g., web servers, VPN clients)
- Certificate backup and recovery operations performed by IT staff
- Build systems and CI/CD pipelines that generate code signing certificates
- Third-party applications that create temporary certificates for secure communications
level: low
Convert to SIEM query
low
Moderate
High FP
PUA - Adidnsdump Execution
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
view Sigma YAML
title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022-01-01
modified: 2023-02-21
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\python.exe'
CommandLine|contains: 'adidnsdump'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
view Sigma YAML
title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml
Convert to SIEM query
low
Strong
High FP
Potential 7za.DLL Sideloading
Detects potential DLL sideloading of "7za.dll"
view Sigma YAML
title: Potential 7za.DLL Sideloading
id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
status: test
description: Detects potential DLL sideloading of "7za.dll"
references:
- https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
author: X__Junior
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\7za.dll'
filter_main_legit_path:
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
level: low
Convert to SIEM query
low
Strong
High FP
Potential Container Discovery Via Inodes Listing
Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
view Sigma YAML
title: Potential Container Discovery Via Inodes Listing
id: 43e26eb5-cd58-48d1-8ce9-a273f5d298d8
status: test
description: Detects listing of the inodes of the "/" directory to determine if the we are running inside of a container.
references:
- https://blog.skyplabs.net/posts/container-detection/
- https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
tags:
- attack.discovery
- attack.t1082
author: Seth Hanford
date: 2023-08-23
modified: 2025-11-24
logsource:
category: process_creation
product: linux
detection:
selection_ls_img:
Image|endswith: '/ls' # inode outside containers low, inside high
selection_ls_cli:
- CommandLine|endswith: ' /'
- CommandLine|contains: ' / '
selection_regex_inode:
CommandLine|re: '(?:\s-[^-\s]{0,20}i|\s--inode\s)' # -i finds inode number
selection_regex_dir:
CommandLine|re: '(?:\s-[^-\s]{0,20}d|\s--directory\s)' # -d gets directory itself, not contents
condition: all of selection_*
falsepositives:
- Legitimate system administrator usage of these commands
- Some container tools or deployments may use these techniques natively to determine how they proceed with execution, and will need to be filtered
level: low
Convert to SIEM query
low
Moderate
High FP
Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
view Sigma YAML
title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
- attack.resource-development
- attack.t1588.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|windash: ' -accepteula'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
- Programs that use the same command line flag
level: low
Convert to SIEM query
low
Moderate
High FP
Potential Proxy Execution Via Explorer.EXE From Shell Process
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
While this is often a legitimate action, this rule can be use to hunt for anomalies.
Muddy Waters threat actor was seeing using this technique.
view Sigma YAML
title: Potential Proxy Execution Via Explorer.EXE From Shell Process
id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e
status: test
description: |
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe".
Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter.
While this is often a legitimate action, this rule can be use to hunt for anomalies.
Muddy Waters threat actor was seeing using this technique.
references:
- https://twitter.com/CyberRaiju/status/1273597319322058752
- https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative
date: 2020-10-05
modified: 2024-06-21
tags:
- attack.stealth
- attack.t1218
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'explorer.exe'
condition: selection
falsepositives:
- Legitimate explorer.exe run from a shell host like "cmd.exe" or "powershell.exe"
level: low
Convert to SIEM query
low
Strong
High FP
Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
view Sigma YAML
title: Potential Raspberry Robin Registry Set Internet Settings ZoneMap
id: 16a4c7b3-4681-49d0-8d58-3e9b796dcb43
status: test
description: |
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
references:
- https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt
- https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect
- https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
author: Swachchhanda Shrawan Poudel
date: 2024-07-31
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
category: registry_set
product: windows
definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\" and its sub keys must be monitored'
detection:
selection_registry_image:
- Image|contains:
- '\AppData\Local\Temp\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
- Image|endswith: '\control.exe'
selection_registry_object:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\'
selection_value_enable:
TargetObject|endswith:
- '\IntranetName'
- '\ProxyByPass'
- '\UNCAsIntranet'
Details|contains: 'DWORD (0x00000001)'
selection_value_disable:
TargetObject|endswith: '\AutoDetect'
Details|contains: 'DWORD (0x00000000)'
condition: all of selection_registry_* and 1 of selection_value_*
falsepositives:
- Unknown
# Note: can be upgraded to medium after an initial baseline
level: low
Convert to SIEM query
low
Moderate
High FP
Potentially Suspicious Long Filename Pattern - Linux
Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
Adjust the threshold of filename length as needed based on your environment.
view Sigma YAML
title: Potentially Suspicious Long Filename Pattern - Linux
id: 11629c4d-0fe6-465b-be62-b39a1c442aad
status: experimental
description: |
Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
Adjust the threshold of filename length as needed based on your environment.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
- detection.threat-hunting
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '[^/]{100,}$'
filter_optional_known_good:
TargetFilename|startswith:
- '/run/systemd/units/invocation:systemd-fsck@'
- '/sys/firmware/'
- '/var/log/journal/'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate files with long filenames.
level: low
Convert to SIEM query
low
Strong
High FP
Potentially Suspicious Network Connection To Notion API
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
view Sigma YAML
title: Potentially Suspicious Network Connection To Notion API
id: 7e9cf7b6-e827-11ed-a05b-15959c120003
status: test
description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
references:
- https://github.com/mttaggart/OffensiveNotion
- https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
author: Gavin Knapp
date: 2023-05-03
tags:
- attack.command-and-control
- attack.t1102
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationHostname|contains: 'api.notion.com'
filter_main_notion:
Image|endswith: '\AppData\Local\Programs\Notion\Notion.exe'
filter_main_brave:
Image|endswith: '\brave.exe'
filter_main_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_main_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_main_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_main_maxthon:
Image|endswith: '\maxthon.exe'
filter_main_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_main_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_main_opera:
Image|endswith: '\opera.exe'
filter_main_safari:
Image|endswith: '\safari.exe'
filter_main_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_main_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_main_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications communicating with the "api.notion.com" endpoint that are not already in the exclusion list. The desktop and browser applications do not appear to be using the API by default unless integrations are configured.
level: low
Convert to SIEM query
low
Strong
High FP
Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
view Sigma YAML
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.persistence
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains: '/etc/profile.d/'
TargetFilename|endswith:
- '.csh'
- '.sh'
condition: selection
falsepositives:
- Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
- Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
Convert to SIEM query
low
Moderate
High FP
PowerShell Module File Created
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
view Sigma YAML
title: PowerShell Module File Created
id: e36941d0-c0f0-443f-bc6f-cb2952eb69ea
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
references:
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|contains:
- '\WindowsPowerShell\Modules\'
- '\PowerShell\7\Modules\'
condition: selection
falsepositives:
- Likely
level: low
Convert to SIEM query
low
Strong
High FP
PowerShell Script Dropped Via PowerShell.EXE
Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
view Sigma YAML
title: PowerShell Script Dropped Via PowerShell.EXE
id: 576426ad-0131-4001-ae01-be175da0c108
status: test
description: Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
references:
- https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
author: frack113
date: 2023-05-09
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|endswith: '.ps1'
filter_main_psscriptpolicytest:
TargetFilename|contains: '__PSScriptPolicyTest_'
filter_main_appdata:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
filter_main_windows_temp:
TargetFilename|startswith: 'C:\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- False positives will differ depending on the environment and scripts used. Apply additional filters accordingly.
level: low
Convert to SIEM query
low
Moderate
High FP
PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
view Sigma YAML
title: PowerShell Script Execution Policy Enabled
id: 8218c875-90b9-42e2-b60d-0b0069816d10
related:
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814
type: derived
status: test
description: Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
references:
- https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
author: Nasreddine Bencherchali (Nextron Systems), Thurein Oo
date: 2023-10-18
tags:
- attack.execution
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Policies\Microsoft\Windows\PowerShell\EnableScripts'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Likely
level: low
Convert to SIEM query
low
Moderate
High FP
Process Discovery
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
Information obtained could be used to gain an understanding of common software/applications running on systems within the network
view Sigma YAML
title: Process Discovery
id: 4e2f5868-08d4-413d-899f-dc2f1508627b
status: stable
description: |
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
Information obtained could be used to gain an understanding of common software/applications running on systems within the network
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md
- https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
author: Ömer Günal, oscd.community, CheraaghiMilad
date: 2020-10-06
modified: 2022-07-07
tags:
- attack.discovery
- attack.t1057
- detection.threat-hunting
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/atop'
- '/htop'
- '/pgrep'
- '/ps'
- '/pstree'
- '/top'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Process Execution From WebDAV Share
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
view Sigma YAML
title: Process Execution From WebDAV Share
id: f8de9dd5-7a63-4cfd-9d0c-ae124878b5a9
status: experimental
description: |
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares.
Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application.
Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
references:
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
- attack.execution
- attack.command-and-control
- attack.lateral-movement
- attack.t1105
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
Image|startswith: '\\\\'
Image|contains: '\DavWWWRoot\'
condition: selection
falsepositives:
- Legitimate use of WebDAV shares for process execution
- Known applications executing from WebDAV paths
level: low
Convert to SIEM query
low
Moderate
High FP
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
view Sigma YAML
title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\PSEXESVC.exe'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
low
Moderate
High FP
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
view Sigma YAML
title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
description: |
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references:
- https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/
- https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/
- https://x.com/cyb3rops/status/1862406110365245506
- https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
author: Muhammad Faisal (@faisalusuf)
date: 2024-12-19
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\QuickAssist.exe'
condition: selection
falsepositives:
- Legitimate use of Quick Assist in the environment.
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: |
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ScreenConnect.WindowsClient.exe'
TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
High FP
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
view Sigma YAML
title: Remote Access Tool - Team Viewer Session Started On Windows Host
id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
related:
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
Image: 'TeamViewer_Desktop.exe'
ParentImage: 'TeamViewer_Service.exe'
CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
Convert to SIEM query
low
Moderate
High FP
SNAKE Malware Installer Name Indicators
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
view Sigma YAML
title: SNAKE Malware Installer Name Indicators
id: 99eccc2b-7182-442f-8806-b76cc36d866b
status: test
description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\jpsetup.exe'
- '\jpinst.exe'
condition: selection
falsepositives:
- Some legitimate software was also seen using these names. Apply additional filters and use this rule as a hunting basis.
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task Created - FileCreation
Detects the creation of a scheduled task via file creation.
view Sigma YAML
title: Scheduled Task Created - FileCreation
id: a762e74f-4dce-477c-b023-4ed81df600f9
status: test
description: Detects the creation of a scheduled task via file creation.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
- https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- ':\Windows\System32\Tasks\'
- ':\Windows\SysWOW64\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Normal behaviour on Windows
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task Created - Registry
Detects the creation of a scheduled task via Registry keys.
view Sigma YAML
title: Scheduled Task Created - Registry
id: 93ff0ceb-e0ef-4586-8cd8-a6c277d738e3
status: test
description: Detects the creation of a scheduled task via Registry keys.
references:
- https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/
- https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
author: Center for Threat Informed Defense (CTID) Summiting the Pyramid Team
date: 2023-09-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.s0111
- attack.t1053.005
- car.2013-08-001
- detection.threat-hunting
logsource:
product: windows
category: registry_event
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
- '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
condition: selection
falsepositives:
- Likely as this is a normal behaviour on Windows
level: low
Convert to SIEM query
low
Strong
High FP
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
view Sigma YAML
title: Scheduled Task Creation Via Schtasks.EXE
id: 92626ddd-662c-49e3-ac59-f6535f12d189
status: test
description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2025-10-22
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
- attack.s0111
- car.2013-08-001
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains: ' /create '
filter_main_system_user:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_optional_msoffice:
# schtasks.exe /Create /tn "Microsoft\Office\Office Performance Monitor" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Performance Monitor.xml"
ParentImage:
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
Image:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
CommandLine|contains: 'Microsoft\Office\Office Performance Monitor'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative activity
- Software installation
level: low
Convert to SIEM query
low
Moderate
High FP
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks.
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
view Sigma YAML
title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: |
Detects the use of at/atd which are utilities that are used to schedule tasks.
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
- '/at'
- '/atd'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
view Sigma YAML
title: Screen Capture - macOS
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
status: test
description: Detects attempts to use screencapture to collect macOS screenshots
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
author: remotephone, oscd.community
date: 2020-10-13
modified: 2021-11-27
tags:
- attack.collection
- attack.t1113
logsource:
product: macos
category: process_creation
detection:
selection:
Image: '/usr/sbin/screencapture'
condition: selection
falsepositives:
- Legitimate user activity taking screenshots
level: low
Convert to SIEM query
low
Moderate
High FP
Security Software Discovery - Linux
Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
view Sigma YAML
title: Security Software Discovery - Linux
id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
status: test
description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
# You can add more grep variations such as fgrep, rgrep...etc
- '/grep'
- '/egrep'
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'cbagentd' # carbon black
- 'falcond' # crowdstrike falcon
condition: selection
falsepositives:
- Legitimate activities
level: low
Convert to SIEM query
low
Moderate
High FP
Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
view Sigma YAML
title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
author: Ömer Günal
date: 2020-06-16
modified: 2022-10-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1548.001
logsource:
product: linux
category: process_creation
detection:
selection_root:
CommandLine|contains: 'chown root'
selection_perm:
CommandLine|contains:
- ' chmod u+s'
- ' chmod g+s'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Shell Context Menu Command Tampering
Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
view Sigma YAML
title: Shell Context Menu Command Tampering
id: 868df2d1-0939-4562-83a7-27408c4a1ada
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
- attack.persistence
- detection.threat-hunting
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\Software\Classes\'
- '\shell\'
- '\command\'
condition: selection
falsepositives:
- Likely from new software installation suggesting to add context menu items. Such as "PowerShell", "Everything", "Git", etc.
level: low
Convert to SIEM query
low
Moderate
High FP
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
view Sigma YAML
title: Space After Filename - macOS
id: b6e2a2e3-2d30-43b1-a4ea-071e36595690
status: test
description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
author: remotephone
date: 2021-11-20
modified: 2023-01-04
tags:
- attack.stealth
- attack.t1036.006
logsource:
product: macos
category: process_creation
detection:
selection1:
CommandLine|endswith: ' '
selection2:
Image|endswith: ' '
condition: 1 of selection*
falsepositives:
- Mistyped commands or legitimate binaries named to match the pattern
level: low
Convert to SIEM query
low
Moderate
High FP
Split A File Into Pieces
Detection use of the command "split" to split files into parts and possible transfer.
view Sigma YAML
title: Split A File Into Pieces
id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12
status: test
description: Detection use of the command "split" to split files into parts and possible transfer.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-15
modified: 2021-11-27
tags:
- attack.exfiltration
- attack.t1030
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/split'
condition: selection
falsepositives:
- Legitimate administrative activity
level: low
Convert to SIEM query
low
Moderate
High FP
Startup Item File Created - MacOS
Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
Adversaries may use startup items automatically executed at boot initialization to establish persistence.
Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
view Sigma YAML
title: Startup Item File Created - MacOS
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: |
Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
Adversaries may use startup items automatically executed at boot initialization to establish persistence.
Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2024-08-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1037.005
logsource:
category: file_event
product: macos
detection:
selection:
TargetFilename|startswith:
- '/Library/StartupItems/'
- '/System/Library/StartupItems'
TargetFilename|endswith: '.plist'
condition: selection
falsepositives:
- Legitimate administration activities
level: low
Convert to SIEM query
low
Moderate
High FP
Suspicious Deno File Written from Remote Source
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
view Sigma YAML
title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
- https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
- attack.execution
- attack.t1204
- attack.t1059.007
- attack.command-and-control
- attack.t1105
logsource:
category: file_event
product: windows
detection:
selection_path:
TargetFilename|contains:
- '\deno\gen\'
- '\deno\remote\https\'
TargetFilename|contains|all:
- ':\Users\'
- '\AppData\'
condition: selection_path
falsepositives:
- Legitimate usage of deno to request a file or bring a DLL to a host
level: low
Convert to SIEM query
low
Moderate
High FP
Suspicious Execution of Hostname
Use of hostname to get information
view Sigma YAML
title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: test
description: Use of hostname to get information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
author: frack113
date: 2022-01-01
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\HOSTNAME.EXE'
condition: selection
falsepositives:
- Unknown
level: low
Convert to SIEM query
Showing 1451-1500 of 1,524