Tool
EDR / XDR
Palo Alto Cortex XDR
1,524 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB)
Every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance4
Resource Development5
Initial Access7
Execution25
Persistence31
Privilege Escalation17
Stealth63
Defense Impairment16
Credential Access26
Discovery24
Lateral Movement10
Collection11
Command and Control18
Exfiltration7
Impact10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,524
high
Moderate
Medium FP
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
view Sigma YAML
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-30
tags:
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename: 'C:\users\public\Documents\dllhost.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
view Sigma YAML
title: Potential COLDSTEEL RAT Windows User Creation
id: 95214813-4c7a-4a50-921b-ee5c538e1d16
status: test
description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-02
modified: 2023-08-17
tags:
- attack.persistence
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-'
- '\ProfileImagePath'
Details|contains:
- 'ANONYMOUS'
- '_DomainUser_'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CSharp Streamer RAT Loading .NET Executable Image
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
view Sigma YAML
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: test
description: |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
- https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections
- https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
author: Luca Di Bartolomeo
date: 2024-06-22
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|re: '\\AppData\\Local\\Temp\\dat[0-9A-Z]{4}\.tmp'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
view Sigma YAML
title: Potential CVE-2021-26857 Exploitation Attempt
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
status: stable
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
references:
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2023-02-07
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2021-40444 Exploitation Attempt
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
view Sigma YAML
title: Potential CVE-2021-40444 Exploitation Attempt
id: 894397c6-da03-425c-a589-3d09e7d1f750
status: test
description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://twitter.com/neonprimetime/status/1435584010202255375
- https://www.joesandbox.com/analysis/476188/1/iochtml
author: Florian Roth (Nextron Systems), @neonprimetime
date: 2021-09-08
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059
- cve.2021-40444
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
ParentImage|endswith:
- '\winword.exe'
- '\powerpnt.exe'
- '\excel.exe'
filter:
CommandLine|endswith:
- '\control.exe input.dll'
- '\control.exe" input.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
view Sigma YAML
title: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
id: 3eb91f0a-0060-424a-a676-59f5fdd75610
status: test
description: |
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
references:
- https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
- https://twitter.com/TheDFIRReport/status/1482078434327244805
- https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
author: '@kostastsale'
date: 2022-01-14
tags:
- attack.initial-access
- attack.t1190
- cve.2021-44228
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ws_TomcatService.exe'
filter_main_shells:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2022-26809 Exploitation Attempt
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
view Sigma YAML
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
- https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html
- https://twitter.com/cyb3rops/status/1514217991034097664
- https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
author: Florian Roth (Nextron Systems)
date: 2022-04-13
modified: 2023-02-03
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1569.002
- cve.2022-26809
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\System32\svchost.exe'
ParentCommandLine|contains: '-k RPCSS'
condition: selection
falsepositives:
- Unknown
- Some cases in which the service spawned a werfault.exe process
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential CVE-2023-21554 QueueJumper Exploitation
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
view Sigma YAML
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-12
tags:
- attack.privilege-escalation
- attack.execution
- cve.2023-21554
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\Windows\System32\mqsvc.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wsl.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
view Sigma YAML
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
- https://www.zerodayinitiative.com/advisories/ZDI-23-491/
- https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
author: Gregory
date: 2023-10-11
tags:
- attack.persistence
- attack.t1505.001
- cve.2023-27363
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\FoxitPDFReader.exe'
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith: '.hta'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
view Sigma YAML
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
- https://github.com/Wh04m1001/CVE-2023-36874
- https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-23
modified: 2025-01-13
tags:
- attack.execution
- cve.2023-36874
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\wermgr.exe'
filter_main_locations:
TargetFilename|contains:
- ':\$WINDOWS.~BT\NewOS\'
- ':\$WinREAgent\' # From "wuauclt.exe"
- ':\Windows\servicing\LCU\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
- ':\WUDownloadCache\' # Windows Update Download Cache
- ':\Windows\SoftwareDistribution\Download\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
view Sigma YAML
title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
status: test
description: |
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
references:
- https://x.com/BlackArrowSec/status/2044374743491424508
- https://x.com/SBousseaden/status/2044417029721997635
author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-28
tags:
- attack.credential-access
- attack.t1187
- detection.emerging-threats
- cve.2026-33829
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\SnippingTool.exe'
CommandLine|contains:
# '\\\\' = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
- 'ms-screensketch:edit?&filePath=\\\\'
- 'ms-screensketch:edit?&filePath=%%5C'
- 'ms-screensketch:edit?&filePath=%5C'
- 'ms-screensketch:edit?&filePath=http'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml
Convert to SIEM query
high
Strong
Medium FP
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
view Sigma YAML
title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
- id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
type: similar
status: experimental
description: |
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
such as one-liners that execute remotely hosted malicious files or scripts.
references:
- https://github.com/JohnHammond/recaptcha-phish
- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
- https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
- https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
- https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
- https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
- https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
- https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.001
logsource:
category: registry_set
product: windows
detection:
selection_registry:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
selection_details:
Details|contains:
- 'http://'
- 'https://'
selection_susp_pattern:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Legitimate applications using RunMRU with HTTP links
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
view Sigma YAML
title: Potential CobaltStrike Process Patterns
id: f35c5d71-b489-4e22-a115-f003df287317
status: test
description: Detects potential process patterns related to Cobalt Strike beacon activity
references:
- https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-27
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_generic_1:
CommandLine|endswith: 'cmd.exe /C whoami'
ParentImage|startswith: 'C:\Temp\'
selection_generic_2:
ParentImage|endswith:
- '\runonce.exe'
- '\dllhost.exe'
CommandLine|contains|all:
- 'cmd.exe /c echo'
- '> \\\\.\\pipe'
selection_conhost_1:
ParentCommandLine|contains|all:
- 'cmd.exe /C echo'
- ' > \\\\.\\pipe'
CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
selection_conhost_2:
ParentCommandLine|endswith: '/C whoami'
CommandLine|endswith: 'conhost.exe 0xffffffff -ForceV1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
view Sigma YAML
title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
- https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.lateral-movement
- attack.t1021.002
- attack.t1543.003
- attack.t1569.002
logsource:
category: registry_set
product: windows
detection:
selection_key:
- TargetObject|contains: '\System\CurrentControlSet\Services'
- TargetObject|contains|all:
- '\System\ControlSet'
- '\Services'
selection_details:
- Details|contains|all:
- 'ADMIN$'
- '.exe'
- Details|contains|all:
- '%COMSPEC%'
- 'start'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
id: 51eecf75-d069-43c7-9ea2-63f75499edd4
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2023-03-31
tags:
- attack.command-and-control
- detection.emerging-threats
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\3CXDesktopApp.exe'
DestinationHostname|contains:
- 'akamaicontainer.com'
- 'akamaitechcloudservices.com'
- 'azuredeploystore.com'
- 'azureonlinecloud.com'
- 'azureonlinestorage.com'
- 'dunamistrd.com'
- 'glcloudservice.com'
- 'journalide.org'
- 'msedgepackageinfo.com'
- 'msstorageazure.com'
- 'msstorageboxes.com'
- 'officeaddons.com'
- 'officestoragebox.com'
- 'pbxcloudeservices.com'
- 'pbxphonenetwork.com'
- 'pbxsources.com'
- 'qwepoi123098.com'
- 'sbmsa.wiki'
- 'sourceslabs.com'
- 'visualstudiofactory.com'
- 'zacharryblogs.com'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Compromised 3CXDesktopApp Update Activity
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
view Sigma YAML
title: Potential Compromised 3CXDesktopApp Update Activity
id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
references:
- https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
- https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
- attack.stealth
- attack.t1218
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\3CXDesktopApp\app\update.exe'
CommandLine|contains|all:
- '--update'
- 'http'
- '/electron/update/win32/18.12'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
view Sigma YAML
title: Potential Conti Ransomware Database Dumping Activity Via SQLCmd
id: 2f47f1fd-0901-466e-a770-3b7092834a1b
status: test
description: Detects a command used by conti to dump database
references:
- https://twitter.com/vxunderground/status/1423336151860002816?s=20 # The leak info not the files itself
- https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
- https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
author: frack113
date: 2021-08-16
modified: 2023-05-04
tags:
- attack.collection
- attack.t1005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_tools:
- Image|endswith: '\sqlcmd.exe'
- CommandLine|contains:
- 'sqlcmd '
- 'sqlcmd.exe'
selection_svr:
CommandLine|contains: ' -S localhost '
selection_query:
CommandLine|contains:
- 'sys.sysprocesses'
- 'master.dbo.sysdatabases'
- 'BACKUP DATABASE'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Credential Dumping Attempt Using New NetworkProvider - CLI
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
view Sigma YAML
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
# filter:
# CommandLine|contains:
# - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
# - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
# - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
view Sigma YAML
title: Potential Crypto Mining Activity
id: 66c3b204-9f88-4d0a-a7f7-8a57d521ca55
status: stable
description: Detects command line parameters or strings often used by crypto miners
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2023-02-13
tags:
- attack.impact
- attack.t1496
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' --cpu-priority='
- '--donate-level=0'
- ' -o pool.'
- ' --nicehash'
- ' --algo=rx/0 '
- 'stratum+tcp://'
- 'stratum+udp://'
# base64 encoded: --donate-level=
- 'LS1kb25hdGUtbGV2ZWw9'
- '0tZG9uYXRlLWxldmVsP'
- 'tLWRvbmF0ZS1sZXZlbD'
# base64 encoded: stratum+tcp:// and stratum+udp://
- 'c3RyYXR1bSt0Y3A6Ly'
- 'N0cmF0dW0rdGNwOi8v'
- 'zdHJhdHVtK3RjcDovL'
- 'c3RyYXR1bSt1ZHA6Ly'
- 'N0cmF0dW0rdWRwOi8v'
- 'zdHJhdHVtK3VkcDovL'
filter:
CommandLine|contains:
- ' pool.c '
- ' pool.o '
- 'gcc -'
condition: selection and not filter
falsepositives:
- Legitimate use of crypto miners
- Some build frameworks
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential DLL Sideloading Via VMware Xfer
Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
view Sigma YAML
title: Potential DLL Sideloading Via VMware Xfer
id: 9313dc13-d04c-46d8-af4a-a930cc55d93b
status: test
description: Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
references:
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2023-02-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\VMwareXferlogs.exe'
ImageLoaded|endswith: '\glib-2.0.dll'
filter: # VMware might be installed in another path so update the rule accordingly
ImageLoaded|startswith: 'C:\Program Files\VMware\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
view Sigma YAML
title: Potential DLL Sideloading Via comctl32.dll
id: 6360757a-d460-456c-8b13-74cf0e60cceb
status: test
description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
references:
- https://github.com/binderlabs/DirCreate2System
- https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
author: Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)
date: 2022-12-16
modified: 2022-12-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|startswith:
- 'C:\Windows\System32\logonUI.exe.local\'
- 'C:\Windows\System32\werFault.exe.local\'
- 'C:\Windows\System32\consent.exe.local\'
- 'C:\Windows\System32\narrator.exe.local\'
- 'C:\windows\system32\wermgr.exe.local\'
ImageLoaded|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
view Sigma YAML
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_iwr:
Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
CommandLine|contains:
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
- 'wget '
CommandLine|contains|all:
- ' -ur' # Shortest possible version of the -uri flag
- ' -me' # Shortest possible version of the -method flag
- ' -b'
- ' POST '
selection_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
selection_curl_data:
CommandLine|contains:
- ' -d ' # Shortest possible version of the --data flag
- ' --data '
selection_wget:
Image|endswith: '\wget.exe'
CommandLine|contains:
- '--post-data'
- '--post-file'
payloads:
- CommandLine|re:
- 'net\s+view'
- 'sc\s+query'
- CommandLine|contains:
- 'Get-Content'
- 'GetBytes'
- 'hostname'
- 'ifconfig'
- 'ipconfig'
- 'netstat'
- 'nltest'
- 'qprocess'
- 'systeminfo'
- 'tasklist'
- 'ToBase64String'
- 'whoami'
- CommandLine|contains|all:
- 'type '
- ' > '
- ' C:\'
condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
view Sigma YAML
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
- id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
- https://github.com/defaultnamehere/cookie_crimes/
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
- https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
- https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1185
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
- '--user-data-dir'
- '--headless'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
view Sigma YAML
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
id: 4a30ac0c-b9d6-4e01-b71a-5f851bbf4259
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '😀'
- '😃'
- '😄'
- '😁'
- '😆'
- '😅'
- '😂'
- '🤣'
- '🥲'
- '🥹'
- '☺️'
- '😊'
- '😇'
- '🙂'
- '🙃'
- '😉'
- '😌'
- '😍'
- '🥰'
- '😘'
- '😗'
- '😙'
- '😚'
- '😋'
- '😛'
- '😝'
- '😜'
- '🤪'
- '🤨'
- '🧐'
- '🤓'
- '😎'
- '🥸'
- '🤩'
- '🥳'
- '😏'
- '😒'
- '😞'
- '😔'
- '😟'
- '😕'
- '🙁'
- '☹️'
- '😣'
- '😖'
- '😫'
- '😩'
- '🥺'
- '😢'
- '😭'
- '😮💨'
- '😤'
- '😠'
- '😡'
- '🤬'
- '🤯'
- '😳'
- '🥵'
- '🥶'
- '😱'
- '😨'
- '😰'
- '😥'
- '😓'
- '🫣'
- '🤗'
- '🫡'
- '🤔'
- '🫢'
- '🤭'
- '🤫'
- '🤥'
- '😶'
- '😶🌫️'
- '😐'
- '😑'
- '😬'
- '🫠'
- '🙄'
- '😯'
- '😦'
- '😧'
- '😮'
- '😲'
- '🥱'
- '😴'
- '🤤'
- '😪'
- '😵'
- '😵💫'
- '🫥'
- '🤐'
- '🥴'
- '🤢'
- '🤮'
- '🤧'
- '😷'
- '🤒'
- '🤕'
- '🤑'
- '🤠'
- '😈'
- '👿'
- '👹'
- '👺'
- '🤡'
- '💩'
- '👻'
- '💀'
- '☠️'
- '👽'
- '👾'
- '🤖'
- '🎃'
- '😺'
- '😸'
- '😹'
- '😻'
- '😼'
- '😽'
- '🙀'
- '😿'
- '😾'
- '👋'
- '🤚'
- '🖐'
- '✋'
- '🖖'
- '👌'
- '🤌'
- '🤏'
- '✌️'
- '🤞'
- '🫰'
- '🤟'
- '🤘'
- '🤙'
- '🫵'
- '🫱'
- '🫲'
- '🫳'
- '🫴'
- '👈'
- '👉'
- '👆'
- '🖕'
- '👇'
- '☝️'
- '👍'
- '👎'
- '✊'
- '👊'
- '🤛'
- '🤜'
- '👏'
- '🫶'
- '🙌'
- '👐'
- '🤲'
- '🤝'
- '🙏'
- '✍️'
- '💪'
- '🦾'
- '🦵'
- '🦿'
- '🦶'
- '👣'
- '👂'
- '🦻'
- '👃'
- '🫀'
- '🫁'
- '🧠'
- '🦷'
- '🦴'
- '👀'
- '👁'
- '👅'
- '👄'
- '🫦'
- '💋'
- '🩸'
- '👶'
- '👧'
- '🧒'
- '👦'
- '👩'
- '🧑'
- '👨'
- '👩🦱'
- '🧑🦱'
- '👨🦱'
- '👩🦰'
- '🧑🦰'
- '👨🦰'
- '👱♀️'
- '👱'
- '👱♂️'
- '👩🦳'
- '🧑🦳'
- '👨🦳'
- '👩🦲'
- '🧑🦲'
- '👨🦲'
- '🧔♀️'
- '🧔'
- '🧔♂️'
- '👵'
- '🧓'
- '👴'
- '👲'
- '👳♀️'
- '👳'
- '👳♂️'
- '🧕'
- '👮♀️'
- '👮'
- '👮♂️'
- '👷♀️'
- '👷'
- '👷♂️'
- '💂♀️'
- '💂'
- '💂♂️'
- '🕵️♀️'
- '🕵️'
- '🕵️♂️'
- '👩⚕️'
- '🧑⚕️'
- '👨⚕️'
- '👩🌾'
- '🧑🌾'
- '👨🌾'
- '👩🍳'
- '🧑🍳'
- '👨🍳'
- '👩🎓'
- '🧑🎓'
- '👨🎓'
- '👩🎤'
- '🧑🎤'
- '👨🎤'
- '👩🏫'
- '🧑🏫'
- '👨🏫'
- '👩🏭'
- '🧑🏭'
- '👨🏭'
- '👩💻'
- '🧑💻'
- '👨💻'
- '👩💼'
- '🧑💼'
- '👨💼'
- '👩🔧'
- '🧑🔧'
- '👨🔧'
- '👩🔬'
- '🧑🔬'
- '👨🔬'
- '👩🎨'
- '🧑🎨'
- '👨🎨'
- '👩🚒'
- '🧑🚒'
- '👨🚒'
- '👩✈️'
- '🧑✈️'
- '👨✈️'
- '👩🚀'
- '🧑🚀'
- '👨🚀'
- '👩⚖️'
- '🧑⚖️'
- '👨⚖️'
- '👰♀️'
- '👰'
- '👰♂️'
- '🤵♀️'
- '🤵'
- '🤵♂️'
- '👸'
- '🫅'
- '🤴'
- '🥷'
- '🦸♀️'
- '🦸'
- '🦸♂️'
- '🦹♀️'
- '🦹'
- '🦹♂️'
- '🤶'
- '🧑🎄'
- '🎅'
- '🧙♀️'
- '🧙'
- '🧙♂️'
- '🧝♀️'
- '🧝'
- '🧝♂️'
- '🧛♀️'
- '🧛'
- '🧛♂️'
- '🧟♀️'
- '🧟'
- '🧟♂️'
- '🧞♀️'
- '🧞'
- '🧞♂️'
- '🧜♀️'
- '🧜'
- '🧜♂️'
- '🧚♀️'
- '🧚'
- '🧚♂️'
- '🧌'
- '👼'
- '🤰'
- '🫄'
- '🫃'
- '🤱'
- '👩🍼'
- '🧑🍼'
- '👨🍼'
- '🙇♀️'
- '🙇'
- '🙇♂️'
- '💁♀️'
- '💁'
- '💁♂️'
- '🙅♀️'
- '🙅'
- '🙅♂️'
- '🙆♀️'
- '🙆'
- '🙆♂️'
- '🙋♀️'
- '🙋'
- '🙋♂️'
- '🧏♀️'
- '🧏'
- '🧏♂️'
- '🤦♀️'
- '🤦'
- '🤦♂️'
- '🤷♀️'
- '🤷'
- '🤷♂️'
- '🙎♀️'
- '🙎'
- '🙎♂️'
- '🙍♀️'
- '🙍'
- '🙍♂️'
- '💇♀️'
- '💇'
- '💇♂️'
- '💆♀️'
- '💆'
- '💆♂️'
- '🧖♀️'
- '🧖'
- '🧖♂️'
- '💅'
- '💃'
- '🕺'
- '👯♀️'
- '👯'
- '👯♂️'
- '🕴'
- '👩🦽'
- '🧑🦽'
- '👨🦽'
- '👩🦼'
- '🧑🦼'
- '👨🦼'
- '🚶♀️'
- '🚶'
- '🚶♂️'
- '👩🦯'
- '🧑🦯'
- '👨🦯'
- '🧎♀️'
- '🧎'
- '🧎♂️'
- '🏃♀️'
- '🏃'
- '🏃♂️'
- '🧍♀️'
- '🧍'
- '🧍♂️'
- '👭'
- '🧑🤝🧑'
- '👬'
- '👫'
- '👩❤️👩'
- '💑'
- '👨❤️👨'
- '👩❤️👨'
- '👩❤️💋👩'
- '💏'
- '👨❤️💋👨'
- '👩❤️💋👨'
- '👪'
- '👨👩👦'
- '👨👩👧'
- '👨👩👧👦'
- '👨👩👦👦'
- '👨👩👧👧'
- '👨👨👦'
- '👨👨👧'
- '👨👨👧👦'
- '👨👨👦👦'
- '👨👨👧👧'
- '👩👩👦'
- '👩👩👧'
- '👩👩👧👦'
- '👩👩👦👦'
- '👩👩👧👧'
- '👨👦'
- '👨👦👦'
- '👨👧'
- '👨👧👦'
- '👨👧👧'
- '👩👦'
- '👩👦👦'
- '👩👧'
- '👩👧👦'
- '👩👧👧'
- '🗣'
- '👤'
- '👥'
- '🫂'
- '🧳'
- '🌂'
- '☂️'
- '🧵'
- '🪡'
- '🪢'
- '🧶'
- '👓'
- '🕶'
- '🥽'
- '🥼'
- '🦺'
- '👔'
- '👕'
- '👖'
- '🧣'
- '🧤'
- '🧥'
- '🧦'
- '👗'
- '👘'
- '🥻'
- '🩴'
- '🩱'
- '🩲'
- '🩳'
- '👙'
- '👚'
- '👛'
- '👜'
- '👝'
- '🎒'
- '👞'
- '👟'
- '🥾'
- '🥿'
- '👠'
- '👡'
- '🩰'
- '👢'
- '👑'
- '👒'
- '🎩'
- '🎓'
- '🧢'
- '⛑'
- '🪖'
- '💄'
- '💍'
- '💼'
- '👋🏻'
- '🤚🏻'
- '🖐🏻'
- '✋🏻'
- '🖖🏻'
- '👌🏻'
- '🤌🏻'
- '🤏🏻'
- '✌🏻'
- '🤞🏻'
- '🫰🏻'
- '🤟🏻'
- '🤘🏻'
- '🤙🏻'
- '🫵🏻'
- '🫱🏻'
- '🫲🏻'
- '🫳🏻'
- '🫴🏻'
- '👈🏻'
- '👉🏻'
- '👆🏻'
- '🖕🏻'
- '👇🏻'
- '☝🏻'
- '👍🏻'
- '👎🏻'
- '✊🏻'
- '👊🏻'
- '🤛🏻'
- '🤜🏻'
- '👏🏻'
- '🫶🏻'
- '🙌🏻'
- '👐🏻'
- '🤲🏻'
- '🙏🏻'
- '✍🏻'
- '💪🏻'
- '🦵🏻'
- '🦶🏻'
- '👂🏻'
- '🦻🏻'
- '👃🏻'
- '👶🏻'
- '👧🏻'
- '🧒🏻'
- '👦🏻'
- '👩🏻'
- '🧑🏻'
- '👨🏻'
- '👩🏻🦱'
- '🧑🏻🦱'
- '👨🏻🦱'
- '👩🏻🦰'
- '🧑🏻🦰'
- '👨🏻🦰'
- '👱🏻♀️'
- '👱🏻'
- '👱🏻♂️'
- '👩🏻🦳'
- '🧑🏻🦳'
- '👨🏻🦳'
- '👩🏻🦲'
- '🧑🏻🦲'
- '👨🏻🦲'
- '🧔🏻♀️'
- '🧔🏻'
- '🧔🏻♂️'
- '👵🏻'
- '🧓🏻'
- '👴🏻'
- '👲🏻'
- '👳🏻♀️'
- '👳🏻'
- '👳🏻♂️'
- '🧕🏻'
- '👮🏻♀️'
- '👮🏻'
- '👮🏻♂️'
- '👷🏻♀️'
- '👷🏻'
- '👷🏻♂️'
- '💂🏻♀️'
- '💂🏻'
- '💂🏻♂️'
- '🕵🏻♀️'
- '🕵🏻'
- '🕵🏻♂️'
- '👩🏻⚕️'
- '🧑🏻⚕️'
- '👨🏻⚕️'
- '👩🏻🌾'
- '🧑🏻🌾'
- '👨🏻🌾'
- '👩🏻🍳'
- '🧑🏻🍳'
- '👨🏻🍳'
- '👩🏻🎓'
- '🧑🏻🎓'
- '👨🏻🎓'
- '👩🏻🎤'
- '🧑🏻🎤'
- '👨🏻🎤'
- '👩🏻🏫'
- '🧑🏻🏫'
- '👨🏻🏫'
- '👩🏻🏭'
- '🧑🏻🏭'
- '👨🏻🏭'
- '👩🏻💻'
- '🧑🏻💻'
- '👨🏻💻'
- '👩🏻💼'
- '🧑🏻💼'
- '👨🏻💼'
- '👩🏻🔧'
- '🧑🏻🔧'
- '👨🏻🔧'
- '👩🏻🔬'
- '🧑🏻🔬'
- '👨🏻🔬'
- '👩🏻🎨'
- '🧑🏻🎨'
- '👨🏻🎨'
- '👩🏻🚒'
- '🧑🏻🚒'
- '👨🏻🚒'
- '👩🏻✈️'
- '🧑🏻✈️'
- '👨🏻✈️'
- '👩🏻🚀'
- '🧑🏻🚀'
- '👨🏻🚀'
- '👩🏻⚖️'
- '🧑🏻⚖️'
- '👨🏻⚖️'
- '👰🏻♀️'
- '👰🏻'
- '👰🏻♂️'
- '🤵🏻♀️'
- '🤵🏻'
- '🤵🏻♂️'
- '👸🏻'
- '🫅🏻'
- '🤴🏻'
- '🥷🏻'
- '🦸🏻♀️'
- '🦸🏻'
- '🦸🏻♂️'
- '🦹🏻♀️'
- '🦹🏻'
- '🦹🏻♂️'
- '🤶🏻'
- '🧑🏻🎄'
- '🎅🏻'
- '🧙🏻♀️'
- '🧙🏻'
- '🧙🏻♂️'
- '🧝🏻♀️'
- '🧝🏻'
- '🧝🏻♂️'
- '🧛🏻♀️'
- '🧛🏻'
- '🧛🏻♂️'
- '🧜🏻♀️'
- '🧜🏻'
- '🧜🏻♂️'
- '🧚🏻♀️'
- '🧚🏻'
- '🧚🏻♂️'
- '👼🏻'
- '🤰🏻'
- '🫄🏻'
- '🫃🏻'
- '🤱🏻'
- '👩🏻🍼'
- '🧑🏻🍼'
- '👨🏻🍼'
- '🙇🏻♀️'
- '🙇🏻'
- '🙇🏻♂️'
- '💁🏻♀️'
- '💁🏻'
- '💁🏻♂️'
- '🙅🏻♀️'
- '🙅🏻'
- '🙅🏻♂️'
- '🙆🏻♀️'
- '🙆🏻'
- '🙆🏻♂️'
- '🙋🏻♀️'
- '🙋🏻'
- '🙋🏻♂️'
- '🧏🏻♀️'
- '🧏🏻'
- '🧏🏻♂️'
- '🤦🏻♀️'
- '🤦🏻'
- '🤦🏻♂️'
- '🤷🏻♀️'
- '🤷🏻'
- '🤷🏻♂️'
- '🙎🏻♀️'
- '🙎🏻'
- '🙎🏻♂️'
- '🙍🏻♀️'
- '🙍🏻'
- '🙍🏻♂️'
- '💇🏻♀️'
- '💇🏻'
- '💇🏻♂️'
- '💆🏻♀️'
- '💆🏻'
- '💆🏻♂️'
- '🧖🏻♀️'
- '🧖🏻'
- '🧖🏻♂️'
- '💃🏻'
- '🕺🏻'
- '🕴🏻'
- '👩🏻🦽'
- '🧑🏻🦽'
- '👨🏻🦽'
- '👩🏻🦼'
- '🧑🏻🦼'
- '👨🏻🦼'
- '🚶🏻♀️'
- '🚶🏻'
- '🚶🏻♂️'
- '👩🏻🦯'
- '🧑🏻🦯'
- '👨🏻🦯'
- '🧎🏻♀️'
- '🧎🏻'
- '🧎🏻♂️'
- '🏃🏻♀️'
- '🏃🏻'
- '🏃🏻♂️'
- '🧍🏻♀️'
- '🧍🏻'
- '🧍🏻♂️'
- '👭🏻'
- '🧑🏻🤝🧑🏻'
- '👬🏻'
- '👫🏻'
- '🧗🏻♀️'
- '🧗🏻'
- '🧗🏻♂️'
- '🏇🏻'
- '🏂🏻'
- '🏌🏻♀️'
- '🏌🏻'
- '🏌🏻♂️'
- '🏄🏻♀️'
- '🏄🏻'
- '🏄🏻♂️'
- '🚣🏻♀️'
- '🚣🏻'
- '🚣🏻♂️'
- '🏊🏻♀️'
- '🏊🏻'
- '🏊🏻♂️'
- '⛹🏻♀️'
- '⛹🏻'
- '⛹🏻♂️'
- '🏋🏻♀️'
- '🏋🏻'
- '🏋🏻♂️'
- '🚴🏻♀️'
- '🚴🏻'
- '🚴🏻♂️'
- '🚵🏻♀️'
- '🚵🏻'
- '🚵🏻♂️'
- '🤸🏻♀️'
- '🤸🏻'
- '🤸🏻♂️'
- '🤽🏻♀️'
- '🤽🏻'
- '🤽🏻♂️'
- '🤾🏻♀️'
- '🤾🏻'
- '🤾🏻♂️'
- '🤹🏻♀️'
- '🤹🏻'
- '🤹🏻♂️'
- '🧘🏻♀️'
- '🧘🏻'
- '🧘🏻♂️'
- '🛀🏻'
- '🛌🏻'
- '👋🏼'
- '🤚🏼'
- '🖐🏼'
- '✋🏼'
- '🖖🏼'
- '👌🏼'
- '🤌🏼'
- '🤏🏼'
- '✌🏼'
- '🤞🏼'
- '🫰🏼'
- '🤟🏼'
- '🤘🏼'
- '🤙🏼'
- '🫵🏼'
- '🫱🏼'
- '🫲🏼'
- '🫳🏼'
- '🫴🏼'
- '👈🏼'
- '👉🏼'
- '👆🏼'
- '🖕🏼'
- '👇🏼'
- '☝🏼'
- '👍🏼'
- '👎🏼'
- '✊🏼'
- '👊🏼'
- '🤛🏼'
- '🤜🏼'
- '👏🏼'
- '🫶🏼'
- '🙌🏼'
- '👐🏼'
- '🤲🏼'
- '🙏🏼'
- '✍🏼'
- '💪🏼'
- '🦵🏼'
- '🦶🏼'
- '👂🏼'
- '🦻🏼'
- '👃🏼'
- '👶🏼'
- '👧🏼'
- '🧒🏼'
- '👦🏼'
- '👩🏼'
- '🧑🏼'
- '👨🏼'
- '👩🏼🦱'
- '🧑🏼🦱'
- '👨🏼🦱'
- '👩🏼🦰'
- '🧑🏼🦰'
- '👨🏼🦰'
- '👱🏼♀️'
- '👱🏼'
- '👱🏼♂️'
- '👩🏼🦳'
- '🧑🏼🦳'
- '👨🏼🦳'
- '👩🏼🦲'
- '🧑🏼🦲'
- '👨🏼🦲'
- '🧔🏼♀️'
- '🧔🏼'
- '🧔🏼♂️'
- '👵🏼'
- '🧓🏼'
- '👴🏼'
- '👲🏼'
- '👳🏼♀️'
- '👳🏼'
- '👳🏼♂️'
- '🧕🏼'
- '👮🏼♀️'
- '👮🏼'
- '👮🏼♂️'
- '👷🏼♀️'
- '👷🏼'
- '👷🏼♂️'
- '💂🏼♀️'
- '💂🏼'
- '💂🏼♂️'
- '🕵🏼♀️'
- '🕵🏼'
- '🕵🏼♂️'
- '👩🏼⚕️'
- '🧑🏼⚕️'
- '👨🏼⚕️'
- '👩🏼🌾'
- '🧑🏼🌾'
- '👨🏼🌾'
- '👩🏼🍳'
- '🧑🏼🍳'
- '👨🏼🍳'
- '👩🏼🎓'
- '🧑🏼🎓'
- '👨🏼🎓'
- '👩🏼🎤'
- '🧑🏼🎤'
- '👨🏼🎤'
- '👩🏼🏫'
- '🧑🏼🏫'
- '👨🏼🏫'
- '👩🏼🏭'
- '🧑🏼🏭'
- '👨🏼🏭'
- '👩🏼💻'
- '🧑🏼💻'
- '👨🏼💻'
- '👩🏼💼'
- '🧑🏼💼'
- '👨🏼💼'
- '👩🏼🔧'
- '🧑🏼🔧'
- '👨🏼🔧'
- '👩🏼🔬'
- '🧑🏼🔬'
- '👨🏼🔬'
- '👩🏼🎨'
- '🧑🏼🎨'
- '👨🏼🎨'
- '👩🏼🚒'
- '🧑🏼🚒'
- '👨🏼🚒'
- '👩🏼✈️'
- '🧑🏼✈️'
- '👨🏼✈️'
- '👩🏼🚀'
- '🧑🏼🚀'
- '👨🏼🚀'
- '👩🏼⚖️'
- '🧑🏼⚖️'
- '👨🏼⚖️'
- '👰🏼♀️'
- '👰🏼'
- '👰🏼♂️'
- '🤵🏼♀️'
- '🤵🏼'
- '🤵🏼♂️'
- '👸🏼'
- '🫅🏼'
- '🤴🏼'
- '🥷🏼'
- '🦸🏼♀️'
- '🦸🏼'
- '🦸🏼♂️'
- '🦹🏼♀️'
- '🦹🏼'
- '🦹🏼♂️'
- '🤶🏼'
- '🧑🏼🎄'
- '🎅🏼'
- '🧙🏼♀️'
- '🧙🏼'
- '🧙🏼♂️'
- '🧝🏼♀️'
- '🧝🏼'
- '🧝🏼♂️'
- '🧛🏼♀️'
- '🧛🏼'
- '🧛🏼♂️'
- '🧜🏼♀️'
- '🧜🏼'
- '🧜🏼♂️'
- '🧚🏼♀️'
- '🧚🏼'
- '🧚🏼♂️'
- '👼🏼'
- '🤰🏼'
- '🫄🏼'
- '🫃🏼'
- '🤱🏼'
- '👩🏼🍼'
- '🧑🏼🍼'
- '👨🏼🍼'
- '🙇🏼♀️'
- '🙇🏼'
- '🙇🏼♂️'
- '💁🏼♀️'
- '💁🏼'
- '💁🏼♂️'
- '🙅🏼♀️'
- '🙅🏼'
- '🙅🏼♂️'
- '🙆🏼♀️'
- '🙆🏼'
- '🙆🏼♂️'
- '🙋🏼♀️'
- '🙋🏼'
- '🙋🏼♂️'
- '🧏🏼♀️'
- '🧏🏼'
- '🧏🏼♂️'
- '🤦🏼♀️'
- '🤦🏼'
- '🤦🏼♂️'
- '🤷🏼♀️'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
view Sigma YAML
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
id: c98f2a0d-e1b8-4f76-90d3-359caf88d6b9
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🤷🏼'
- '🤷🏼♂️'
- '🙎🏼♀️'
- '🙎🏼'
- '🙎🏼♂️'
- '🙍🏼♀️'
- '🙍🏼'
- '🙍🏼♂️'
- '💇🏼♀️'
- '💇🏼'
- '💇🏼♂️'
- '💆🏼♀️'
- '💆🏼'
- '💆🏼♂️'
- '🧖🏼♀️'
- '🧖🏼'
- '🧖🏼♂️'
- '💃🏼'
- '🕺🏼'
- '🕴🏼'
- '👩🏼🦽'
- '🧑🏼🦽'
- '👨🏼🦽'
- '👩🏼🦼'
- '🧑🏼🦼'
- '👨🏼🦼'
- '🚶🏼♀️'
- '🚶🏼'
- '🚶🏼♂️'
- '👩🏼🦯'
- '🧑🏼🦯'
- '👨🏼🦯'
- '🧎🏼♀️'
- '🧎🏼'
- '🧎🏼♂️'
- '🏃🏼♀️'
- '🏃🏼'
- '🏃🏼♂️'
- '🧍🏼♀️'
- '🧍🏼'
- '🧍🏼♂️'
- '👭🏼'
- '🧑🏼🤝🧑🏼'
- '👬🏼'
- '👫🏼'
- '🧗🏼♀️'
- '🧗🏼'
- '🧗🏼♂️'
- '🏇🏼'
- '🏂🏼'
- '🏌🏼♀️'
- '🏌🏼'
- '🏌🏼♂️'
- '🏄🏼♀️'
- '🏄🏼'
- '🏄🏼♂️'
- '🚣🏼♀️'
- '🚣🏼'
- '🚣🏼♂️'
- '🏊🏼♀️'
- '🏊🏼'
- '🏊🏼♂️'
- '⛹🏼♀️'
- '⛹🏼'
- '⛹🏼♂️'
- '🏋🏼♀️'
- '🏋🏼'
- '🏋🏼♂️'
- '🚴🏼♀️'
- '🚴🏼'
- '🚴🏼♂️'
- '🚵🏼♀️'
- '🚵🏼'
- '🚵🏼♂️'
- '🤸🏼♀️'
- '🤸🏼'
- '🤸🏼♂️'
- '🤽🏼♀️'
- '🤽🏼'
- '🤽🏼♂️'
- '🤾🏼♀️'
- '🤾🏼'
- '🤾🏼♂️'
- '🤹🏼♀️'
- '🤹🏼'
- '🤹🏼♂️'
- '🧘🏼♀️'
- '🧘🏼'
- '🧘🏼♂️'
- '🛀🏼'
- '🛌🏼'
- '👋🏽'
- '🤚🏽'
- '🖐🏽'
- '✋🏽'
- '🖖🏽'
- '👌🏽'
- '🤌🏽'
- '🤏🏽'
- '✌🏽'
- '🤞🏽'
- '🫰🏽'
- '🤟🏽'
- '🤘🏽'
- '🤙🏽'
- '🫵🏽'
- '🫱🏽'
- '🫲🏽'
- '🫳🏽'
- '🫴🏽'
- '👈🏽'
- '👉🏽'
- '👆🏽'
- '🖕🏽'
- '👇🏽'
- '☝🏽'
- '👍🏽'
- '👎🏽'
- '✊🏽'
- '👊🏽'
- '🤛🏽'
- '🤜🏽'
- '👏🏽'
- '🫶🏽'
- '🙌🏽'
- '👐🏽'
- '🤲🏽'
- '🙏🏽'
- '✍🏽'
- '💪🏽'
- '🦵🏽'
- '🦶🏽'
- '👂🏽'
- '🦻🏽'
- '👃🏽'
- '👶🏽'
- '👧🏽'
- '🧒🏽'
- '👦🏽'
- '👩🏽'
- '🧑🏽'
- '👨🏽'
- '👩🏽🦱'
- '🧑🏽🦱'
- '👨🏽🦱'
- '👩🏽🦰'
- '🧑🏽🦰'
- '👨🏽🦰'
- '👱🏽♀️'
- '👱🏽'
- '👱🏽♂️'
- '👩🏽🦳'
- '🧑🏽🦳'
- '👨🏽🦳'
- '👩🏽🦲'
- '🧑🏽🦲'
- '👨🏽🦲'
- '🧔🏽♀️'
- '🧔🏽'
- '🧔🏽♂️'
- '👵🏽'
- '🧓🏽'
- '👴🏽'
- '👲🏽'
- '👳🏽♀️'
- '👳🏽'
- '👳🏽♂️'
- '🧕🏽'
- '👮🏽♀️'
- '👮🏽'
- '👮🏽♂️'
- '👷🏽♀️'
- '👷🏽'
- '👷🏽♂️'
- '💂🏽♀️'
- '💂🏽'
- '💂🏽♂️'
- '🕵🏽♀️'
- '🕵🏽'
- '🕵🏽♂️'
- '👩🏽⚕️'
- '🧑🏽⚕️'
- '👨🏽⚕️'
- '👩🏽🌾'
- '🧑🏽🌾'
- '👨🏽🌾'
- '👩🏽🍳'
- '🧑🏽🍳'
- '👨🏽🍳'
- '👩🏽🎓'
- '🧑🏽🎓'
- '👨🏽🎓'
- '👩🏽🎤'
- '🧑🏽🎤'
- '👨🏽🎤'
- '👩🏽🏫'
- '🧑🏽🏫'
- '👨🏽🏫'
- '👩🏽🏭'
- '🧑🏽🏭'
- '👨🏽🏭'
- '👩🏽💻'
- '🧑🏽💻'
- '👨🏽💻'
- '👩🏽💼'
- '🧑🏽💼'
- '👨🏽💼'
- '👩🏽🔧'
- '🧑🏽🔧'
- '👨🏽🔧'
- '👩🏽🔬'
- '🧑🏽🔬'
- '👨🏽🔬'
- '👩🏽🎨'
- '🧑🏽🎨'
- '👨🏽🎨'
- '👩🏽🚒'
- '🧑🏽🚒'
- '👨🏽🚒'
- '👩🏽✈️'
- '🧑🏽✈️'
- '👨🏽✈️'
- '👩🏽🚀'
- '🧑🏽🚀'
- '👨🏽🚀'
- '👩🏽⚖️'
- '🧑🏽⚖️'
- '👨🏽⚖️'
- '👰🏽♀️'
- '👰🏽'
- '👰🏽♂️'
- '🤵🏽♀️'
- '🤵🏽'
- '🤵🏽♂️'
- '👸🏽'
- '🫅🏽'
- '🤴🏽'
- '🥷🏽'
- '🦸🏽♀️'
- '🦸🏽'
- '🦸🏽♂️'
- '🦹🏽♀️'
- '🦹🏽'
- '🦹🏽♂️'
- '🤶🏽'
- '🧑🏽🎄'
- '🎅🏽'
- '🧙🏽♀️'
- '🧙🏽'
- '🧙🏽♂️'
- '🧝🏽♀️'
- '🧝🏽'
- '🧝🏽♂️'
- '🧛🏽♀️'
- '🧛🏽'
- '🧛🏽♂️'
- '🧜🏽♀️'
- '🧜🏽'
- '🧜🏽♂️'
- '🧚🏽♀️'
- '🧚🏽'
- '🧚🏽♂️'
- '👼🏽'
- '🤰🏽'
- '🫄🏽'
- '🫃🏽'
- '🤱🏽'
- '👩🏽🍼'
- '🧑🏽🍼'
- '👨🏽🍼'
- '🙇🏽♀️'
- '🙇🏽'
- '🙇🏽♂️'
- '💁🏽♀️'
- '💁🏽'
- '💁🏽♂️'
- '🙅🏽♀️'
- '🙅🏽'
- '🙅🏽♂️'
- '🙆🏽♀️'
- '🙆🏽'
- '🙆🏽♂️'
- '🙋🏽♀️'
- '🙋🏽'
- '🙋🏽♂️'
- '🧏🏽♀️'
- '🧏🏽'
- '🧏🏽♂️'
- '🤦🏽♀️'
- '🤦🏽'
- '🤦🏽♂️'
- '🤷🏽♀️'
- '🤷🏽'
- '🤷🏽♂️'
- '🙎🏽♀️'
- '🙎🏽'
- '🙎🏽♂️'
- '🙍🏽♀️'
- '🙍🏽'
- '🙍🏽♂️'
- '💇🏽♀️'
- '💇🏽'
- '💇🏽♂️'
- '💆🏽♀️'
- '💆🏽'
- '💆🏽♂️'
- '🧖🏽♀️'
- '🧖🏽'
- '🧖🏽♂️'
- '💃🏽'
- '🕺🏽'
- '🕴🏽'
- '👩🏽🦽'
- '🧑🏽🦽'
- '👨🏽🦽'
- '👩🏽🦼'
- '🧑🏽🦼'
- '👨🏽🦼'
- '🚶🏽♀️'
- '🚶🏽'
- '🚶🏽♂️'
- '👩🏽🦯'
- '🧑🏽🦯'
- '👨🏽🦯'
- '🧎🏽♀️'
- '🧎🏽'
- '🧎🏽♂️'
- '🏃🏽♀️'
- '🏃🏽'
- '🏃🏽♂️'
- '🧍🏽♀️'
- '🧍🏽'
- '🧍🏽♂️'
- '👭🏽'
- '🧑🏽🤝🧑🏽'
- '👬🏽'
- '👫🏽'
- '🧗🏽♀️'
- '🧗🏽'
- '🧗🏽♂️'
- '🏇🏽'
- '🏂🏽'
- '🏌🏽♀️'
- '🏌🏽'
- '🏌🏽♂️'
- '🏄🏽♀️'
- '🏄🏽'
- '🏄🏽♂️'
- '🚣🏽♀️'
- '🚣🏽'
- '🚣🏽♂️'
- '🏊🏽♀️'
- '🏊🏽'
- '🏊🏽♂️'
- '⛹🏽♀️'
- '⛹🏽'
- '⛹🏽♂️'
- '🏋🏽♀️'
- '🏋🏽'
- '🏋🏽♂️'
- '🚴🏽♀️'
- '🚴🏽'
- '🚴🏽♂️'
- '🚵🏽♀️'
- '🚵🏽'
- '🚵🏽♂️'
- '🤸🏽♀️'
- '🤸🏽'
- '🤸🏽♂️'
- '🤽🏽♀️'
- '🤽🏽'
- '🤽🏽♂️'
- '🤾🏽♀️'
- '🤾🏽'
- '🤾🏽♂️'
- '🤹🏽♀️'
- '🤹🏽'
- '🤹🏽♂️'
- '🧘🏽♀️'
- '🧘🏽'
- '🧘🏽♂️'
- '🛀🏽'
- '🛌🏽'
- '👋🏾'
- '🤚🏾'
- '🖐🏾'
- '✋🏾'
- '🖖🏾'
- '👌🏾'
- '🤌🏾'
- '🤏🏾'
- '✌🏾'
- '🤞🏾'
- '🫰🏾'
- '🤟🏾'
- '🤘🏾'
- '🤙🏾'
- '🫵🏾'
- '🫱🏾'
- '🫲🏾'
- '🫳🏾'
- '🫴🏾'
- '👈🏾'
- '👉🏾'
- '👆🏾'
- '🖕🏾'
- '👇🏾'
- '☝🏾'
- '👍🏾'
- '👎🏾'
- '✊🏾'
- '👊🏾'
- '🤛🏾'
- '🤜🏾'
- '👏🏾'
- '🫶🏾'
- '🙌🏾'
- '👐🏾'
- '🤲🏾'
- '🙏🏾'
- '✍🏾'
- '💪🏾'
- '🦵🏾'
- '🦶🏾'
- '👂🏾'
- '🦻🏾'
- '👃🏾'
- '👶🏾'
- '👧🏾'
- '🧒🏾'
- '👦🏾'
- '👩🏾'
- '🧑🏾'
- '👨🏾'
- '👩🏾🦱'
- '🧑🏾🦱'
- '👨🏾🦱'
- '👩🏾🦰'
- '🧑🏾🦰'
- '👨🏾🦰'
- '👱🏾♀️'
- '👱🏾'
- '👱🏾♂️'
- '👩🏾🦳'
- '🧑🏾🦳'
- '👨🏾🦳'
- '👩🏾🦲'
- '🧑🏾🦲'
- '👨🏾🦲'
- '🧔🏾♀️'
- '🧔🏾'
- '🧔🏾♂️'
- '👵🏾'
- '🧓🏾'
- '👴🏾'
- '👲🏾'
- '👳🏾♀️'
- '👳🏾'
- '👳🏾♂️'
- '🧕🏾'
- '👮🏾♀️'
- '👮🏾'
- '👮🏾♂️'
- '👷🏾♀️'
- '👷🏾'
- '👷🏾♂️'
- '💂🏾♀️'
- '💂🏾'
- '💂🏾♂️'
- '🕵🏾♀️'
- '🕵🏾'
- '🕵🏾♂️'
- '👩🏾⚕️'
- '🧑🏾⚕️'
- '👨🏾⚕️'
- '👩🏾🌾'
- '🧑🏾🌾'
- '👨🏾🌾'
- '👩🏾🍳'
- '🧑🏾🍳'
- '👨🏾🍳'
- '👩🏾🎓'
- '🧑🏾🎓'
- '👨🏾🎓'
- '👩🏾🎤'
- '🧑🏾🎤'
- '👨🏾🎤'
- '👩🏾🏫'
- '🧑🏾🏫'
- '👨🏾🏫'
- '👩🏾🏭'
- '🧑🏾🏭'
- '👨🏾🏭'
- '👩🏾💻'
- '🧑🏾💻'
- '👨🏾💻'
- '👩🏾💼'
- '🧑🏾💼'
- '👨🏾💼'
- '👩🏾🔧'
- '🧑🏾🔧'
- '👨🏾🔧'
- '👩🏾🔬'
- '🧑🏾🔬'
- '👨🏾🔬'
- '👩🏾🎨'
- '🧑🏾🎨'
- '👨🏾🎨'
- '👩🏾🚒'
- '🧑🏾🚒'
- '👨🏾🚒'
- '👩🏾✈️'
- '🧑🏾✈️'
- '👨🏾✈️'
- '👩🏾🚀'
- '🧑🏾🚀'
- '👨🏾🚀'
- '👩🏾⚖️'
- '🧑🏾⚖️'
- '👨🏾⚖️'
- '👰🏾♀️'
- '👰🏾'
- '👰🏾♂️'
- '🤵🏾♀️'
- '🤵🏾'
- '🤵🏾♂️'
- '👸🏾'
- '🫅🏾'
- '🤴🏾'
- '🥷🏾'
- '🦸🏾♀️'
- '🦸🏾'
- '🦸🏾♂️'
- '🦹🏾♀️'
- '🦹🏾'
- '🦹🏾♂️'
- '🤶🏾'
- '🧑🏾🎄'
- '🎅🏾'
- '🧙🏾♀️'
- '🧙🏾'
- '🧙🏾♂️'
- '🧝🏾♀️'
- '🧝🏾'
- '🧝🏾♂️'
- '🧛🏾♀️'
- '🧛🏾'
- '🧛🏾♂️'
- '🧜🏾♀️'
- '🧜🏾'
- '🧜🏾♂️'
- '🧚🏾♀️'
- '🧚🏾'
- '🧚🏾♂️'
- '👼🏾'
- '🤰🏾'
- '🫄🏾'
- '🫃🏾'
- '🤱🏾'
- '👩🏾🍼'
- '🧑🏾🍼'
- '👨🏾🍼'
- '🙇🏾♀️'
- '🙇🏾'
- '🙇🏾♂️'
- '💁🏾♀️'
- '💁🏾'
- '💁🏾♂️'
- '🙅🏾♀️'
- '🙅🏾'
- '🙅🏾♂️'
- '🙆🏾♀️'
- '🙆🏾'
- '🙆🏾♂️'
- '🙋🏾♀️'
- '🙋🏾'
- '🙋🏾♂️'
- '🧏🏾♀️'
- '🧏🏾'
- '🧏🏾♂️'
- '🤦🏾♀️'
- '🤦🏾'
- '🤦🏾♂️'
- '🤷🏾♀️'
- '🤷🏾'
- '🤷🏾♂️'
- '🙎🏾♀️'
- '🙎🏾'
- '🙎🏾♂️'
- '🙍🏾♀️'
- '🙍🏾'
- '🙍🏾♂️'
- '💇🏾♀️'
- '💇🏾'
- '💇🏾♂️'
- '💆🏾♀️'
- '💆🏾'
- '💆🏾♂️'
- '🧖🏾♀️'
- '🧖🏾'
- '🧖🏾♂️'
- '💃🏾'
- '🕺🏾'
- '👩🏾🦽'
- '🧑🏾🦽'
- '👨🏾🦽'
- '👩🏾🦼'
- '🧑🏾🦼'
- '👨🏾🦼'
- '🚶🏾♀️'
- '🚶🏾'
- '🚶🏾♂️'
- '👩🏾🦯'
- '🧑🏾🦯'
- '👨🏾🦯'
- '🧎🏾♀️'
- '🧎🏾'
- '🧎🏾♂️'
- '🏃🏾♀️'
- '🏃🏾'
- '🏃🏾♂️'
- '🧍🏾♀️'
- '🧍🏾'
- '🧍🏾♂️'
- '👭🏾'
- '🧑🏾🤝🧑🏾'
- '👬🏾'
- '👫🏾'
- '🧗🏾♀️'
- '🧗🏾'
- '🧗🏾♂️'
- '🏇🏾'
- '🏂🏾'
- '🏌🏾♀️'
- '🏌🏾'
- '🏌🏾♂️'
- '🏄🏾♀️'
- '🏄🏾'
- '🏄🏾♂️'
- '🚣🏾♀️'
- '🚣🏾'
- '🚣🏾♂️'
- '🏊🏾♀️'
- '🏊🏾'
- '🏊🏾♂️'
- '⛹🏾♀️'
- '⛹🏾'
- '⛹🏾♂️'
- '🏋🏾♀️'
- '🏋🏾'
- '🏋🏾♂️'
- '🚴🏾♀️'
- '🚴🏾'
- '🚴🏾♂️'
- '🚵🏾♀️'
- '🚵🏾'
- '🚵🏾♂️'
- '🤸🏾♀️'
- '🤸🏾'
- '🤸🏾♂️'
- '🤽🏾♀️'
- '🤽🏾'
- '🤽🏾♂️'
- '🤾🏾♀️'
- '🤾🏾'
- '🤾🏾♂️'
- '🤹🏾♀️'
- '🤹🏾'
- '🤹🏾♂️'
- '🧘🏾♀️'
- '🧘🏾'
- '🧘🏾♂️'
- '🛀🏾'
- '🛌🏾'
- '👋🏿'
- '🤚🏿'
- '🖐🏿'
- '✋🏿'
- '🖖🏿'
- '👌🏿'
- '🤌🏿'
- '🤏🏿'
- '✌🏿'
- '🤞🏿'
- '🫰🏿'
- '🤟🏿'
- '🤘🏿'
- '🤙🏿'
- '🫵🏿'
- '🫱🏿'
- '🫲🏿'
- '🫳🏿'
- '🫴🏿'
- '👈🏿'
- '👉🏿'
- '👆🏿'
- '🖕🏿'
- '👇🏿'
- '☝🏿'
- '👍🏿'
- '👎🏿'
- '✊🏿'
- '👊🏿'
- '🤛🏿'
- '🤜🏿'
- '👏🏿'
- '🫶🏿'
- '🙌🏿'
- '👐🏿'
- '🤲🏿'
- '🙏🏿'
- '✍🏿'
- '🤳🏿'
- '💪🏿'
- '🦵🏿'
- '🦶🏿'
- '👂🏿'
- '🦻🏿'
- '👃🏿'
- '👶🏿'
- '👧🏿'
- '🧒🏿'
- '👦🏿'
- '👩🏿'
- '🧑🏿'
- '👨🏿'
- '👩🏿🦱'
- '🧑🏿🦱'
- '👨🏿🦱'
- '👩🏿🦰'
- '🧑🏿🦰'
- '👨🏿🦰'
- '👱🏿♀️'
- '👱🏿'
- '👱🏿♂️'
- '👩🏿🦳'
- '🧑🏿🦳'
- '👨🏿🦳'
- '👩🏿🦲'
- '🧑🏿🦲'
- '👨🏿🦲'
- '🧔🏿♀️'
- '🧔🏿'
- '🧔🏿♂️'
- '👵🏿'
- '🧓🏿'
- '👴🏿'
- '👲🏿'
- '👳🏿♀️'
- '👳🏿'
- '👳🏿♂️'
- '🧕🏿'
- '👮🏿♀️'
- '👮🏿'
- '👮🏿♂️'
- '👷🏿♀️'
- '👷🏿'
- '👷🏿♂️'
- '💂🏿♀️'
- '💂🏿'
- '💂🏿♂️'
- '🕵🏿♀️'
- '🕵🏿'
- '🕵🏿♂️'
- '👩🏿⚕️'
- '🧑🏿⚕️'
- '👨🏿⚕️'
- '👩🏿🌾'
- '🧑🏿🌾'
- '👨🏿🌾'
- '👩🏿🍳'
- '🧑🏿🍳'
- '👨🏿🍳'
- '👩🏿🎓'
- '🧑🏿🎓'
- '👨🏿🎓'
- '👩🏿🎤'
- '🧑🏿🎤'
- '👨🏿🎤'
- '👩🏿🏫'
- '🧑🏿🏫'
- '👨🏿🏫'
- '👩🏿🏭'
- '🧑🏿🏭'
- '👨🏿🏭'
- '👩🏿💻'
- '🧑🏿💻'
- '👨🏿💻'
- '👩🏿💼'
- '🧑🏿💼'
- '👨🏿💼'
- '👩🏿🔧'
- '🧑🏿🔧'
- '👨🏿🔧'
- '👩🏿🔬'
- '🧑🏿🔬'
- '👨🏿🔬'
- '👩🏿🎨'
- '🧑🏿🎨'
- '👨🏿🎨'
- '👩🏿🚒'
- '🧑🏿🚒'
- '👨🏿🚒'
- '👩🏿✈️'
- '🧑🏿✈️'
- '👨🏿✈️'
- '👩🏿🚀'
- '🧑🏿🚀'
- '👨🏿🚀'
- '👩🏿⚖️'
- '🧑🏿⚖️'
- '👨🏿⚖️'
- '👰🏿♀️'
- '👰🏿'
- '👰🏿♂️'
- '🤵🏿♀️'
- '🤵🏿'
- '🤵🏿♂️'
- '👸🏿'
- '🫅🏿'
- '🤴🏿'
- '🥷🏿'
- '🦸🏿♀️'
- '🦸🏿'
- '🦸🏿♂️'
- '🦹🏿♀️'
- '🦹🏿'
- '🦹🏿♂️'
- '🤶🏿'
- '🧑🏿🎄'
- '🎅🏿'
- '🧙🏿♀️'
- '🧙🏿'
- '🧙🏿♂️'
- '🧝🏿♀️'
- '🧝🏿'
- '🧝🏿♂️'
- '🧛🏿♀️'
- '🧛🏿'
- '🧛🏿♂️'
- '🧜🏿♀️'
- '🧜🏿'
- '🧜🏿♂️'
- '🧚🏿♀️'
- '🧚🏿'
- '🧚🏿♂️'
- '👼🏿'
- '🤰🏿'
- '🫄🏿'
- '🫃🏿'
- '🤱🏿'
- '👩🏿🍼'
- '🧑🏿🍼'
- '👨🏿🍼'
- '🙇🏿♀️'
- '🙇🏿'
- '🙇🏿♂️'
- '💁🏿♀️'
- '💁🏿'
- '💁🏿♂️'
- '🙅🏿♀️'
- '🙅🏿'
- '🙅🏿♂️'
- '🙆🏿♀️'
- '🙆🏿'
- '🙆🏿♂️'
- '🙋🏿♀️'
- '🙋🏿'
- '🙋🏿♂️'
- '🧏🏿♀️'
- '🧏🏿'
- '🧏🏿♂️'
- '🤦🏿♀️'
- '🤦🏿'
- '🤦🏿♂️'
- '🤷🏿♀️'
- '🤷🏿'
- '🤷🏿♂️'
- '🙎🏿♀️'
- '🙎🏿'
- '🙎🏿♂️'
- '🙍🏿♀️'
- '🙍🏿'
- '🙍🏿♂️'
- '💇🏿♀️'
- '💇🏿'
- '💇🏿♂️'
- '💆🏿♀️'
- '💆🏿'
- '💆🏿♂️'
- '🧖🏿♀️'
- '🧖🏿'
- '🧖🏿♂️'
- '💃🏿'
- '🕺🏿'
- '🕴🏿'
- '👩🏿🦽'
- '🧑🏿🦽'
- '👨🏿🦽'
- '👩🏿🦼'
- '🧑🏿🦼'
- '👨🏿🦼'
- '🚶🏿♀️'
- '🚶🏿'
- '🚶🏿♂️'
- '👩🏿🦯'
- '🧑🏿🦯'
- '👨🏿🦯'
- '🧎🏿♀️'
- '🧎🏿'
- '🧎🏿♂️'
- '🏃🏿♀️'
- '🏃🏿'
- '🏃🏿♂️'
- '🧍🏿♀️'
- '🧍🏿'
- '🧍🏿♂️'
- '👭🏿'
- '🧑🏿🤝🧑🏿'
- '👬🏿'
- '👫🏿'
- '🧗🏿♀️'
- '🧗🏿'
- '🧗🏿♂️'
- '🏇🏿'
- '🏂🏿'
- '🏌🏿♀️'
- '🏌🏿'
- '🏌🏿♂️'
- '🏄🏿♀️'
- '🏄🏿'
- '🏄🏿♂️'
- '🚣🏿♀️'
- '🚣🏿'
- '🚣🏿♂️'
- '🏊🏿♀️'
- '🏊🏿'
- '🏊🏿♂️'
- '⛹🏿♀️'
- '⛹🏿'
- '⛹🏿♂️'
- '🏋🏿♀️'
- '🏋🏿'
- '🏋🏿♂️'
- '🚴🏿♀️'
- '🚴🏿'
- '🚴🏿♂️'
- '🚵🏿♀️'
- '🚵🏿'
- '🚵🏿♂️'
- '🤸🏿♀️'
- '🤸🏿'
- '🤸🏿♂️'
- '🤽🏿♀️'
- '🤽🏿'
- '🤽🏿♂️'
- '🤾🏿♀️'
- '🤾🏿'
- '🤾🏿♂️'
- '🤹🏿♀️'
- '🤹🏿'
- '🤹🏿♂️'
- '🧘🏿♀️'
- '🧘🏿'
- '🧘🏿♂️'
- '🛀🏿'
- '🛌🏿'
- '🐶'
- '🐱'
- '🐭'
- '🐹'
- '🐰'
- '🦊'
- '🐻'
- '🐼'
- '🐻❄️'
- '🐨'
- '🐯'
- '🦁'
- '🐮'
- '🐷'
- '🐽'
- '🐸'
- '🐵'
- '🙈'
- '🙉'
- '🙊'
- '🐒'
- '🐔'
- '🐧'
- '🐦'
- '🐤'
- '🐣'
- '🐥'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
view Sigma YAML
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
id: f9578658-9e71-4711-b634-3f9b50cd3c06
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🦆'
- '🦅'
- '🦉'
- '🦇'
- '🐺'
- '🐗'
- '🐴'
- '🦄'
- '🐝'
- '🪱'
- '🐛'
- '🦋'
- '🐌'
- '🐞'
- '🐜'
- '🪰'
- '🪲'
- '🪳'
- '🦟'
- '🦗'
- '🕷'
- '🕸'
- '🦂'
- '🐢'
- '🐍'
- '🦎'
- '🦖'
- '🦕'
- '🐙'
- '🦑'
- '🦐'
- '🦞'
- '🦀'
- '🪸'
- '🐡'
- '🐠'
- '🐟'
- '🐬'
- '🐳'
- '🐋'
- '🦈'
- '🐊'
- '🐅'
- '🐆'
- '🦓'
- '🦍'
- '🦧'
- '🦣'
- '🐘'
- '🦛'
- '🦏'
- '🐪'
- '🐫'
- '🦒'
- '🦘'
- '🦬'
- '🐃'
- '🐂'
- '🐄'
- '🐎'
- '🐖'
- '🐏'
- '🐑'
- '🦙'
- '🐐'
- '🦌'
- '🐕'
- '🐩'
- '🦮'
- '🐕🦺'
- '🐈'
- '🐈⬛'
- '🪶'
- '🐓'
- '🦃'
- '🦤'
- '🦚'
- '🦜'
- '🦢'
- '🦩'
- '🕊'
- '🐇'
- '🦝'
- '🦨'
- '🦡'
- '🦫'
- '🦦'
- '🦥'
- '🐁'
- '🐀'
- '🐿'
- '🦔'
- '🐾'
- '🐉'
- '🐲'
- '🌵'
- '🎄'
- '🌲'
- '🌳'
- '🌴'
- '🪹'
- '🪺'
- '🪵'
- '🌱'
- '🌿'
- '☘️'
- '🍀'
- '🎍'
- '🪴'
- '🎋'
- '🍃'
- '🍂'
- '🍁'
- '🍄'
- '🐚'
- '🪨'
- '🌾'
- '💐'
- '🌷'
- '🪷'
- '🌹'
- '🥀'
- '🌺'
- '🌸'
- '🌼'
- '🌻'
- '🌞'
- '🌝'
- '🌛'
- '🌜'
- '🌚'
- '🌕'
- '🌖'
- '🌗'
- '🌘'
- '🌑'
- '🌒'
- '🌓'
- '🌔'
- '🌙'
- '🌎'
- '🌍'
- '🌏'
- '🪐'
- '💫'
- '⭐️'
- '🌟'
- '✨'
- '⚡️'
- '☄️'
- '💥'
- '🔥'
- '🌪'
- '🌈'
- '☀️'
- '🌤'
- '⛅️'
- '🌥'
- '☁️'
- '🌦'
- '🌧'
- '⛈'
- '🌩'
- '🌨'
- '❄️'
- '☃️'
- '⛄️'
- '🌬'
- '💨'
- '💧'
- '💦'
- '🫧'
- '☔️'
- '☂️'
- '🌊'
- '🌫🍏'
- '🍎'
- '🍐'
- '🍊'
- '🍋'
- '🍌'
- '🍉'
- '🍇'
- '🍓'
- '🫐'
- '🍈'
- '🍒'
- '🍑'
- '🥭'
- '🍍'
- '🥥'
- '🥝'
- '🍅'
- '🍆'
- '🥑'
- '🥦'
- '🥬'
- '🥒'
- '🌶'
- '🫑'
- '🌽'
- '🥕'
- '🫒'
- '🧄'
- '🧅'
- '🥔'
- '🍠'
- '🫘'
- '🥐'
- '🥯'
- '🍞'
- '🥖'
- '🥨'
- '🧀'
- '🥚'
- '🍳'
- '🧈'
- '🥞'
- '🧇'
- '🥓'
- '🥩'
- '🍗'
- '🍖'
- '🦴'
- '🌭'
- '🍔'
- '🍟'
- '🍕'
- '🫓'
- '🥪'
- '🥙'
- '🧆'
- '🌮'
- '🌯'
- '🫔'
- '🥗'
- '🥘'
- '🫕'
- '🥫'
- '🍝'
- '🍜'
- '🍲'
- '🍛'
- '🍣'
- '🍱'
- '🥟'
- '🦪'
- '🍤'
- '🍙'
- '🍚'
- '🍘'
- '🍥'
- '🥠'
- '🥮'
- '🍢'
- '🍡'
- '🍧'
- '🍨'
- '🍦'
- '🥧'
- '🧁'
- '🍰'
- '🎂'
- '🍮'
- '🍭'
- '🍬'
- '🍫'
- '🍿'
- '🍩'
- '🍪'
- '🌰'
- '🥜'
- '🍯'
- '🥛'
- '🍼'
- '🫖'
- '☕️'
- '🍵'
- '🧃'
- '🥤'
- '🧋'
- '🫙'
- '🍶'
- '🍺'
- '🍻'
- '🥂'
- '🍷'
- '🫗'
- '🥃'
- '🍸'
- '🍹'
- '🧉'
- '🍾'
- '🧊'
- '🥄'
- '🍴'
- '🍽'
- '🥣'
- '🥡'
- '🥢'
- '🧂'
- '⚽️'
- '🏀'
- '🏈'
- '⚾️'
- '🥎'
- '🎾'
- '🏐'
- '🏉'
- '🥏'
- '🎱'
- '🪀'
- '🏓'
- '🏸'
- '🏒'
- '🏑'
- '🥍'
- '🏏'
- '🪃'
- '🥅'
- '⛳️'
- '🪁'
- '🏹'
- '🎣'
- '🤿'
- '🥊'
- '🥋'
- '🎽'
- '🛹'
- '🛼'
- '🛷'
- '⛸'
- '🥌'
- '🎿'
- '⛷'
- '🏂'
- '🪂'
- '🏋️♀️'
- '🏋️'
- '🏋️♂️'
- '🤼♀️'
- '🤼'
- '🤼♂️'
- '🤸♀️'
- '🤸'
- '🤸♂️'
- '⛹️♀️'
- '⛹️'
- '⛹️♂️'
- '🤺'
- '🤾♀️'
- '🤾'
- '🤾♂️'
- '🏌️♀️'
- '🏌️'
- '🏌️♂️'
- '🏇'
- '🧘♀️'
- '🧘'
- '🧘♂️'
- '🏄♀️'
- '🏄'
- '🏄♂️'
- '🏊♀️'
- '🏊'
- '🏊♂️'
- '🤽♀️'
- '🤽'
- '🤽♂️'
- '🚣♀️'
- '🚣'
- '🚣♂️'
- '🧗♀️'
- '🧗'
- '🧗♂️'
- '🚵♀️'
- '🚵'
- '🚵♂️'
- '🚴♀️'
- '🚴'
- '🚴♂️'
- '🏆'
- '🥇'
- '🥈'
- '🥉'
- '🏅'
- '🎖'
- '🏵'
- '🎗'
- '🎫'
- '🎟'
- '🎪'
- '🤹'
- '🤹♂️'
- '🤹♀️'
- '🎭'
- '🩰'
- '🎨'
- '🎬'
- '🎤'
- '🎧'
- '🎼'
- '🎹'
- '🥁'
- '🪘'
- '🎷'
- '🎺'
- '🪗'
- '🎸'
- '🪕'
- '🎻'
- '🎲'
- '♟'
- '🎯'
- '🎳'
- '🎮'
- '🎰'
- '🧩'
- '🚗'
- '🚕'
- '🚙'
- '🚌'
- '🚎'
- '🏎'
- '🚓'
- '🚑'
- '🚒'
- '🚐'
- '🛻'
- '🚚'
- '🚛'
- '🚜'
- '🦯'
- '🦽'
- '🦼'
- '🛴'
- '🚲'
- '🛵'
- '🏍'
- '🛺'
- '🚨'
- '🚔'
- '🚍'
- '🚘'
- '🚖'
- '🛞'
- '🚡'
- '🚠'
- '🚟'
- '🚃'
- '🚋'
- '🚞'
- '🚝'
- '🚄'
- '🚅'
- '🚈'
- '🚂'
- '🚆'
- '🚇'
- '🚊'
- '🚉'
- '✈️'
- '🛫'
- '🛬'
- '🛩'
- '💺'
- '🛰'
- '🚀'
- '🛸'
- '🚁'
- '🛶'
- '⛵️'
- '🚤'
- '🛥'
- '🛳'
- '⛴'
- '🚢'
- '⚓️'
- '🛟'
- '🪝'
- '⛽️'
- '🚧'
- '🚦'
- '🚥'
- '🚏'
- '🗺'
- '🗿'
- '🗽'
- '🗼'
- '🏰'
- '🏯'
- '🏟'
- '🎡'
- '🎢'
- '🛝'
- '🎠'
- '⛲️'
- '⛱'
- '🏖'
- '🏝'
- '🏜'
- '🌋'
- '⛰'
- '🏔'
- '🗻'
- '🏕'
- '⛺️'
- '🛖'
- '🏠'
- '🏡'
- '🏘'
- '🏚'
- '🏗'
- '🏭'
- '🏢'
- '🏬'
- '🏣'
- '🏤'
- '🏥'
- '🏦'
- '🏨'
- '🏪'
- '🏫'
- '🏩'
- '💒'
- '🏛'
- '⛪️'
- '🕌'
- '🕍'
- '🛕'
- '🕋'
- '⛩'
- '🛤'
- '🛣'
- '🗾'
- '🎑'
- '🏞'
- '🌅'
- '🌄'
- '🌠'
- '🎇'
- '🎆'
- '🌇'
- '🌆'
- '🏙'
- '🌃'
- '🌌'
- '🌉'
- '🌁'
- '⌚️'
- '📱'
- '📲'
- '💻'
- '⌨️'
- '🖥'
- '🖨'
- '🖱'
- '🖲'
- '🕹'
- '🗜'
- '💽'
- '💾'
- '💿'
- '📀'
- '📼'
- '📷'
- '📸'
- '📹'
- '🎥'
- '📽'
- '🎞'
- '📞'
- '☎️'
- '📟'
- '📠'
- '📺'
- '📻'
- '🎙'
- '🎚'
- '🎛'
- '🧭'
- '⏱'
- '⏲'
- '⏰'
- '🕰'
- '⌛️'
- '⏳'
- '📡'
- '🔋'
- '🪫'
- '🔌'
- '💡'
- '🔦'
- '🕯'
- '🪔'
- '🧯'
- '🛢'
- '💸'
- '💵'
- '💴'
- '💶'
- '💷'
- '🪙'
- '💰'
- '💳'
- '💎'
- '⚖️'
- '🪜'
- '🧰'
- '🪛'
- '🔧'
- '🔨'
- '⚒'
- '🛠'
- '⛏'
- '🪚'
- '🔩'
- '⚙️'
- '🪤'
- '🧱'
- '⛓'
- '🧲'
- '🔫'
- '💣'
- '🧨'
- '🪓'
- '🔪'
- '🗡'
- '⚔️'
- '🛡'
- '🚬'
- '⚰️'
- '🪦'
- '⚱️'
- '🏺'
- '🔮'
- '📿'
- '🧿'
- '🪬'
- '💈'
- '⚗️'
- '🔭'
- '🔬'
- '🕳'
- '🩹'
- '🩺'
- '🩻'
- '🩼'
- '💊'
- '💉'
- '🩸'
- '🧬'
- '🦠'
- '🧫'
- '🧪'
- '🌡'
- '🧹'
- '🪠'
- '🧺'
- '🧻'
- '🚽'
- '🚰'
- '🚿'
- '🛁'
- '🛀'
- '🧼'
- '🪥'
- '🪒'
- '🧽'
- '🪣'
- '🧴'
- '🛎'
- '🔑'
- '🗝'
- '🚪'
- '🪑'
- '🛋'
- '🛏'
- '🛌'
- '🧸'
- '🪆'
- '🖼'
- '🪞'
- '🪟'
- '🛍'
- '🛒'
- '🎁'
- '🎈'
- '🎏'
- '🎀'
- '🪄'
- '🪅'
- '🎊'
- '🎉'
- '🪩'
- '🎎'
- '🏮'
- '🎐'
- '🧧'
- '✉️'
- '📩'
- '📨'
- '📧'
- '💌'
- '📥'
- '📤'
- '📦'
- '🏷'
- '🪧'
- '📪'
- '📫'
- '📬'
- '📭'
- '📮'
- '📯'
- '📜'
- '📃'
- '📄'
- '📑'
- '🧾'
- '📊'
- '📈'
- '📉'
- '🗒'
- '🗓'
- '📆'
- '📅'
- '🗑'
- '🪪'
- '📇'
- '🗃'
- '🗳'
- '🗄'
- '📋'
- '📁'
- '📂'
- '🗂'
- '🗞'
- '📰'
- '📓'
- '📔'
- '📒'
- '📕'
- '📗'
- '📘'
- '📙'
- '📚'
- '📖'
- '🔖'
- '🧷'
- '🔗'
- '📎'
- '🖇'
- '📐'
- '📏'
- '🧮'
- '📌'
- '📍'
- '✂️'
- '🖊'
- '🖋'
- '✒️'
- '🖌'
- '🖍'
- '📝'
- '✏️'
- '🔍'
- '🔎'
- '🔏'
- '🔐'
- '🔒'
- '🔓❤️'
- '🧡'
- '💛'
- '💚'
- '💙'
- '💜'
- '🖤'
- '🤍'
- '🤎'
- '❤️🔥'
- '❤️🩹'
- '💔'
- '❣️'
- '💕'
- '💞'
- '💓'
- '💗'
- '💖'
- '💘'
- '💝'
- '💟'
- '☮️'
- '✝️'
- '☪️'
- '🕉'
- '☸️'
- '✡️'
- '🔯'
- '🕎'
- '☯️'
- '☦️'
- '🛐'
- '⛎'
- '♈️'
- '♉️'
- '♊️'
- '♋️'
- '♌️'
- '♍️'
- '♎️'
- '♏️'
- '♐️'
- '♑️'
- '♒️'
- '♓️'
- '🆔'
- '⚛️'
- '🉑'
- '☢️'
- '☣️'
- '📴'
- '📳'
- '🈶'
- '🈚️'
- '🈸'
- '🈺'
- '🈷️'
- '✴️'
- '🆚'
- '💮'
- '🉐'
- '㊙️'
- '㊗️'
- '🈴'
- '🈵'
- '🈹'
- '🈲'
- '🅰️'
- '🅱️'
- '🆎'
- '🆑'
- '🅾️'
- '🆘'
- '❌'
- '⭕️'
- '🛑'
- '⛔️'
- '📛'
- '🚫'
- '💯'
- '💢'
- '♨️'
- '🚷'
- '🚯'
- '🚳'
- '🚱'
- '🔞'
- '📵'
- '🚭'
- '❗️'
- '❕'
- '❓'
- '❔'
- '‼️'
- '⁉️'
- '🔅'
- '🔆'
- '〽️'
- '⚠️'
- '🚸'
- '🔱'
- '⚜️'
- '🔰'
- '♻️'
- '✅'
- '🈯️'
- '💹'
- '❇️'
- '✳️'
- '❎'
- '🌐'
- '💠'
- 'Ⓜ️'
- '🌀'
- '💤'
- '🏧'
- '🚾'
- '♿️'
- '🅿️'
- '🛗'
- '🈳'
- '🈂️'
- '🛂'
- '🛃'
- '🛄'
- '🛅'
- '🚹'
- '🚺'
- '🚼'
- '⚧'
- '🚻'
- '🚮'
- '🎦'
- '📶'
- '🈁'
- '🔣'
- 'ℹ️'
- '🔤'
- '🔡'
- '🔠'
- '🆖'
- '🆗'
- '🆙'
- '🆒'
- '🆕'
- '🆓'
- '0️⃣'
- '1️⃣'
- '2️⃣'
- '3️⃣'
- '4️⃣'
- '5️⃣'
- '6️⃣'
- '7️⃣'
- '8️⃣'
- '9️⃣'
- '🔟'
- '🔢'
- '#️⃣'
- '*️⃣'
- '⏏️'
- '▶️'
- '⏸'
- '⏯'
- '⏹'
- '⏺'
- '⏭'
- '⏮'
- '⏩'
- '⏪'
- '⏫'
- '⏬'
- '◀️'
- '🔼'
- '🔽'
- '➡️'
- '⬅️'
- '⬆️'
- '⬇️'
- '↗️'
- '↘️'
- '↙️'
- '↖️'
- '↕️'
- '↔️'
- '↪️'
- '↩️'
- '⤴️'
- '⤵️'
- '🔀'
- '🔁'
- '🔂'
- '🔄'
- '🔃'
- '🎵'
- '🎶'
- '➕'
- '➖'
- '➗'
- '✖️'
- '🟰'
- '♾'
- '💲'
- '💱'
- '™️'
- '©️'
- '®️'
- '〰️'
- '➰'
- '➿'
- '🔚'
- '🔙'
- '🔛'
- '🔝'
- '🔜'
- '✔️'
- '☑️'
- '🔘'
- '🔴'
- '🟠'
- '🟡'
- '🟢'
- '🔵'
- '🟣'
- '⚫️'
- '⚪️'
- '🟤'
- '🔺'
- '🔻'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
view Sigma YAML
title: Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
id: 225274c4-8dd1-40db-9e09-71dff4f6fb3c
status: test
description: Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
author: '@Kostastsale, TheDFIRReport'
references:
- Internal Research
tags:
- attack.stealth
date: 2022-12-05
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- '🔸'
- '🔹'
- '🔶'
- '🔷'
- '🔳'
- '🔲'
- '▪️'
- '▫️'
- '◾️'
- '◽️'
- '◼️'
- '◻️'
- '🟥'
- '🟧'
- '🟨'
- '🟩'
- '🟦'
- '🟪'
- '⬛️'
- '⬜️'
- '🟫'
- '🔈'
- '🔇'
- '🔉'
- '🔊'
- '🔔'
- '🔕'
- '📣'
- '📢'
- '👁🗨'
- '💬'
- '💭'
- '🗯'
- '♠️'
- '♣️'
- '♥️'
- '♦️'
- '🃏'
- '🎴'
- '🀄️'
- '🕐'
- '🕑'
- '🕒'
- '🕓'
- '🕔'
- '🕕'
- '🕖'
- '🕗'
- '🕘'
- '🕙'
- '🕚'
- '🕛'
- '🕜'
- '🕝'
- '🕞'
- '🕟'
- '🕠'
- '🕡'
- '🕢'
- '🕣'
- '🕤'
- '🕥'
- '🕦'
- '🕧✢'
- '✣'
- '✤'
- '✥'
- '✦'
- '✧'
- '★'
- '☆'
- '✯'
- '✡︎'
- '✩'
- '✪'
- '✫'
- '✬'
- '✭'
- '✮'
- '✶'
- '✷'
- '✵'
- '✸'
- '✹'
- '→'
- '⇒'
- '⟹'
- '⇨'
- '⇾'
- '➾'
- '⇢'
- '☛'
- '☞'
- '➔'
- '➜'
- '➙'
- '➛'
- '➝'
- '➞'
- '♠︎'
- '♣︎'
- '♥︎'
- '♦︎'
- '♤'
- '♧'
- '♡'
- '♢'
- '♚'
- '♛'
- '♜'
- '♝'
- '♞'
- '♟'
- '♔'
- '♕'
- '♖'
- '♗'
- '♘'
- '♙'
- '⚀'
- '⚁'
- '⚂'
- '⚃'
- '⚄'
- '⚅'
- '🂠'
- '⚈'
- '⚉'
- '⚆'
- '⚇'
- '𓀀'
- '𓀁'
- '𓀂'
- '𓀃'
- '𓀄'
- '𓀅'
- '𓀆'
- '𓀇'
- '𓀈'
- '𓀉'
- '𓀊'
- '𓀋'
- '𓀌'
- '𓀍'
- '𓀎'
- '𓀏'
- '𓀐'
- '𓀑'
- '𓀒'
- '𓀓'
- '𓀔'
- '𓀕'
- '𓀖'
- '𓀗'
- '𓀘'
- '𓀙'
- '𓀚'
- '𓀛'
- '𓀜'
- '𓀝🏳️'
- '🏴'
- '🏁'
- '🚩'
- '🏳️🌈'
- '🏳️⚧️'
- '🏴☠️'
- '🇦🇫'
- '🇦🇽'
- '🇦🇱'
- '🇩🇿'
- '🇦🇸'
- '🇦🇩'
- '🇦🇴'
- '🇦🇮'
- '🇦🇶'
- '🇦🇬'
- '🇦🇷'
- '🇦🇲'
- '🇦🇼'
- '🇦🇺'
- '🇦🇹'
- '🇦🇿'
- '🇧🇸'
- '🇧🇭'
- '🇧🇩'
- '🇧🇧'
- '🇧🇾'
- '🇧🇪'
- '🇧🇿'
- '🇧🇯'
- '🇧🇲'
- '🇧🇹'
- '🇧🇴'
- '🇧🇦'
- '🇧🇼'
- '🇧🇷'
- '🇮🇴'
- '🇻🇬'
- '🇧🇳'
- '🇧🇬'
- '🇧🇫'
- '🇧🇮'
- '🇰🇭'
- '🇨🇲'
- '🇨🇦'
- '🇮🇨'
- '🇨🇻'
- '🇧🇶'
- '🇰🇾'
- '🇨🇫'
- '🇹🇩'
- '🇨🇱'
- '🇨🇳'
- '🇨🇽'
- '🇨🇨'
- '🇨🇴'
- '🇰🇲'
- '🇨🇬'
- '🇨🇩'
- '🇨🇰'
- '🇨🇷'
- '🇨🇮'
- '🇭🇷'
- '🇨🇺'
- '🇨🇼'
- '🇨🇾'
- '🇨🇿'
- '🇩🇰'
- '🇩🇯'
- '🇩🇲'
- '🇩🇴'
- '🇪🇨'
- '🇪🇬'
- '🇸🇻'
- '🇬🇶'
- '🇪🇷'
- '🇪🇪'
- '🇪🇹'
- '🇪🇺'
- '🇫🇰'
- '🇫🇴'
- '🇫🇯'
- '🇫🇮'
- '🇫🇷'
- '🇬🇫'
- '🇵🇫'
- '🇹🇫'
- '🇬🇦'
- '🇬🇲'
- '🇬🇪'
- '🇩🇪'
- '🇬🇭'
- '🇬🇮'
- '🇬🇷'
- '🇬🇱'
- '🇬🇩'
- '🇬🇵'
- '🇬🇺'
- '🇬🇹'
- '🇬🇬'
- '🇬🇳'
- '🇬🇼'
- '🇬🇾'
- '🇭🇹'
- '🇭🇳'
- '🇭🇰'
- '🇭🇺'
- '🇮🇸'
- '🇮🇳'
- '🇮🇩'
- '🇮🇷'
- '🇮🇶'
- '🇮🇪'
- '🇮🇲'
- '🇮🇱'
- '🇮🇹'
- '🇯🇲'
- '🇯🇵'
- '🎌'
- '🇯🇪'
- '🇯🇴'
- '🇰🇿'
- '🇰🇪'
- '🇰🇮'
- '🇽🇰'
- '🇰🇼'
- '🇰🇬'
- '🇱🇦'
- '🇱🇻'
- '🇱🇧'
- '🇱🇸'
- '🇱🇷'
- '🇱🇾'
- '🇱🇮'
- '🇱🇹'
- '🇱🇺'
- '🇲🇴'
- '🇲🇰'
- '🇲🇬'
- '🇲🇼'
- '🇲🇾'
- '🇲🇻'
- '🇲🇱'
- '🇲🇹'
- '🇲🇭'
- '🇲🇶'
- '🇲🇷'
- '🇲🇺'
- '🇾🇹'
- '🇲🇽'
- '🇫🇲'
- '🇲🇩'
- '🇲🇨'
- '🇲🇳'
- '🇲🇪'
- '🇲🇸'
- '🇲🇦'
- '🇲🇿'
- '🇲🇲'
- '🇳🇦'
- '🇳🇷'
- '🇳🇵'
- '🇳🇱'
- '🇳🇨'
- '🇳🇿'
- '🇳🇮'
- '🇳🇪'
- '🇳🇬'
- '🇳🇺'
- '🇳🇫'
- '🇰🇵'
- '🇲🇵'
- '🇳🇴'
- '🇴🇲'
- '🇵🇰'
- '🇵🇼'
- '🇵🇸'
- '🇵🇦'
- '🇵🇬'
- '🇵🇾'
- '🇵🇪'
- '🇵🇭'
- '🇵🇳'
- '🇵🇱'
- '🇵🇹'
- '🇵🇷'
- '🇶🇦'
- '🇷🇪'
- '🇷🇴'
- '🇷🇺'
- '🇷🇼'
- '🇼🇸'
- '🇸🇲'
- '🇸🇦'
- '🇸🇳'
- '🇷🇸'
- '🇸🇨'
- '🇸🇱'
- '🇸🇬'
- '🇸🇽'
- '🇸🇰'
- '🇸🇮'
- '🇬🇸'
- '🇸🇧'
- '🇸🇴'
- '🇿🇦'
- '🇰🇷'
- '🇸🇸'
- '🇪🇸'
- '🇱🇰'
- '🇧🇱'
- '🇸🇭'
- '🇰🇳'
- '🇱🇨'
- '🇵🇲'
- '🇻🇨'
- '🇸🇩'
- '🇸🇷'
- '🇸🇿'
- '🇸🇪'
- '🇨🇭'
- '🇸🇾'
- '🇹🇼'
- '🇹🇯'
- '🇹🇿'
- '🇹🇭'
- '🇹🇱'
- '🇹🇬'
- '🇹🇰'
- '🇹🇴'
- '🇹🇹'
- '🇹🇳'
- '🇹🇷'
- '🇹🇲'
- '🇹🇨'
- '🇹🇻'
- '🇻🇮'
- '🇺🇬'
- '🇺🇦'
- '🇦🇪'
- '🇬🇧'
- '🏴'
- '🏴'
- '🏴'
- '🇺🇳'
- '🇺🇸'
- '🇺🇾'
- '🇺🇿'
- '🇻🇺'
- '🇻🇦'
- '🇻🇪'
- '🇻🇳'
- '🇼🇫'
- '🇪🇭'
- '🇾🇪'
- '🇿🇲'
- '🇿🇼🫠'
- '🫢'
- '🫣'
- '🫡'
- '🫥'
- '🫤'
- '🥹'
- '🫱'
- '🫱🏻'
- '🫱🏼'
- '🫱🏽'
- '🫱🏾'
- '🫱🏿'
- '🫲'
- '🫲🏻'
- '🫲🏼'
- '🫲🏽'
- '🫲🏾'
- '🫲🏿'
- '🫳'
- '🫳🏻'
- '🫳🏼'
- '🫳🏽'
- '🫳🏾'
- '🫳🏿'
- '🫴'
- '🫴🏻'
- '🫴🏼'
- '🫴🏽'
- '🫴🏾'
- '🫴🏿'
- '🫰'
- '🫰🏻'
- '🫰🏼'
- '🫰🏽'
- '🫰🏾'
- '🫰🏿'
- '🫵'
- '🫵🏻'
- '🫵🏼'
- '🫵🏽'
- '🫵🏾'
- '🫵🏿'
- '🫶'
- '🫶🏻'
- '🫶🏼'
- '🫶🏽'
- '🫶🏾'
- '🫶🏿'
- '🤝🏻'
- '🤝🏼'
- '🤝🏽'
- '🤝🏾'
- '🤝🏿'
- '🫱🏻🫲🏼'
- '🫱🏻🫲🏽'
- '🫱🏻🫲🏾'
- '🫱🏻🫲🏿'
- '🫱🏼🫲🏻'
- '🫱🏼🫲🏽'
- '🫱🏼🫲🏾'
- '🫱🏼🫲🏿'
- '🫱🏽🫲🏻'
- '🫱🏽🫲🏼'
- '🫱🏽🫲🏾'
- '🫱🏽🫲🏿'
- '🫱🏾🫲🏻'
- '🫱🏾🫲🏼'
- '🫱🏾🫲🏽'
- '🫱🏾🫲🏿'
- '🫱🏿🫲🏻'
- '🫱🏿🫲🏼'
- '🫱🏿🫲🏽'
- '🫱🏿🫲🏾'
- '🫦'
- '🫅'
- '🫅🏻'
- '🫅🏼'
- '🫅🏽'
- '🫅🏾'
- '🫅🏿'
- '🫃'
- '🫃🏻'
- '🫃🏼'
- '🫃🏽'
- '🫃🏾'
- '🫃🏿'
- '🫄'
- '🫄🏻'
- '🫄🏼'
- '🫄🏽'
- '🫄🏾'
- '🫄🏿'
- '🧌'
- '🪸'
- '🪷'
- '🪹'
- '🪺'
- '🫘'
- '🫗'
- '🫙'
- '🛝'
- '🛞'
- '🛟'
- '🪬'
- '🪩'
- '🪫'
- '🩼'
- '🩻'
- '🫧'
- '🪪'
- '🟰'
- '😮💨'
- '😵💫'
- '😶🌫️'
- '❤️🔥'
- '❤️🩹'
- '🧔♀️'
- '🧔🏻♀️'
- '🧔🏼♀️'
- '🧔🏽♀️'
- '🧔🏾♀️'
- '🧔🏿♀️'
- '🧔♂️'
- '🧔🏻♂️'
- '🧔🏼♂️'
- '🧔🏽♂️'
- '🧔🏾♂️'
- '🧔🏿♂️'
- '💑🏻'
- '💑🏼'
- '💑🏽'
- '💑🏾'
- '💑🏿'
- '💏🏻'
- '💏🏼'
- '💏🏽'
- '💏🏾'
- '💏🏿'
- '👨🏻❤️👨🏻'
- '👨🏻❤️👨🏼'
- '👨🏻❤️👨🏽'
- '👨🏻❤️👨🏾'
- '👨🏻❤️👨🏿'
- '👨🏼❤️👨🏻'
- '👨🏼❤️👨🏼'
- '👨🏼❤️👨🏽'
- '👨🏼❤️👨🏾'
- '👨🏼❤️👨🏿'
- '👨🏽❤️👨🏻'
- '👨🏽❤️👨🏼'
- '👨🏽❤️👨🏽'
- '👨🏽❤️👨🏾'
- '👨🏽❤️👨🏿'
- '👨🏾❤️👨🏻'
- '👨🏾❤️👨🏼'
- '👨🏾❤️👨🏽'
- '👨🏾❤️👨🏾'
- '👨🏾❤️👨🏿'
- '👨🏿❤️👨🏻'
- '👨🏿❤️👨🏼'
- '👨🏿❤️👨🏽'
- '👨🏿❤️👨🏾'
- '👨🏿❤️👨🏿'
- '👩🏻❤️👨🏻'
- '👩🏻❤️👨🏼'
- '👩🏻❤️👨🏽'
- '👩🏻❤️👨🏾'
- '👩🏻❤️👨🏿'
- '👩🏻❤️👩🏻'
- '👩🏻❤️👩🏼'
- '👩🏻❤️👩🏽'
- '👩🏻❤️👩🏾'
- '👩🏻❤️👩🏿'
- '👩🏼❤️👨🏻'
- '👩🏼❤️👨🏼'
- '👩🏼❤️👨🏽'
- '👩🏼❤️👨🏾'
- '👩🏼❤️👨🏿'
- '👩🏼❤️👩🏻'
- '👩🏼❤️👩🏼'
- '👩🏼❤️👩🏽'
- '👩🏼❤️👩🏾'
- '👩🏼❤️👩🏿'
- '👩🏽❤️👨🏻'
- '👩🏽❤️👨🏼'
- '👩🏽❤️👨🏽'
- '👩🏽❤️👨🏾'
- '👩🏽❤️👨🏿'
- '👩🏽❤️👩🏻'
- '👩🏽❤️👩🏼'
- '👩🏽❤️👩🏽'
- '👩🏽❤️👩🏾'
- '👩🏽❤️👩🏿'
- '👩🏾❤️👨🏻'
- '👩🏾❤️👨🏼'
- '👩🏾❤️👨🏽'
- '👩🏾❤️👨🏾'
- '👩🏾❤️👨🏿'
- '👩🏾❤️👩🏻'
- '👩🏾❤️👩🏼'
- '👩🏾❤️👩🏽'
- '👩🏾❤️👩🏾'
- '👩🏾❤️👩🏿'
- '👩🏿❤️👨🏻'
- '👩🏿❤️👨🏼'
- '👩🏿❤️👨🏽'
- '👩🏿❤️👨🏾'
- '👩🏿❤️👨🏿'
- '👩🏿❤️👩🏻'
- '👩🏿❤️👩🏼'
- '👩🏿❤️👩🏽'
- '👩🏿❤️👩🏾'
- '👩🏿❤️👩🏿'
- '🧑🏻❤️🧑🏼'
- '🧑🏻❤️🧑🏽'
- '🧑🏻❤️🧑🏾'
- '🧑🏻❤️🧑🏿'
- '🧑🏼❤️🧑🏻'
- '🧑🏼❤️🧑🏽'
- '🧑🏼❤️🧑🏾'
- '🧑🏼❤️🧑🏿'
- '🧑🏽❤️🧑🏻'
- '🧑🏽❤️🧑🏼'
- '🧑🏽❤️🧑🏾'
- '🧑🏽❤️🧑🏿'
- '🧑🏾❤️🧑🏻'
- '🧑🏾❤️🧑🏼'
- '🧑🏾❤️🧑🏽'
- '🧑🏾❤️🧑🏿'
- '🧑🏿❤️🧑🏻'
- '🧑🏿❤️🧑🏼'
- '🧑🏿❤️🧑🏽'
- '🧑🏿❤️🧑🏾'
- '👨🏻❤️💋👨🏻'
- '👨🏻❤️💋👨🏼'
- '👨🏻❤️💋👨🏽'
- '👨🏻❤️💋👨🏾'
- '👨🏻❤️💋👨🏿'
- '👨🏼❤️💋👨🏻'
- '👨🏼❤️💋👨🏼'
- '👨🏼❤️💋👨🏽'
- '👨🏼❤️💋👨🏾'
- '👨🏼❤️💋👨🏿'
- '👨🏽❤️💋👨🏻'
- '👨🏽❤️💋👨🏼'
- '👨🏽❤️💋👨🏽'
- '👨🏽❤️💋👨🏾'
- '👨🏽❤️💋👨🏿'
- '👨🏾❤️💋👨🏻'
- '👨🏾❤️💋👨🏼'
- '👨🏾❤️💋👨🏽'
- '👨🏾❤️💋👨🏾'
- '👨🏾❤️💋👨🏿'
- '👨🏿❤️💋👨🏻'
- '👨🏿❤️💋👨🏼'
- '👨🏿❤️💋👨🏽'
- '👨🏿❤️💋👨🏾'
- '👨🏿❤️💋👨🏿'
- '👩🏻❤️💋👨🏻'
- '👩🏻❤️💋👨🏼'
- '👩🏻❤️💋👨🏽'
- '👩🏻❤️💋👨🏾'
- '👩🏻❤️💋👨🏿'
- '👩🏻❤️💋👩🏻'
- '👩🏻❤️💋👩🏼'
- '👩🏻❤️💋👩🏽'
- '👩🏻❤️💋👩🏾'
- '👩🏻❤️💋👩🏿'
- '👩🏼❤️💋👨🏻'
- '👩🏼❤️💋👨🏼'
- '👩🏼❤️💋👨🏽'
- '👩🏼❤️💋👨🏾'
- '👩🏼❤️💋👨🏿'
- '👩🏼❤️💋👩🏻'
- '👩🏼❤️💋👩🏼'
- '👩🏼❤️💋👩🏽'
- '👩🏼❤️💋👩🏾'
- '👩🏼❤️💋👩🏿'
- '👩🏽❤️💋👨🏻'
- '👩🏽❤️💋👨🏼'
- '👩🏽❤️💋👨🏽'
- '👩🏽❤️💋👨🏾'
- '👩🏽❤️💋👨🏿'
- '👩🏽❤️💋👩🏻'
- '👩🏽❤️💋👩🏼'
- '👩🏽❤️💋👩🏽'
- '👩🏽❤️💋👩🏾'
- '👩🏽❤️💋👩🏿'
- '👩🏾❤️💋👨🏻'
- '👩🏾❤️💋👨🏼'
- '👩🏾❤️💋👨🏽'
- '👩🏾❤️💋👨🏾'
- '👩🏾❤️💋👨🏿'
- '👩🏾❤️💋👩🏻'
- '👩🏾❤️💋👩🏼'
- '👩🏾❤️💋👩🏽'
- '👩🏾❤️💋👩🏾'
- '👩🏾❤️💋👩🏿'
- '👩🏿❤️💋👨🏻'
- '👩🏿❤️💋👨🏼'
- '👩🏿❤️💋👨🏽'
- '👩🏿❤️💋👨🏾'
- '👩🏿❤️💋👨🏿'
- '👩🏿❤️💋👩🏻'
- '👩🏿❤️💋👩🏼'
- '👩🏿❤️💋👩🏽'
- '👩🏿❤️💋👩🏾'
- '👩🏿❤️💋👩🏿'
- '🧑🏻❤️💋🧑🏼'
- '🧑🏻❤️💋🧑🏽'
- '🧑🏻❤️💋🧑🏾'
- '🧑🏻❤️💋🧑🏿'
- '🧑🏼❤️💋🧑🏻'
- '🧑🏼❤️💋🧑🏽'
- '🧑🏼❤️💋🧑🏾'
- '🧑🏼❤️💋🧑🏿'
- '🧑🏽❤️💋🧑🏻'
- '🧑🏽❤️💋🧑🏼'
- '🧑🏽❤️💋🧑🏾'
- '🧑🏽❤️💋🧑🏿'
- '🧑🏾❤️💋🧑🏻'
- '🧑🏾❤️💋🧑🏼'
- '🧑🏾❤️💋🧑🏽'
- '🧑🏾❤️💋🧑🏿'
- '🧑🏿❤️💋🧑🏻'
- '🧑🏿❤️💋🧑🏼'
- '🧑🏿❤️💋🧑🏽'
- '🧑🏿❤️💋🧑🏾'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
view Sigma YAML
title: Potential Defense Evasion Via Right-to-Left Override
id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: derived
- id: 584bca0f-3608-4402-80fd-4075ff6072e3
type: derived
status: test
description: |
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
references:
- https://redcanary.com/blog/right-to-left-override/
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
- https://unicode-explorer.com/c/202E
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://unprotect.it/technique/right-to-left-override-rlo-extension-spoofing/
author: Micah Babinski, @micahbabinski, Swachchhanda Shrawan Poudel (Nextron Systems), Luc Génaux
date: 2023-02-15
modified: 2026-03-20
tags:
- attack.stealth
- attack.t1036.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '\u202e' # Unicode RTLO character
- '[U+202E]'
# Real char U+202E copied/pasted below
- ''
condition: selection
falsepositives:
- Commandlines that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Potential Devil Bait Malware Reconnaissance
Detects specific process behavior observed with Devil Bait samples
view Sigma YAML
title: Potential Devil Bait Malware Reconnaissance
id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: derived
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
- https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
date: 2023-05-15
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_redirect:
ParentImage|endswith: '\wscript.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains: '>>%APPDATA%\Microsoft\'
CommandLine|endswith:
- '.xml'
- '.txt'
selection_recon_cmd:
- CommandLine|re: 'ipconfig\s+/all'
- CommandLine|contains:
# Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
# If you find samples using other commands please add them
- 'dir'
- 'systeminfo'
- 'tasklist'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
view Sigma YAML
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\schtasks.exe'
- '\wscript.exe'
- '\mshta.exe'
# Example folders used by the samples include:
# - %AppData%\Microsoft\Network\
# - %AppData%\Microsoft\Office\
TargetFilename|contains: '\AppData\Roaming\Microsoft\'
TargetFilename|endswith:
- '.txt'
- '.xml'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
view Sigma YAML
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\EACore.dll'
filter_main_legit_path:
Image|contains|all:
- 'C:\Program Files\Electronic Arts\EA Desktop\'
- '\EACoreServer.exe'
ImageLoaded|startswith: 'C:\Program Files\Electronic Arts\EA Desktop\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"
view Sigma YAML
title: Potential Edputil.DLL Sideloading
id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
status: test
description: Detects potential DLL sideloading of "edputil.dll"
references:
- https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\edputil.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
view Sigma YAML
title: Potential Emotet Activity
id: d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18
status: stable
description: Detects all Emotet like process executions that are not covered by the more generic rules
references:
- https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/
- https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/
- https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/
- https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
author: Florian Roth (Nextron Systems)
date: 2019-09-30
modified: 2023-02-04
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' -e* PAA'
- 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile
- 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile
- 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile
- 'IgAoACcAKgAnACkAOwAkA' # "('*');$
- 'IAKAAnACoAJwApADsAJA' # "('*');$
- 'iACgAJwAqACcAKQA7ACQA' # "('*');$
- 'JABGAGwAeAByAGgAYwBmAGQ'
- 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA' # =$env:temp+(
- '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA' # =$env:temp+(
- '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA' # =$env:temp+(
filter:
CommandLine|contains:
- 'fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ'
- 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA'
- '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential EmpireMonkey Activity
Detects potential EmpireMonkey APT activity
view Sigma YAML
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects potential EmpireMonkey APT activity
references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
- https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019-04-02
modified: 2023-03-09
tags:
- attack.stealth
- attack.t1218.010
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
- '\Local\Temp\Errors.bat'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential EventLog File Location Tampering
Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
view Sigma YAML
title: Potential EventLog File Location Tampering
id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459
status: test
description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
references:
- https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
author: D3F7A5105
date: 2023-01-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\'
TargetObject|endswith: '\File'
filter:
Details|contains: '\System32\Winevt\Logs\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Exploitation Attempt From Office Application
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
view Sigma YAML
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
author: Christian Burkard (Nextron Systems), @SBousseaden (idea)
date: 2022-06-02
modified: 2023-02-04
tags:
- attack.execution
- cve.2021-40444
- detection.emerging-threats
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\eqnedt32.exe'
- '\visio.exe'
CommandLine|contains:
- '../../../..'
- '..\..\..\..'
- '..//..//..//..'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Exploitation Attempt Of Undocumented WindowsServer RCE
Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
view Sigma YAML
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
- https://github.com/SigmaHQ/sigma/pull/3946
- https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2023-01-21
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
Image|endswith: '\svchost.exe'
ParentCommandLine|contains: '-k DHCPServer'
CommandLine|contains: '-k DHCPServer'
User|contains: # Covers many language settings for Network Service. Please expand.
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVIZIO DI RETE'
- 'SERVICIO DE RED'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
view Sigma YAML
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: test
description: |
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
- https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
author: Arnim Rupp, Nasreddine Bencherchali, Thomas Patzke
date: 2024-04-01
modified: 2024-07-03
tags:
- attack.execution
- cve.2024-3094
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith: '/sshd'
CommandLine|startswith:
- 'bash -c'
- 'sh -c'
User: 'root'
condition: selection
falsepositives:
- Administrative activity directly with root authentication might trigger this rule if it's unnecessarily prefixed with "sh -c" or "bash -c"
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
view Sigma YAML
title: Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
id: 0fdc7c7f-c690-4217-9ae3-31f5156eed72
status: experimental
description: Detects suspicious child processes created by CrushFTP. It could be an indication of exploitation of a RCE vulnerability such as CVE-2025-54309.
references:
- https://reliaquest.com/blog/threat-spotlight-cve-2025-54309-crushftp-exploit/
- https://pwn.guide/free/web/crushftp
- https://firecompass.com/crushftp-vulnerability-cve-2025-54309-securing-file-transfer-services/
author: Nisarg Suthar
date: 2025-08-01
tags:
- attack.privilege-escalation
- attack.initial-access
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1068
- attack.t1190
- cve.2025-54309
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\crushftp.exe'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'IEX'
- 'enc'
- 'Hidden'
- 'bypass'
selection_child_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- '/c powershell'
- 'whoami'
- 'net.exe'
- 'net1.exe'
selection_child_others:
Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate administrative command execution
level: high
Convert to SIEM query
high
Strong
Medium FP
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
view Sigma YAML
title: Potential Exploitation of GoAnywhere MFT Vulnerability
id: 6c76b3d0-afe4-4870-9443-ffe6773c5fef
status: experimental
description: |
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
references:
- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-07
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1059.001
- attack.persistence
- attack.t1133
- detection.emerging-threats
- cve.2025-10035
logsource:
category: process_creation
product: windows
detection:
# Detects the GoAnywhere Tomcat parent process based on path and command line arguments
selection_parent:
ParentImage|contains: '\GoAnywhere\tomcat\'
selection_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
selection_powershell_cmd:
- CommandLine|contains|all:
- 'IEX'
- 'enc'
- 'Hidden'
- 'bypass'
- CommandLine|re:
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
- CommandLine|contains:
- 'whoami'
- 'systeminfo'
- 'dsquery'
- 'localgroup administrators'
- 'nltest'
- 'samaccountname='
- 'adscredentials'
- 'o365accountconfiguration'
- '.DownloadString('
- '.DownloadFile('
- 'FromBase64String('
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'curl'
selection_child_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'powershell'
- 'whoami'
- 'net.exe'
- 'net1.exe'
- 'rundll32'
- 'quser'
- 'nltest'
- 'curl'
selection_child_others:
CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'mshta'
- 'cscript'
- 'wscript'
condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)
falsepositives:
- Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
view Sigma YAML
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053
id: abe06362-a5b9-4371-8724-ebd00cd48a04
related:
- id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
type: similar
- id: 04fc4b22-91a6-495a-879d-0144fec5ec03
type: similar
status: experimental
description: |
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
which involves unauthorized code execution via WebDAV through external control of file names or paths.
The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating
their working directories to point to attacker-controlled WebDAV servers, causing them to execute
malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries
through Process.Start() search order manipulation.
references:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1105
- detection.emerging-threats
- cve.2025-33053
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage:
- 'C:\Program Files\internet explorer\iediagcmd.exe'
- 'C:\Windows\System32\CustomShellHost.exe'
selection_child_current_dir:
- CurrentDirectory|startswith: '\\\\'
- CurrentDirectory|contains: '\DavWWWRoot\'
- Image|contains: '\DavWWWRoot\'
- Image|startswith: '\\\\'
selection_child_img:
Image|endswith:
- '\route.exe'
- '\netsh.exe'
- '\makecab.exe'
- '\dxdiag.exe'
- '\ipconfig.exe'
- '\explorer.exe'
filter_main_system:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
view Sigma YAML
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
- id: abe06362-a5b9-4371-8724-ebd00cd48a04
type: similar
- id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
type: similar
status: experimental
description: |
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
- https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- attack.lateral-movement
- attack.t1105
- detection.emerging-threats
- cve.2025-33053
logsource:
category: image_load
product: windows
detection:
selection_img_path:
Image|startswith: '\\\\'
Image|contains: '\DavWWWRoot\'
selection_img_bin:
Image|endswith:
- '\route.exe'
- '\netsh.exe'
- '\makecab.exe'
- '\dxdiag.exe'
- '\ipconfig.exe'
- '\explorer.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
view Sigma YAML
title: Potential File Extension Spoofing Using Right-to-Left Override
id: 979baf41-ca44-4540-9d0c-4fcef3b5a3a4
related:
- id: ad691d92-15f2-4181-9aa4-723c74f9ddc3
type: derived
status: test
description: |
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
references:
- https://redcanary.com/blog/right-to-left-override/
- https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
- https://tria.ge/241015-l98snsyeje/behavioral2
- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
author: Jonathan Peters (Nextron Systems), Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2024-11-17
modified: 2026-03-20
tags:
- attack.execution
- attack.stealth
- attack.t1036.002
logsource:
category: file_event
product: windows
detection:
selection_rtlo_unicode:
TargetFilename|contains:
- '\u202e' # Unicode RTLO character
- '[U+202E]'
# Real char U+202E copied/pasted below
- ''
selection_extensions:
TargetFilename|contains:
- '3pm.' # Reversed `.mp3`
- '4pm.' # Reversed `.mp4`
- 'cod.' # Reversed `.doc`
- 'fdp.' # Reversed `.pdf`
- 'ftr.' # Reversed `.rtf`
- 'gepj.' # Reversed `.jpeg`
- 'gnp.' # Reversed `.png`
- 'gpj.' # Reversed `.jpg`
- 'ism.' # Reversed `.msi`
- 'lmth.' # Reversed `.html`
- 'nls.' # Reversed `.sln`
- 'piz.' # Reversed `.zip`
- 'slx.' # Reversed `.xls`
- 'tdo.' # Reversed `.odt`
- 'vsc.' # Reversed `.csv`
- 'vwm.' # Reversed `.wmv`
- 'xcod.' # Reversed `.docx`
- 'xslx.' # Reversed `.xlsx`
- 'xtpp.' # Reversed `.pptx`
condition: all of selection_*
falsepositives:
- Filenames that contains scriptures such as arabic or hebrew might make use of this character
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_right_to_left_override_extension_spoofing/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Potential GobRAT File Discovery Via Grep
Detects the use of grep to discover specific files created by the GobRAT malware
view Sigma YAML
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Goofy Guineapig Backdoor Activity
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
view Sigma YAML
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems)
date: 2023-05-14
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'choice /t %d /d y /n >nul'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Goofy Guineapig GoolgeUpdate Process Anomaly
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
view Sigma YAML
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- detection.emerging-threats
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\GoogleUpdate.exe'
Image|endswith: '\GoogleUpdate.exe'
filter_main_legit_paths:
- Image|startswith:
- 'C:\Program Files\Google\'
- 'C:\Program Files (x86)\Google\'
- Image|contains: '\AppData\Local\Google\Update\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Iviewers.DLL Sideloading
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
view Sigma YAML
title: Potential Iviewers.DLL Sideloading
id: 4c21b805-4dd7-469f-b47d-7383a8fcb437
status: test
description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
references:
- https://www.secureworks.com/research/shadowpad-malware-analysis
author: X__Junior (Nextron Systems)
date: 2023-03-21
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\iviewers.dll'
filter:
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Windows Kits\'
- 'C:\Program Files\Windows Kits\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
view Sigma YAML
title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
status: test
description: |
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
references:
- https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2024-03-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell'
Details|contains|all:
- '-nop -w h'
- '$env'
- 'explorer.exe'
- 'Start-Process'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Potential Kapeka Decrypted Backdoor Indicator
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
view Sigma YAML
title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: test
description: |
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
- detection.emerging-threats
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection_generic:
TargetFilename|contains:
- ':\ProgramData\'
- '\AppData\Local\'
TargetFilename|re: '\\[a-zA-Z]{5,6}\.wll'
selection_specific:
TargetFilename|endswith:
- '\win32log.exe'
- '\crdss.exe'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Potential Ke3chang/TidePool Malware Activity
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
view Sigma YAML
title: Potential Ke3chang/TidePool Malware Activity
id: 7b544661-69fc-419f-9a59-82ccc328f205
status: test
description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
references:
- https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
author: Markus Neis, Swisscom
date: 2020-06-18
modified: 2023-03-10
tags:
- attack.defense-impairment
- attack.g0004
- attack.t1685
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# Ke3chang and TidePool both modify the IEHarden registry key, as well as the following list of keys.
# Setting these registry keys is unique to the Ke3chang and TidePool malware families.
# HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
# HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEharden
CommandLine|contains:
- '-Property DWORD -name DisableFirstRunCustomize -value 2 -Force'
- '-Property String -name Check_Associations -value'
- '-Property DWORD -name IEHarden -value 0 -Force'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 401-450 of 1,524