Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by technique (pick techniques from the ATT&CK matrix): Reconnaissance 12 · Resource Development 10 · Initial Access 10 · Execution 30 · Persistence 43 · Privilege Escalation 20 · Stealth 83 · Defense Impairment 32 · Credential Access 35 · Discovery 33 · Lateral Movement 16 · Collection 20 · Command and Control 24 · Exfiltration 10 · Impact 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules (50 of 1,715 shown)
Security Eventlog Cleared
Level: high · Quality: Strong · Alert volume: Low FP

title: Security Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
  - id: f2f01843-e7b8-4f95-a35a-d23584476423
    type: obsolete
  - id: a122ac13-daf8-4175-83a2-72c387be339d
    type: obsolete
status: test
description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
references:
  - https://twitter.com/deviouspolack/status/832535435960209408
  - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
  - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2022-02-24
tags:
  - attack.defense-impairment
  - attack.t1685.005
  - car.2016-04-002
logsource:
  product: windows
  service: security
detection:
  selection_517:
    EventID: 517
    Provider_Name: Security
  selection_1102:
    EventID: 1102
    Provider_Name: Microsoft-Windows-Eventlog
  condition: 1 of selection_*
falsepositives:
  - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
  - System provisioning (system reset before the golden image creation)
level: high

Security Privileges Enumeration Via Whoami.EXE
Level: high · Quality: Moderate · Alert volume: High FP

title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
  - attack.privilege-escalation
  - attack.discovery
  - attack.t1033
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\whoami.exe'
    - OriginalFileName: 'whoami.exe'
  selection_cli:
    CommandLine|contains:
      - ' /priv'
      - ' -priv'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high

Security Service Disabled Via Reg.EXE
Level: high · Quality: Strong · Alert volume: Medium FP

title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
  - https://twitter.com/JohnLaTwC/status/1415295021041979392
  - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
  - https://vms.drweb.fr/virus/?i=24144899
  - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
  - attack.defense-impairment
  - attack.t1685
logsource:
  category: process_creation
  product: windows
detection:
  selection_reg_add:
    CommandLine|contains|all:
      - 'reg'
      - 'add'
  selection_cli_reg_start:
    CommandLine|contains|all:
      - 'd 4'
      - 'v Start'
    CommandLine|contains:
      - '\AppIDSvc'
      - '\MsMpSvc'
      - '\NisSrv'
      - '\SecurityHealthService'
      - '\Sense'
      - '\UsoSvc'
      - '\WdBoot'
      - '\WdFilter'
      - '\WdNisDrv'
      - '\WdNisSvc'
      - '\WinDefend'
      - '\wscsvc'
      - '\wuauserv'
  condition: all of selection_*
falsepositives:
  - Unlikely
level: high

Security Support Provider (SSP) Added to LSA Configuration
Level: high · Quality: Moderate · Alert volume: Medium FP

title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
  Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
  - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
  - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
  - attack.privilege-escalation
  - attack.persistence
  - attack.t1547.005
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    TargetObject|endswith:
      - '\Control\Lsa\Security Packages'
      - '\Control\Lsa\OSConfig\Security Packages'
  filter_main_msiexec:
    Image:
      - 'C:\Windows\system32\msiexec.exe'
      - 'C:\Windows\syswow64\MsiExec.exe'
  filter_main_image_null:
    Image: null
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Unknown
level: high

Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Level: high · Quality: Strong · Alert volume: Medium FP

title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
status: test
description: |
  Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
  This behavior has been observed in-the-wild by different threat actors.
references:
  - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
  - https://en.wikipedia.org/wiki/IExpress
  - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
  - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-05
modified: 2024-06-04
tags:
  - attack.stealth
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
  selection_img:
    - Image|endswith: '\iexpress.exe'
    - OriginalFileName: 'IEXPRESS.exe'
  selection_cli:
    CommandLine|contains|windash: ' /n '
  selection_paths:
    CommandLine|contains:
      # Note: Add more uncommon paths that fit your organizational needs.
      - ':\ProgramData\'
      - ':\Temp\'
      - ':\Windows\System32\Tasks\'
      - ':\Windows\Tasks\'
      - ':\Windows\Temp\'
      - '\AppData\Local\Temp\'
  condition: all of selection_*
falsepositives:
  - Administrators building packages using iexpress.exe
level: high

Sensitive File Access Via Volume Shadow Copy Backup
Level: high · Quality: Moderate · Alert volume: High FP

title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
  Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
  - https://twitter.com/vxunderground/status/1423336151860002816?s=20
  - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
  - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_1:
    # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
    # There is an additional "\" to escape the special "?"
    CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
  selection_2:
    CommandLine|contains:
      - '\\NTDS.dit'
      - '\\SYSTEM'
      - '\\SECURITY'
  condition: all of selection_*
falsepositives:
  - Unlikely
level: high

Sensitive File Dump Via Print.EXE
Level: high · Quality: Strong · Alert volume: High FP

title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
  Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
  - https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
  - https://lolbas-project.github.io/lolbas/Binaries/Print/
author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
  - attack.credential-access
  - attack.stealth
  - attack.t1003.003
  - attack.t1003.002
  - attack.t1218
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\print.exe'
    - OriginalFileName: 'Print.EXE'
  selection_cli:
    CommandLine|contains|windash: '/D'
    CommandLine|contains:
      - '\config\SAM'
      - '\config\SECURITY'
      - '\config\SYSTEM'
      - '\windows\ntds\ntds.dit'
  condition: all of selection_*
falsepositives:
  - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files/info.yml

Sensitive File Dump Via Wbadmin.EXE
Level: high · Quality: Strong · Alert volume: Medium FP

title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: test
description: |
  Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
  Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
  - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
  - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
  - attack.credential-access
  - attack.t1003.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\wbadmin.exe'
    - OriginalFileName: 'WBADMIN.EXE'
  selection_backup:
    CommandLine|contains:
      - 'start'
      - 'backup'
  selection_path:
    CommandLine|contains:
      - '\config\SAM'
      - '\config\SECURITY'
      - '\config\SYSTEM'
      - '\Windows\NTDS\NTDS.dit'
  condition: all of selection_*
falsepositives:
  - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
level: high

Sensitive File Recovery From Backup Via Wbadmin.EXE
Level: high · Quality: Moderate · Alert volume: High FP

title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
  - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
    type: derived
status: test
description: |
  Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
  Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
  - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
  - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
  - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
  - attack.credential-access
  - attack.t1003.003
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\wbadmin.exe'
    - OriginalFileName: 'WBADMIN.EXE'
  selection_backup:
    CommandLine|contains|all:
      - ' recovery'
      - 'recoveryTarget'
      - 'itemtype:File'
    CommandLine|contains:
      - '\config\SAM'
      - '\config\SECURITY'
      - '\config\SYSTEM'
      - '\Windows\NTDS\NTDS.dit'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high

Serpent Backdoor Payload Execution Via Scheduled Task
Level: high · Quality: Moderate · Alert volume: High FP

title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
  Detects post exploitation execution technique of the Serpent backdoor.
  According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method.
  It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
references:
  - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
  - attack.privilege-escalation
  - attack.execution
  - attack.persistence
  - attack.t1053.005
  - attack.t1059.006
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    CommandLine|contains|all:
      - '[System/EventID='
      - '/create'
      - '/delete'
      - '/ec'
      - '/so'
      - '/tn run'
  condition: selection
falsepositives:
  - Unlikely
level: high

Server Side Template Injection Strings
Level: high · Quality: Strong · Alert volume: Low FP

title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
  - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
  - https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
  - attack.stealth
  - attack.t1221
logsource:
  category: webserver
detection:
  select_method:
    cs-method: 'GET'
  keywords:
    - '={{'
    - '=%7B%7B'
    - '=${'
    - '=$%7B'
    - '=<%='
    - '=%3C%25='
    - '=@('
    - 'freemarker.template.utility.Execute'
    - ".getClass().forName('javax.script.ScriptEngineManager')"
    - 'T(org.apache.commons.io.IOUtils)'
  filter:
    sc-status: 404
  condition: select_method and keywords and not filter
falsepositives:
  - User searches in search boxes of the respective website
  - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high

Service Binary in Suspicious Folder
Level: high · Quality: Strong · Alert volume: Medium FP

title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
  - id: c0abc838-36b0-47c9-b3b3-a90c39455382
    type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
  - attack.persistence
  - attack.defense-impairment
  - attack.t1112
logsource:
  category: registry_set
  product: windows
detection:
  selection_service_start:
    TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
    TargetObject|endswith: '\Start'
    Image|contains:
      - '\Users\Public\'
      - '\Perflogs\'
      - '\ADMIN$\'
      - '\Temp\'
    Details:
      - 'DWORD (0x00000000)' # boot
      - 'DWORD (0x00000001)' # System
      - 'DWORD (0x00000002)' # Automatic
      # 3 - Manual , 4 - Disabled
  selection_service_imagepath:
    TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
    TargetObject|endswith: '\ImagePath'
    Details|contains:
      - '\Users\Public\'
      - '\Perflogs\'
      - '\ADMIN$\'
      - '\Temp\'
  filter_optional_avast:
    Image|contains|all: # Filter FP with Avast software
      - '\Common Files\'
      - '\Temp\'
  filter_optional_mbamservice:
    TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
    Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
    Image: 'C:\Windows\system32\services.exe'
  condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
  - Unknown
level: high

Service DACL Abuse To Hide Services Via Sc.EXE
Level: high · Quality: Moderate · Alert volume: High FP

title: Service DACL Abuse To Hide Services Via Sc.EXE
id: a537cfc3-4297-4789-92b5-345bfd845ad0
related:
  - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
    type: similar
  - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
    type: similar
status: test
description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
references:
  - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
  - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
  - https://twitter.com/Alh4zr3d/status/1580925761996828672
  - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-20
modified: 2022-08-08
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.execution
  - attack.stealth
  - attack.t1574.011
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\sc.exe'
    - OriginalFileName: 'sc.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'sdset'
      # Summary of permissions
      # DC: Delete All Child Objects
      # LC: List Contents
      # WP: Write All Properties
      # DT: Delete Subtree
      # SD: Delete
      - 'DCLCWPDTSD'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high

Service Installation with Suspicious Folder Pattern
Level: high · Quality: Moderate · Alert volume: Medium FP

title: Service Installation with Suspicious Folder Pattern
id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2
status: test
description: Detects service installation with suspicious folder patterns
references:
  - Internal Research
author: pH-T (Nextron Systems)
date: 2022-03-18
modified: 2022-03-24
tags:
  - attack.persistence
  - attack.privilege-escalation
  - car.2013-09-005
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection_eid:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
  selection_img_paths:
    - ImagePath|re: '^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe'
    - ImagePath|re: '^[Cc]:\\.{1,9}\.exe'
  condition: all of selection_*
falsepositives:
  - Unknown
level: high

Service Installed By Unusual Client - Security
Level: high · Quality: Moderate · Alert volume: Medium FP

title: Service Installed By Unusual Client - Security
id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
  - id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
    type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
  - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
  - https://www.x86matthew.com/view_post?id=create_svc_rpc
  - https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1543
logsource:
  service: security
  product: windows
  definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
  selection_eid:
    EventID: 4697
  selection_pid:
    - ClientProcessId: 0
    - ParentProcessId: 0
  condition: all of selection_*
falsepositives:
  - Unknown
level: high

Service Installed By Unusual Client - System
Level: high · Quality: Moderate · Alert volume: Low FP

title: Service Installed By Unusual Client - System
id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
  - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
    type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
  - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1543
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ProcessId: 0
  condition: selection
falsepositives:
  - Unknown
level: high

Service Registry Key Deleted Via Reg.EXE
Level: high · Quality: Moderate · Alert volume: Medium FP

title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
references:
  - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
  - attack.defense-impairment
  - attack.t1685
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: 'reg.exe'
    - OriginalFileName: 'reg.exe'
  selection_delete:
    CommandLine|contains: ' delete '
  selection_key:
    # Add specific services if you would like the rule to be more specific
    CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
  condition: all of selection_*
falsepositives:
  - Unlikely
level: high

Set Suspicious Files as System Files Using Attrib.EXE
Level: high · Quality: Strong · Alert volume: Medium FP

title: Set Suspicious Files as System Files Using Attrib.EXE
id: efec536f-72e8-4656-8960-5e85d091345b
related:
  - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
    type: derived
status: test
description: |
  Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
references:
  - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
  - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
  - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-14
tags:
  - attack.stealth
  - attack.t1564.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\attrib.exe'
    - OriginalFileName: 'ATTRIB.EXE'
  selection_cli:
    CommandLine|contains: ' +s'
  selection_paths:
    CommandLine|contains:
      - ' %' # Custom Environment variable
      - '\Users\Public\'
      - '\AppData\Local\'
      - '\ProgramData\'
      - '\Downloads\'
      - '\Windows\Temp\'
  selection_ext:
    CommandLine|contains:
      - '.bat'
      - '.dll'
      - '.exe'
      - '.hta'
      - '.ps1'
      - '.vbe'
      - '.vbs'
  filter_optional_installer:
    CommandLine|contains|all:
      - '\Windows\TEMP\'
      - '.exe'
  condition: all of selection* and not 1 of filter_optional_*
falsepositives:
  - Unknown
level: high

Shadow Copies Deletion Using Operating Systems Utilities
Level: high · Quality: Strong · Alert volume: Medium FP

title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Shadow Copies deletion using operating systems utilities
references:
  - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
  - https://blog.talosintelligence.com/2017/05/wannacry.html
  - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
  - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
  - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
  - https://github.com/Neo23x0/Raccine#the-process
  - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
  - https://redcanary.com/blog/intelligence-insights-october-2021/
  - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
  - attack.impact
  - attack.stealth
  - attack.t1070
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection1_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\wmic.exe'
        - '\vssadmin.exe'
        - '\diskshadow.exe'
    - OriginalFileName:
        - 'PowerShell.EXE'
        - 'pwsh.dll'
        - 'wmic.exe'
        - 'VSSADMIN.EXE'
        - 'diskshadow.exe'
  selection1_cli:
    CommandLine|contains|all:
      - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
      - 'delete'
  selection2_img:
    - Image|endswith: '\wbadmin.exe'
    - OriginalFileName: 'WBADMIN.EXE'
  selection2_cli:
    CommandLine|contains|all:
      - 'delete'
      - 'catalog'
      - 'quiet' # will match -quiet or /quiet
  selection3_img:
    - Image|endswith: '\vssadmin.exe'
    - OriginalFileName: 'VSSADMIN.EXE'
  selection3_cli:
    CommandLine|contains|all:
      - 'resize'
      - 'shadowstorage'
    CommandLine|contains:
      - 'unbounded'
      - '/MaxSize='
  condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
  - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
  - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high

Shai-Hulud 2.0 Malicious NPM Package Installation
Level: high · Quality: Moderate · Alert volume: Medium FP

title: Shai-Hulud 2.0 Malicious NPM Package Installation
id: bae7c70b-8569-44e9-accf-b30073da8a5d
related:
  - id: 514f533b-f56e-421d-80b0-f7706a3e9d23
    type: similar
status: experimental
description: |
  Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
  - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
  - https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
  - attack.initial-access
  - attack.execution
  - attack.t1195.002
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\node.exe'
    CommandLine|contains:
      - 'install'
      - ' i '
  # List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
  selection_packages:
    CommandLine|contains:
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_npm_package_installation/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
view Sigma YAML
title: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
id: 514f533b-f56e-421d-80b0-f7706a3e9d23
related:
- id: bae7c70b-8569-44e9-accf-b30073da8a5d
type: similar
status: experimental
description: |
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
- attack.initial-access
- attack.execution
- attack.t1195.002
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/node'
CommandLine|contains:
- 'install'
- ' i '
# List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
selection_packages:
CommandLine|contains:
- '[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@afetcan/[email protected]'
- '@afetcan/[email protected]'
- '@alaan/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@aryanhussain/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
view Sigma YAML
title: Shai-Hulud Malicious Bun Execution
id: 5299fadf-f228-4526-8274-251db1960be9
related:
- id: eb827bbd-670a-4d58-8446-c464d8ac2323
type: similar
status: experimental
description: |
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
- https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
- https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
- attack.t1195.002
- attack.t1203
- attack.execution
- attack.initial-access
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\node.exe'
selection_child_bun_script:
Image|endswith: '\bun.exe'
CommandLine|contains:
- 'bun_environment.js'
- 'https://github.com/actions/runner/releases/download/v2.330.0'
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_node_bun_execution/info.yml
Convert to SIEM query
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
title: Shai-Hulud Malicious Bun Execution - Linux
id: eb827bbd-670a-4d58-8446-c464d8ac2323
related:
    - id: 5299fadf-f228-4526-8274-251db1960be9
      type: similar
status: experimental
description: |
    Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
    The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.t1195.002
    - attack.t1203
    - attack.execution
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
    selection_child_bun:
        Image|endswith: '/bun'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    selection_child_setup_curl:
        CommandLine|contains|all:
            - 'curl '
            - '-fsSL'
            - 'https://bun.sh/install'
            - 'bash'
    selection_child_path_reload:
        CommandLine|contains|all:
            - 'bash -c "source '
            - '&& echo'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
high
Moderate
High FP
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of the shai-hulud-workflow.yml file associated with the Shai-Hulud NPM supply chain worm, which exfiltrates GitHub secrets
title: Shai-Hulud Malicious GitHub Workflow Creation
id: 0aba5685-6db6-486f-88ef-29a99c545cfd
status: experimental
description: Detects creation of the shai-hulud-workflow.yml file associated with the Shai-Hulud NPM supply chain worm, which exfiltrates GitHub secrets
references:
    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.credential-access
    - attack.t1552.001
    - attack.collection
    - attack.t1119
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.github/workflows/shai-hulud-workflow.yaml'
            - '.github/workflows/shai-hulud-workflow.yml'
            - '.github/workflows/shai-hulud.yaml'
            - '.github/workflows/shai-hulud.yml'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
title: Shai-Hulud Malware Indicators - Linux
id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
related:
    - id: 540703fb-a874-4385-a9d6-7cd1bfab268c
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
high
Moderate
High FP
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
title: Shai-Hulud Malware Indicators - Windows
id: 540703fb-a874-4385-a9d6-7cd1bfab268c
related:
    - id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_indicator/info.yml
high
Moderate
High FP
Shai-Hulud NPM Package Malicious Exfiltration via Curl
Detects a potential Shai-Hulud NPM package attack attempting to exfiltrate data via curl to an external webhook site.
title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects a potential Shai-Hulud NPM package attack attempting to exfiltrate data via curl to an external webhook site.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.collection
    - attack.t1005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains|all:
            - 'curl'
            - '-d'
            - 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Low FP
SharpHound Recon Account Discovery
Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.t1087
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
        OpNum: 2
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Low FP
SharpHound Recon Sessions
Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
title: SharpHound Recon Sessions
id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
status: test
description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188 opnum:12'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
        OpNum: 12
    condition: selection
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/gcc/#shell
    - https://gtfobins.github.io/gtfobins/c89/#shell
    - https://gtfobins.github.io/gtfobins/c99/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/c89'
            - '/c99'
            - '/gcc'
        CommandLine|contains: '-wrapper'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash,-s'
            - '/bin/dash,-s'
            - '/bin/fish,-s'
            - '/bin/sh,-s'
            - '/bin/zsh,-s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
title: Shell Execution Of Process Located In Tmp Directory
id: 2fade0b6-7423-4835-9d4f-335b39b83867
status: test
description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|startswith: '/tmp/'
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt.
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt.
references:
    - https://gtfobins.github.io/gtfobins/find/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/find'
        CommandLine|contains|all:
            - ' . '
            - '-exec'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/flock/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/flock'
        CommandLine|contains: ' -u '
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: test
description: |
    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/git'
        ParentCommandLine|contains|all:
            - ' -p '
            - 'help'
        CommandLine|contains:
            - 'bash 0<&1'
            - 'dash 0<&1'
            - 'sh 0<&1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/nice/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/nice'
        CommandLine|endswith:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high
high
Moderate
Medium FP
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: test
description: |
    Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-08-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/ssh'
        CommandLine|contains:
            - 'ProxyCommand=;'
            - 'permitlocalcommand=yes'
            - 'localhost'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
            - 'sh 0<&2 1>&2'
            - 'sh 1>&2 0<&2'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
    - https://gtfobins.github.io/gtfobins/env/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
modified: 2026-01-08
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/env'
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Github operations such as ghe-backup
level: high
high
Strong
Medium FP
Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
related:
    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
      type: similar
status: test
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
    - https://github.com/hfiref0x/UACME
    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-01-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
title: Shell32 DLL Execution in Suspicious Directory
id: 32b96012-7892-429e-b26c-ac2bf46066ff
status: test
description: Detects shell32.dll executing a DLL in a suspicious directory
references:
    - https://www.group-ib.com/resources/threat-research/red-curl-2.html
author: Christian Burkard (Nextron Systems)
date: 2021-11-24
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'shell32.dll'
            - 'Control_RunDLL'
        CommandLine|contains:
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
            - '\AppData\'
            - '\Temp\'
            - '\Users\Public\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Shellshock Expression
Detects shellshock expressions in log files
title: Shellshock Expression
id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
status: test
description: Detects shellshock expressions in log files
references:
    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
author: Florian Roth (Nextron Systems)
date: 2017-03-14
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: linux
detection:
    keywords:
        - '(){:;};'
        - '() {:;};'
        - '() { :;};'
        - '() { :; };'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Sign-In From Malware Infected IP
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
title: Sign-In From Malware Infected IP
id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
status: test
description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
references:
    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
    - attack.t1090
    - attack.command-and-control
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        riskEventType: 'malwareInfectedIPAddress'
    condition: selection
falsepositives:
    - Using an IP address that is shared by many users
level: high
high
Strong
Low FP
Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
title: Sign-in Failure Due to Conditional Access Requirements Not Met
id: b4a6d707-9430-4f5f-af68-0337f52d5c42
status: test
description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
references:
    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
author: Yochana Henderson, '@Yochana-H'
date: 2022-06-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.credential-access
    - attack.stealth
    - attack.t1110
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 53003
        Resultdescription: Blocked by Conditional Access
    condition: selection
falsepositives:
    - Service Account misconfigured
    - Misconfigured Systems
    - Vulnerability Scanners
level: high
high
Moderate
Medium FP
Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
title: Sign-ins from Non-Compliant Devices
id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
status: test
description: Monitor and alert for sign-ins where the device was non-compliant.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Michael Epping, '@mepples21'
date: 2022-06-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.004
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        DeviceDetail.isCompliant: 'false'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Silenttrinity Stager Msbuild Activity
Detects possible remote connections to a Silenttrinity C2 server
title: Silenttrinity Stager Msbuild Activity
id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
status: test
description: Detects possible remote connections to a Silenttrinity C2 server
references:
    - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
author: Kiran kumar s, oscd.community
date: 2020-10-11
modified: 2022-10-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\msbuild.exe'
    filter:
        DestinationPort:
            - 80
            - 443
        Initiated: 'true'
    condition: selection and filter
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Sitecore Pre-Auth RCE CVE-2021-42237
Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
title: Sitecore Pre-Auth RCE CVE-2021-42237
id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
status: test
description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
references:
    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
author: Florian Roth (Nextron Systems)
date: 2021-11-17
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-42237
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
        sc-status: 200
    condition: selection
falsepositives:
    - Vulnerability Scanning
level: high
high
Moderate
Low FP
Sliver C2 Default Service Installation
Detects known malicious service installations that appear when a Sliver implant executes the PsExec command
title: Sliver C2 Default Service Installation
id: 31c51af6-e7aa-4da7-84d4-8f32cc580af2
status: test
description: Detects known malicious service installations that appear when a Sliver implant executes the PsExec command
references:
    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service_1:
        ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
    selection_service_2:
        ServiceName:
            - 'Sliver'
            - 'Sliver implant'
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Small Sieve Malware CommandLine Indicator
Detects a specific command line argument being passed to a binary, as seen used by the Small Sieve malware.
title: Small Sieve Malware CommandLine Indicator
id: 21117127-21c8-437a-ae03-4b51e5a8a088
status: test
description: Detects a specific command line argument being passed to a binary, as seen used by the Small Sieve malware.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|endswith: '.exe Platypus'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
Medium FP
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-05-19
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_typo_path:
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
        TargetFilename|contains:
            - '\Roaming\'
            - '\Local\'
    selection_typo_keyword:
        TargetFilename|contains: 'Microsift'
    selection_ioc:
        TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
    condition: all of selection_typo_* or selection_ioc
falsepositives:
    - Unlikely
level: high