Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Detection rules
medium
Potential Dosfuscation Activity
Detects possible payload obfuscation via the commandline
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
    - https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            - '^|^'
            - ',;,'
            - ';;;;'
            - ';; ;;'
            - '(,(,'
            - '%COMSPEC:~'
            - ' c^m^d'
            - '^c^m^d'
            - ' c^md'
            - ' cm^d'
            - '^cm^d'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
            # - '%%'
            # - '&&'
            # - '""'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from WebDAV server
title: Potential Download/Upload Activity Using Type Command
id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
status: test
description: Detects usage of the "type" command to download/upload data from WebDAV server
references:
    - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-14
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
    selection_upload:
        CommandLine|contains|all:
            - 'type '
            - ' > \\\\'
    selection_download:
        CommandLine|contains|all:
            - 'type \\\\'
            - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Dropper Script Execution Via WScript/CScript/MSHTA
Detects wscript/cscript/mshta executions of scripts located in user directories
title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
      type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://redcanary.com/blog/gootloader/
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: all of selection_*
falsepositives:
    - Some installers might generate a similar behavior. An initial baseline is required
level: medium
medium
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
title: Potential Encrypted Registry Blob Related To SNAKE Malware
id: 7e163e96-b9a5-45d6-b2cd-d7d87b13c60b
status: test
description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Classes\.wav\OpenWithProgIds\'
    filter_main_wav:
        - TargetObject|endswith: '.AssocFile.WAV'
        - TargetObject|contains: '.wav.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some additional tuning might be required to tune out legitimate processes that write to this key by default
level: medium
medium
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
    Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
    Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
    These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
    CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
    CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5054
    - https://nvd.nist.gov/vuln/detail/CVE-2025-4598
    - https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
author: Milad Cheraghi
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
    - attack.t1003
    - cve.2025-5054
    - cve.2025-4598
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection_suid_dumpable_sysctl:
        Image|endswith:
            - '/sbin/sysctl'
            - '/bin/sysctl'
        CommandLine|contains: 'fs.suid_dumpable='
    selection_echo_proc_write:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
        CommandLine|contains:
            - 'echo 1 > /proc/sys/fs/suid_dumpable'
            - 'echo 2 > /proc/sys/fs/suid_dumpable'
            - 'echo 1 >/proc/sys/fs/suid_dumpable'
            - 'echo 2 >/proc/sys/fs/suid_dumpable'
            - 'echo 1> /proc/sys/fs/suid_dumpable'
            - 'echo 2> /proc/sys/fs/suid_dumpable'
            - 'echo 1>/proc/sys/fs/suid_dumpable'
            - 'echo 2>/proc/sys/fs/suid_dumpable'
    condition: 1 of selection_*
falsepositives:
    - System administrators enabling debugging temporarily
    - Legitimate crash diagnostic operations
level: medium
medium
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
title: Potential Fake Instance Of Hxtsr.EXE Executed
id: 4e762605-34a8-406d-b72e-c1a089313320
status: test
description: |
    HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.
    HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
    Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
references:
    - Internal Research
author: Sreeman
date: 2020-04-17
modified: 2024-02-08
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Link this to the more generic system process rule
    selection:
        Image|endswith: '\hxtsr.exe'
    filter_main_hxtsr:
        Image|contains: ':\program files\windowsapps\microsoft.windowscommunicationsapps_'
        Image|endswith: '\hxtsr.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
title: Potential File Download Via MS-AppInstaller Protocol Handler
id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
related:
    - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
      type: derived
status: test
description: |
    Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
    The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
references:
    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ms-appinstaller://?source='
            - 'http'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Goopdate.DLL Sideloading
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
title: Potential Goopdate.DLL Sideloading
id: b6188d2f-b3c4-4d2c-a17d-9706e0851af0
status: test
description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\goopdate.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            # Many third party chromium based apps use this DLLs. It's better to create a baseline and add specific filters
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    filter_optional_dropbox_installer_temp:
        Image|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\Dropbox'
        ImageLoaded|contains|all:
            - '\AppData\Local\Temp\GUM'
            - '.tmp\goopdate.dll'
    filter_optional_googleupdate_temp:
        Image|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
        Image|endswith: '.tmp\GoogleUpdate.exe'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\GUM'
            - ':\Windows\SystemTemp\GUM'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly.
    - Other third party chromium browsers located in AppData
level: medium
medium
Potential Hello-World Scraper Botnet Activity
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
title: Potential Hello-World Scraper Botnet Activity
id: 1712bafe-be05-4a0e-89d4-17a3ed151bf5
status: experimental
description: |
    Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
references:
    - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
    - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30
author: Joseph A. M.
date: 2025-08-02
tags:
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: proxy
detection:
    selection:
        c-useragent: 'Hello-World/1.0'
        cs-method: 'GET'
    condition: selection
falsepositives:
    - Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.
    - Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
    - id: 0900463c-b33b-49a8-be1d-552a3b553dae
      type: similar
status: test
description: |
    Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
        TargetFilename|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
    - id: a8f866e1-bdd4-425e-a27a-37619238d9c7
      type: similar
status: test
description: |
    Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
    - https://twitter.com/pfiatde/status/1681977680688738305
    - https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
    - https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
    - https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
    - attack.stealth
    - attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        # Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
        CommandLine|contains: '::$index_allocation'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Potential Homoglyph Attack Using Lookalike Characters
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
title: Potential Homoglyph Attack Using Lookalike Characters
id: 32e280f1-8ad4-46ef-9e80-910657611fbc
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-07
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_upper:
        CommandLine|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        CommandLine|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
medium
Potential Homoglyph Attack Using Lookalike Characters in Filename
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
title: Potential Homoglyph Attack Using Lookalike Characters in Filename
id: 4f1707b1-b50b-45b4-b5a2-3978b5a5d0d6
status: test
description: |
    Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
    This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that
    are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
references:
    - https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish
    - http://www.irongeek.com/homoglyph-attack-generator.php
author: Micah Babinski, @micahbabinski
date: 2023-05-08
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1036.003
logsource:
    category: file_event
    product: windows
detection:
    selection_upper:
        TargetFilename|contains:
            - "\u0410" # А/A
            - "\u0412" # В/B
            - "\u0415" # Е/E
            - "\u041a" # К/K
            - "\u041c" # М/M
            - "\u041d" # Н/H
            - "\u041e" # О/O
            - "\u0420" # Р/P
            - "\u0421" # С/C
            - "\u0422" # Т/T
            - "\u0425" # Х/X
            - "\u0405" # Ѕ/S
            - "\u0406" # І/I
            - "\u0408" # Ј/J
            - "\u04ae" # Ү/Y
            - "\u04c0" # Ӏ/I
            - "\u050C" # Ԍ/G
            - "\u051a" # Ԛ/Q
            - "\u051c" # Ԝ/W
            - "\u0391" # Α/A
            - "\u0392" # Β/B
            - "\u0395" # Ε/E
            - "\u0396" # Ζ/Z
            - "\u0397" # Η/H
            - "\u0399" # Ι/I
            - "\u039a" # Κ/K
            - "\u039c" # Μ/M
            - "\u039d" # Ν/N
            - "\u039f" # Ο/O
            - "\u03a1" # Ρ/P
            - "\u03a4" # Τ/T
            - "\u03a5" # Υ/Y
            - "\u03a7" # Χ/X
    selection_lower:
        TargetFilename|contains:
            - "\u0430" # а/a
            - "\u0435" # е/e
            - "\u043e" # о/o
            - "\u0440" # р/p
            - "\u0441" # с/c
            - "\u0445" # х/x
            - "\u0455" # ѕ/s
            - "\u0456" # і/i
            - "\u04cf" # ӏ/l
            - "\u0458" # ј/j
            - "\u04bb" # һ/h
            - "\u0501" # ԁ/d
            - "\u051b" # ԛ/q
            - "\u051d" # ԝ/w
            - "\u03bf" # ο/o
    condition: 1 of selection_*
falsepositives:
    - File names with legitimate Cyrillic text. Will likely require tuning (or not be usable) in countries where these alphabets are in use.
level: medium
medium
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.007
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'osacompile'
            - 'curl'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential In-Memory Execution Using Reflection.Assembly
Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
    - attack.stealth
    - attack.t1620
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection:
        ScriptBlockText|contains: '[Reflection.Assembly]::load'
    condition: selection
falsepositives:
    - Legitimate use of the library
level: medium
medium
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Potential KamiKakaBot Activity - Lure Document Execution
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: test
description: |
    Detects the execution of a Word document via the WinWord Start Menu shortcut.
    This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - '/c '
            - '.lnk ~'
            - 'Start Menu\Programs\Word'
        CommandLine|endswith: '.doc'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: test
description: |
    Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
    This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
references:
    - https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
    - https://tria.ge/240123-rapteaahhr/behavioral1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-03-22
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - 'shutdown /l /f'
            - 'WEEKLY'
    filter_main_system_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
    - https://twitter.com/ScumBots/status/1610626724257046529
    - https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content
    - https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content
    - https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-04
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1056.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: '[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
        ParentImage|endswith: '\winrshost.exe'
    filter_main_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of WinRM within the organization
level: medium
medium
Potential Libvlc.DLL Sideloading
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
title: Potential Libvlc.DLL Sideloading
id: bf9808c4-d24f-44a2-8398-b65227d406b6
status: test
description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
references:
    - https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
    - https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
author: X__Junior
date: 2023-04-17
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\libvlc.dll'
    filter_main_vlc:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\VideoLAN\VLC\'
            - 'C:\Program Files\VideoLAN\VLC\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are expected if VLC is installed in non-default locations
level: medium
Convert to SIEM query
medium
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
    - https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
    - https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
    - https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
author: Muhammad Faisal
date: 2023-08-03
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219.002
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/amazon-ssm-agent'
        CommandLine|contains|all:
            - '-register '
            - '-code '
            - '-id '
            - '-region '
    condition: selection
falsepositives:
    - Legitimate activity of system administrators
level: medium
medium
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.009
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/dd'
        CommandLine|contains|all:
            - 'of='
            - '/proc/'
            - '/mem'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
Hunting Opportunity
Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
id: 39ac1fb0-07f1-474b-b97e-c5c0eace0d79
status: test
description: |
    Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
    MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
    Hunting Opportunity
    Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
references:
    - https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
    - https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
author: '@kostastsale'
date: 2023-06-01
tags:
    - attack.execution
    - attack.t1059
    - cve.2023-34362
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains: 'moveitdmz pool'
        Image|endswith: '\csc.exe'
    condition: selection
falsepositives:
    - Initial software installation and software updates.
level: medium
medium
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
title: Potential Malicious AppX Package Installation Attempts
id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
status: test
description: Detects potential installation or installation attempts of known malicious appx packages
references:
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-01-12
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID:
            - 400
            - 401
        # Add more malicious package names
        # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
        PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
    condition: selection
falsepositives:
    - Rare occasions where a malicious package uses the exact same name and version as a legitimate application.
level: medium
medium
Potential Memory Dumping Activity Via LiveKD
Detects execution of LiveKD based on PE metadata or image name
title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    condition: selection
falsepositives:
    - Administration and debugging activity (must be investigated)
level: medium
medium
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\mfdetours.dll'
    filter_main_legit_path:
        ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
medium
Potential Mftrace.EXE Abuse
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-09
modified: 2023-08-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\mftrace.exe'
    condition: selection
falsepositives:
    - Legitimate use for tracing purposes
level: medium
medium
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" from a directory other than its standard one.
The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
title: Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
id: 02b18447-ea83-4b1b-8805-714a8a34546a
status: test
description: |
    Detects execution of Windows Defender "OfflineScannerShell.exe" from a directory other than its standard one.
    The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
author: frack113
date: 2022-03-06
modified: 2023-08-03
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\OfflineScannerShell.exe'
        - OriginalFileName: 'OfflineScannerShell.exe'
    filter_main_legit_dir:
        CurrentDirectory: 'C:\Program Files\Windows Defender\Offline\'
    filter_main_empty:
        CurrentDirectory: ''
    filter_main_null:
        CurrentDirectory: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
title: Potential Network Sniffing Activity Using Network Tools
id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
status: test
description: |
    Detects potential network sniffing via use of network tools such as "tshark", "windump".
    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2023-02-20
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    category: process_creation
    product: windows
detection:
    selection_tshark:
        Image|endswith: '\tshark.exe'
        CommandLine|contains: '-i'
    selection_windump:
        Image|endswith: '\windump.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activity to troubleshoot network issues
level: medium
medium
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
title: Potential Obfuscated Ordinal Call Via Rundll32
id: 43fa5350-db63-4b8f-9a01-789a427074e1
status: test
description: Detects execution of "rundll32" with potential obfuscated ordinal calls
references:
    - Internal Research
    - https://www.youtube.com/watch?v=52tAmVLg1KM&t=2070s
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-05-17
modified: 2025-02-23
tags:
    - attack.stealth
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
        - CommandLine|contains: 'rundll32'
    selection_cli:
        CommandLine|contains:
            - '#+'
            - '#-'
            # An ordinal can be represented by adding any number of leading zeros to the ordinal number, e.g. 000000024
            - '#0'
            # The ordinal is a 16-bit value, so a number too large to fit in 16 bits normally wraps around.
            # For example, ordinal 24 can also be represented as 65560 (65536+24)
            - '#655'
            - '#656'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network traffic to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
id: da34e323-1e65-42db-83be-a6725ac2caa3
status: test
description: |
    Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session.
    Adversaries may attempt to capture network traffic to gather information over the course of an operation.
    Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing
    - https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md
    - https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
author: frack113
date: 2024-05-12
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1040
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'Start-NetEventSession'
    condition: selection
falsepositives:
    - Legitimate network diagnostic scripts.
level: medium
medium
Potential Pass the Hash Activity
Detects the attack technique pass the hash which is used to move laterally inside the network
title: Potential Pass the Hash Activity
id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
status: test
description: Detects the attack technique pass the hash which is used to move laterally inside the network
references:
    - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
date: 2017-03-08
modified: 2023-12-15
tags:
    - attack.lateral-movement
    - attack.t1550.002
    - car.2016-04-004
logsource:
    product: windows
    service: security
    definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
    selection:
        EventID:
            - 4624
            - 4625
        LogonType: 3
        LogonProcessName: 'NtLmSsp'
        WorkstationName|expand: '%Workstations%'
        ComputerName|expand: '%Workstations%'
    filter:
        TargetUserName: 'ANONYMOUS LOGON'
    condition: selection and not filter
falsepositives:
    - Administrator activity
level: medium
medium
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
title: Potential Password Reconnaissance Via Findstr.EXE
id: 1a0f6f16-2099-4753-9a02-43b6ac7a1fa5
status: test
description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
references:
    - https://steflan-security.com/windows-privilege-escalation-credential-harvesting/
    - https://adsecurity.org/?p=2288
author: Josh Nickels
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains:
            - 'contraseña' # Spanish
            - 'hasło' # Polish
            - 'heslo' # Czech
            - 'parola' # Italian
            - 'passe' # French
            - 'passw' # German, English
            - 'senha' # Portuguese
            - 'senord' # Swedish
            - '密碼' # Cantonese
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
title: Potential Password Spraying Attempt Using Dsacls.EXE
id: bac9fb54-2da7-44e9-988f-11e9a5edbc0c
status: test
description: Detects possible password spraying attempts using Dsacls
references:
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_cli:
        CommandLine|contains|all:
            - '/user:'
            - '/passwd:'
    condition: all of selection*
falsepositives:
    - Legitimate use of dsacls to bind to an LDAP session
level: medium
medium
Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
title: Potential Peach Sandstorm APT C2 Communication Activity
id: b8225208-81d0-4715-a822-12bcdd583e0f
status: test
description: Detects potential C2 communication activity related to Peach Sandstorm APT
references:
    - https://twitter.com/MsftSecIntel/status/1737895710169628824
    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
date: 2024-01-15
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|endswith:
            - '/api/Core/Command/Init'
            - '/api/Core/Command/Restart'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential PendingFileRenameOperations Tampering
Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
title: Potential PendingFileRenameOperations Tampering
id: 4eec988f-7bf0-49f1-8675-1e6a510b3a2a
status: test
description: |
    Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
references:
    - https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6
    - https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN
    - https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html
    - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
author: frack113
date: 2023-01-27
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: registry_set
    product: windows
detection:
    selection_main:
        TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    selection_susp_paths:
        Image|contains: '\Users\Public\'
        # - '\AppData\Local\Temp\' # Commented out as it's used by legitimate installers
    selection_susp_images:
        Image|endswith:
            - '\reg.exe'
            - '\regedit.exe'
    condition: selection_main and 1 of selection_susp_*
falsepositives:
    - Installers and updaters may set currently in use files for rename or deletion after a reboot.
level: medium
medium
Potential Persistence Attempt Via ErrorHandler.Cmd
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
title: Potential Persistence Attempt Via ErrorHandler.Cmd
id: 15904280-565c-4b73-9303-3291f964e7f9
status: test
description: |
    Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence
    The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
references:
    - https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/
    - https://github.com/last-byte/PersistenceSniper
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-09
modified: 2022-12-19
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\WINDOWS\Setup\Scripts\ErrorHandler.cmd'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
title: Potential Persistence Attempt Via Existing Service Tampering
id: 38879043-7e1e-47a9-8d46-6bec88e201df
status: test
description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
references:
    - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
author: Sreeman
date: 2020-09-29
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1543.003
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_sc:
        - CommandLine|contains|all:
              - 'sc '
              - 'config '
              - 'binpath='
        - CommandLine|contains|all:
              - 'sc '
              - 'failure'
              - 'command='
    selection_reg_img:
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'FailureCommand'
        - CommandLine|contains|all:
              - 'reg '
              - 'add '
              - 'ImagePath'
    selection_reg_ext:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin$'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh$'
            - '.reg$'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
    condition: selection_sc or all of selection_reg_*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
title: Potential Persistence Attempt Via Run Keys Using Reg.EXE
id: de587dce-915e-4218-aac4-835ca6af6f70
status: test
description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
references:
    - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
    - https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-06-28
modified: 2025-02-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - 'reg'
            - ' add '
        CommandLine|contains:
            - 'Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    condition: selection
falsepositives:
    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
    - Legitimate administrator sets up autorun keys for legitimate reasons.
    - Discord
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_add_run_key/info.yml
medium
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
medium
Potential Persistence Via Custom Protocol Handler
Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
title: Potential Persistence Via Custom Protocol Handler
id: fdbf0b9d-0182-4c43-893b-a1eaab92d085
status: test
description: Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
references:
    - https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-30
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|startswith: 'HKCR\'
        Details|startswith: 'URL:'
    filter_main_ms_trusted:
        Details|startswith: 'URL:ms-' # Microsoft Protocols usually start with "ms-"
    filter_main_generic_locations:
        Image|startswith: # Add more folders to avoid FP
            - 'C:\Program Files (x86)'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    # Uncomment this section to add specific Protocol Handler names that are known
    # filter_specific:
    #     Details: 'URL:'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Many legitimate applications can register a new custom protocol handler. Additional filters need to be applied according to your environment.
level: medium
medium
Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
view Sigma YAML
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
    The disk cleanup manager is part of the operating system. It displays the dialog box […]
    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
    - attack.persistence
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    filter_main_default_keys:
        # Default Keys
        TargetObject|endswith:
            - '\Active Setup Temp Folders'
            - '\BranchCache'
            - '\Content Indexer Cleaner'
            - '\D3D Shader Cache'
            - '\Delivery Optimization Files'
            - '\Device Driver Packages'
            - '\Diagnostic Data Viewer database files'
            - '\Downloaded Program Files'
            - '\DownloadsFolder'
            - '\Feedback Hub Archive log files'
            - '\Internet Cache Files'
            - '\Language Pack'
            - '\Microsoft Office Temp Files'
            - '\Offline Pages Files'
            - '\Old ChkDsk Files'
            - '\Previous Installations'
            - '\Recycle Bin'
            - '\RetailDemo Offline Content'
            - '\Setup Log Files'
            - '\System error memory dump files'
            - '\System error minidump files'
            - '\Temporary Files'
            - '\Temporary Setup Files'
            - '\Temporary Sync Files'
            - '\Thumbnail Cache'
            - '\Update Cleanup'
            - '\Upgrade Discarded Files'
            - '\User file versions'
            - '\Windows Defender'
            - '\Windows Error Reporting Files'
            - '\Windows ESD installation files'
            - '\Windows Upgrade Log Files'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate new entry added by Windows
level: medium
medium
Potential Persistence Via Event Viewer Events.asp
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
view Sigma YAML
title: Potential Persistence Via Event Viewer Events.asp
id: a1e11042-a74a-46e6-b07c-c4ce8ecc239b
status: test
description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
references:
    - https://twitter.com/nas_bench/status/1626648985824788480
    - https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks
    - https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/
    - https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-17
modified: 2023-03-05
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Covers both "\Policies\" and "\Software\" paths for both "Machine" and "User" level configs
        # Also "MicrosoftRedirectionProgramCommandLineParameters" key
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
            - '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionURL'
    filter_default_redirect_program:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgram'
        Details: '%%SystemRoot%%\PCHealth\HelpCtr\Binaries\HelpCtr.exe'
    filter_default_redirect_program_cli:
        Image|endswith: 'C:\WINDOWS\system32\svchost.exe' # Set via GPO
        TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Event Viewer\MicrosoftRedirectionProgramCommandLineParameters'
        Details: '-url hcp://services/centers/support?topic=%%s'
    filter_url:
        Details: 'http://go.microsoft.com/fwlink/events.asp'
    filter_cleaner:
        Details: '(Empty)'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Via Logon Scripts - Registry
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
view Sigma YAML
title: Potential Persistence Via Logon Scripts - Registry
id: 9ace0707-b560-49b8-b6ca-5148b42f39fb
status: test
description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
author: Tom Ueltschi (@c_APT_ure)
date: 2019-01-12
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.t1037.001
    - attack.persistence
    - attack.lateral-movement
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'UserInitMprLogonScript'
    condition: selection
falsepositives:
    - Investigate the contents of the "UserInitMprLogonScript" value to determine if the added script is legitimate
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_logon_scripts_userinitmprlogonscript/info.yml
simulation:
    - type: atomic-red-team
      name: Logon Scripts
      technique: T1037.001
      atomic_guid: d6042746-07d4-4c92-9ad8-e644c114a231
medium
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
view Sigma YAML
title: Potential Persistence Via Microsoft Compatibility Appraiser
id: f548a603-c9f2-4c89-b511-b089f7e94549
related:
    - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
      type: derived
status: test
description: |
    Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
references:
    - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
author: Sreeman
date: 2020-09-29
modified: 2023-02-10
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'run '
            - '\Application Experience\Microsoft Compatibility Appraiser'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
view Sigma YAML
title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
    - https://github.com/outflanknl/NetshHelperBeacon
    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
view Sigma YAML
title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate helper added by different programs and the OS
level: medium
medium
Potential Persistence Via New AMSI Providers - Registry
Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
view Sigma YAML
title: Potential Persistence Via New AMSI Providers - Registry
id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f705
status: test
description: |
    Detects when an attacker adds a new AMSI provider via the Windows Registry to bypass AMSI (Antimalware Scan Interface) protections.
    Attackers may add custom AMSI providers to persist on the system and evade detection by security software that relies on AMSI for scanning scripts and other content.
    This technique is often used in conjunction with fileless malware and script-based attacks to maintain persistence while avoiding detection.
references:
    - https://persistence-info.github.io/Data/amsi.html
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2025-10-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\AMSI\Providers\'
            - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}'
    filter_optional_avira:
        Image: 'C:\Program Files\Avira\Endpoint Protection SDK\endpointprotection.exe'
        TargetObject|contains: '\{00000001-3DCC-4B48-A82E-E2071FE58E05}'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate security products adding their own AMSI providers. Filter these according to your environment.
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_amsi_providers/info.yml