Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,492
medium
Potential Persistence Via Notepad++ Plugins
Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
view Sigma YAML
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2025-09-01
tags:
- attack.persistence
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Notepad++\plugins\'
TargetFilename|endswith: '.dll'
filter_gup:
Image|endswith: '\Notepad++\updater\gup.exe'
filter_install:
# This filter is for Sigma dataset you could remove it or change when using the rule in your own env
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Temp\'
Image|endswith:
- '\target.exe'
- 'Installer.x64.exe'
filter_main_installer:
Image|contains: '\npp.'
Image|endswith: '.exe'
TargetFilename:
- 'C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll'
- 'C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll'
- 'C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll'
- 'C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Possible FPs during first installation of Notepad++
- Legitimate use of custom plugins by users in order to enhance notepad++ functionalities
level: medium
Convert to SIEM query
medium
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
view Sigma YAML
title: Potential Persistence Via PowerShell User Profile Using Add-Content
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
status: test
description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-18
modified: 2023-05-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.013
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_add:
ScriptBlockText|contains: 'Add-Content $profile'
selection_options:
ScriptBlockText|contains:
# Note: You can add more suspicious values
- '-Value "IEX '
- '-Value "Invoke-Expression'
- '-Value "Invoke-WebRequest'
- '-Value "Start-Process'
- "-Value 'IEX "
- "-Value 'Invoke-Expression"
- "-Value 'Invoke-WebRequest"
- "-Value 'Start-Process"
condition: all of selection_*
falsepositives:
- Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
level: medium
Convert to SIEM query
medium
Potential Persistence Via Scrobj.dll COM Hijacking
Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
view Sigma YAML
title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: 'InprocServer32\(Default)'
Details: 'C:\WINDOWS\system32\scrobj.dll'
condition: selection
falsepositives:
- Legitimate use of the dll.
level: medium
Convert to SIEM query
medium
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
view Sigma YAML
title: Potential Persistence Via Shim Database Modification
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
status: test
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021-12-30
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
filter_main_empty_string:
Details: ''
filter_main_empty_value:
Details: '(Empty)'
filter_main_null:
Details: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate custom SHIM installations will also trigger this rule
level: medium
Convert to SIEM query
medium
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
view Sigma YAML
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
- id: 236d8e89-ed95-4789-a982-36f4643738ba
type: derived
status: test
description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
- https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
- attack.execution
- attack.persistence
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\VMwareToolBoxCmd.exe'
- OriginalFileName: 'toolbox-cmd.exe'
selection_cli:
CommandLine|contains|all:
- ' script '
- ' set '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
view Sigma YAML
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
- https://twitter.com/_vivami/status/1347925307643355138
- https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
- attack.t1137.006
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Office\Outlook\Addins\'
- '\Software\Microsoft\Office\Word\Addins\'
- '\Software\Microsoft\Office\Excel\Addins\'
- '\Software\Microsoft\Office\Powerpoint\Addins\'
- '\Software\Microsoft\VSTO\Security\Inclusion\'
filter_main_system:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
- 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
filter_main_office_click_to_run:
Image|startswith:
- 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_integrator:
Image:
- 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
filter_main_office_apps:
Image|startswith:
- 'C:\Program Files\Microsoft Office\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\OFFICE'
- 'C:\Program Files\Microsoft Office\Root\OFFICE'
- 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
- 'C:\PROGRA~2\MICROS~2\Office'
Image|endswith:
- '\excel.exe'
- '\Integrator.exe'
- '\OneNote.exe'
- '\outlook.exe'
- '\powerpnt.exe'
- '\Teams.exe'
- '\visio.exe'
- '\winword.exe'
filter_main_vsto:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
- 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
Image|endswith: '\VSTOInstaller.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate Addin Installation
level: medium
Convert to SIEM query
medium
Potential PetitPotam Attack Via EFS RPC Calls
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
view Sigma YAML
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
- https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dce_rpc
detection:
selection:
operation|startswith: 'efs'
condition: selection
falsepositives:
- Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium
Convert to SIEM query
medium
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
view Sigma YAML
title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: test
description: |
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
references:
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt
- https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
author: Alejandro Houspanossian ('@lekz86')
date: 2024-01-02
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1105
- attack.t1218
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_cmd:
CommandLine|contains|all:
- 'cmd'
- '/c'
selection_pipes:
CommandLine|contains:
- ' & '
- ' || '
selection_commands_1:
CommandLine|contains:
- ' curl'
- ' wget'
- ' timeout '
- ' ping '
selection_commands_2:
CommandLine|contains:
- ' rundll32'
- ' mkdir '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
view Sigma YAML
title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
- https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'ConsoleHost_history.txt'
- '(Get-PSReadLineOption).HistorySavePath'
condition: selection
falsepositives:
- Legitimate access of the console history file is possible
level: medium
Convert to SIEM query
medium
Potential PowerShell Downgrade Attack
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
view Sigma YAML
title: Potential PowerShell Downgrade Attack
id: b3512211-c67e-4707-bedc-66efc7848863
related:
- id: 6331d09b-4785-4c13-980f-f96661356249
type: derived
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
- https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
author: Harish Segar (rule)
date: 2020-03-20
modified: 2023-01-04
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- ' -version 2 '
- ' -versio 2 '
- ' -versi 2 '
- ' -vers 2 '
- ' -ver 2 '
- ' -ve 2 '
- ' -v 2 '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
view Sigma YAML
title: Potential PowerShell Execution Policy Tampering
id: fad91067-08c5-4d1a-8d8c-d96a21b37814
related:
- id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
type: similar
- id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
type: similar
- id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
type: similar
status: test
description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2023-12-14
tags:
- attack.defense-impairment
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
# Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
# Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
# Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
- '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
- '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
Details|contains:
- 'Bypass'
- 'Unrestricted'
filter_main_svchost:
# Note: We filter out "svchost" to avoid FP with changes using "gpedit" for example.
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Privileged System Service Operation - SeLoadDriverPrivilege
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
view Sigma YAML
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2026-03-29
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_1:
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter_main_exact:
ProcessName:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\HelpPane.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\fltMC.exe'
- 'C:\Windows\System32\mmc.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\ShellHost.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- 'C:\Windows\System32\wimserv.exe'
filter_optional_others:
ProcessName|endswith:
- '\AppData\Local\Microsoft\Teams\current\Teams.exe'
- '\Google\Chrome\Application\chrome.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\procmon.exe'
- '\procmon64.exe'
filter_main_startswith:
ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'
filter_optional_dropbox:
ProcessName|startswith:
- 'C:\Program Files (x86)\Dropbox\'
- 'C:\Program Files\Dropbox\'
ProcessName|endswith: '\Dropbox.exe'
condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
Convert to SIEM query
medium
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
view Sigma YAML
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
CommandLine|contains: 'SyncInvoke '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Process Hollowing Activity
Detects when a memory process image does not match the disk image, indicative of process hollowing.
view Sigma YAML
title: Potential Process Hollowing Activity
id: c4b890e5-8d8c-4496-8c66-c805753817cd
status: test
description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
references:
- https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022-01-25
modified: 2023-11-28
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.012
logsource:
product: windows
category: process_tampering
detection:
selection:
Type: 'Image is replaced'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)'
- ':\Program Files\'
- ':\Windows\System32\wbem\WMIADAP.exe'
- ':\Windows\SysWOW64\wbem\WMIADAP.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_edge:
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
view Sigma YAML
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
- attack.execution
- attack.t1047
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
# Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
CommandLine|contains:
- 'AntiVirusProduct'
- 'AntiSpywareProduct'
- 'FirewallProduct'
condition: all of selection_*
falsepositives:
- Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium
Convert to SIEM query
medium
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
view Sigma YAML
title: Potential Product Reconnaissance Via Wmic.EXE
id: 15434e33-5027-4914-88d5-3d4145ec25a9
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
- https://thedfirreport.com/2023/03/06/2022-year-in-review/
- https://www.yeahhub.com/list-installed-programs-version-path-windows/
- https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
author: Nasreddine Bencherchali
date: 2023-02-14
modified: 2025-10-22
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'Product'
filter_main_call_operations:
# wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
CommandLine|contains:
- ' uninstall'
- ' install'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
view Sigma YAML
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\provlaunch.exe'
filter_main_covered_children:
# Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Python DLL SideLoading
Detects potential DLL sideloading of Python DLL files.
view Sigma YAML
title: Potential Python DLL SideLoading
id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
status: test
description: Detects potential DLL sideloading of Python DLL files.
references:
- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
author: Swachchhanda Shrawan Poudel
date: 2024-10-06
modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\python39.dll'
- '\python310.dll'
- '\python311.dll'
- '\python312.dll'
filter_main_default_install_paths:
- ImageLoaded|startswith:
- 'C:\Program Files\Python3'
- 'C:\Program Files (x86)\Python3'
- ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
filter_optional_visual_studio:
ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_anaconda:
ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_cpython:
ImageLoaded|contains:
- '\cpython\externals\'
- '\cpython\PCbuild\'
filter_optional_pyinstaller:
# Triggered by programs bundled with PyInstaller
ImageLoaded|startswith: 'C:\Users'
ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
filter_main_legit_signature_details:
Product: 'Python'
Signed: 'true'
Description: 'Python'
Company: 'Python Software Foundation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software using Python DLLs
level: medium
Convert to SIEM query
medium
Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
view Sigma YAML
title: Potential RDP Exploit CVE-2019-0708
id: aaa5b30d-f418-420b-83a0-299cb6024885
status: test
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://github.com/Ekultek/BlueKeep
author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
date: 2019-05-24
modified: 2022-12-25
tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
- cve.2019-0708
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 56
- 50
Provider_Name: TermDD
condition: selection
falsepositives:
- Bad connections or network interruptions
# too many false positives
level: medium
Convert to SIEM query
medium
Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
view Sigma YAML
title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
- https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\tscon.exe'
- OriginalFileName: 'tscon.exe'
selection_integrity:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
view Sigma YAML
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
- attack.persistence
- attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_cli:
CommandLine|contains:
- 'delete'
- 'deletevalue'
- 'import'
- 'safeboot'
- 'network'
condition: all of selection_*
level: medium
Convert to SIEM query
medium
Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery
view Sigma YAML
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
Convert to SIEM query
medium
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
view Sigma YAML
title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: blueteamer8699
date: 2022-01-03
modified: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: 'gatherNetworkInfo.vbs'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
view Sigma YAML
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
- id: 0cf2e1c6-8d10-4273-8059-738778f981ad
type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
CommandLine|contains: ' -pr '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
view Sigma YAML
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: test
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021-11-05
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: '.vbs -register ' # register_app.vbs
condition: all of selection*
falsepositives:
- Other VB scripts that leverage the same starting command line flags
level: medium
Convert to SIEM query
medium
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
view Sigma YAML
title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: test
description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
references:
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022-08-07
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
filter:
Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
condition: selection and not filter
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
Convert to SIEM query
medium
Potential Registry Reconnaissance Via PowerShell Script
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
view Sigma YAML
title: Potential Registry Reconnaissance Via PowerShell Script
id: 064060aa-09fb-4636-817f-020a32aa7e9e
related:
- id: 970007b7-ce32-49d0-a4a4-fbef016950bd
type: similar
status: test
description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: frack113
date: 2023-07-02
tags:
- attack.discovery
- attack.t1012
- attack.t1007
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# TODO: switch to |re|i: after sigma specification v2 is released
ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
condition: selection
falsepositives:
- Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
level: medium
Convert to SIEM query
medium
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
view Sigma YAML
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|windash: ' -i:'
filter_main_flag:
CommandLine|contains|windash: ' -n '
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrator typo might cause some false positives
level: medium
Convert to SIEM query
medium
Potential Remote Command Execution In Pod Container
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
view Sigma YAML
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'pods'
objectRef.subresource: 'exec'
condition: selection
falsepositives:
- Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
Convert to SIEM query
medium
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
view Sigma YAML
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
- n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: ntlm
definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8001
TargetName|startswith: 'TERMSRV'
condition: selection
falsepositives:
- Host connections to valid domains, exclude these.
- Host connections not using host FQDN.
- Host connections to external legitimate domains.
level: medium
Convert to SIEM query
medium
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
view Sigma YAML
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Remote WMI ActiveScriptEventConsumers Activity
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
view Sigma YAML
title: Potential Remote WMI ActiveScriptEventConsumers Activity
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: |
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
references:
- https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2024-09-02
tags:
- attack.lateral-movement
- attack.privilege-escalation
- detection.threat-hunting
- attack.persistence
- attack.t1546.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
ProcessName|endswith: 'scrcons.exe'
filter_main_local_system:
TargetLogonId: '0x3e7' # Local System
condition: selection and not 1 of filter_main_*
falsepositives:
- SCCM
level: medium
Convert to SIEM query
medium
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
view Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Default Location
id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
status: test
description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
references:
- https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image: 'C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe'
ImageLoaded: 'C:\$SysReset\Framework\Stack\RjvPlatform.dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
view Sigma YAML
title: Potential RoboForm.DLL Sideloading
id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
status: test
description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
references:
- https://twitter.com/StopMalvertisin/status/1648604148848549888
- https://twitter.com/t3ft3lb/status/1656194831830401024
- https://www.roboform.com/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\roboform.dll'
- '\roboform-x64.dll'
filter_main_path:
Image|startswith:
- ' C:\Program Files (x86)\Siber Systems\AI RoboForm\'
- ' C:\Program Files\Siber Systems\AI RoboForm\'
Image|endswith:
- '\robotaskbaricon.exe'
- '\robotaskbaricon-x64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
level: medium
Convert to SIEM query
medium
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
view Sigma YAML
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'ruby'
CommandLine|contains|all:
- ' -e'
- 'rsocket'
- 'TCPSocket'
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
view Sigma YAML
title: Potential SAP NetWeaver Webshell Creation
id: 86a7c91f-98c3-4f14-a58d-d989421e1234
status: experimental
description: |
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection_path:
TargetFilename|contains:
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
selection_ext:
TargetFilename|endswith:
- '.jsp'
- '.java'
- '.class'
condition: all of selection_*
falsepositives:
- Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
view Sigma YAML
title: Potential SAP NetWeaver Webshell Creation - Linux
id: 5b91409c-cb18-4ab6-ac75-c5759f998409
status: experimental
description: |
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
logsource:
product: linux
category: file_event
detection:
selection_path:
TargetFilename|contains:
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/'
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/'
selection_ext:
TargetFilename|endswith:
- '.jsp'
- '.java'
- '.class'
condition: all of selection_*
falsepositives:
- Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
view Sigma YAML
title: Potential SPN Enumeration Via Setspn.EXE
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects service principal name (SPN) enumeration used for Kerberoasting
references:
- https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
- https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018-11-14
modified: 2023-10-23
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\setspn.exe'
- OriginalFileName: 'setspn.exe'
- Description|contains|all:
- 'Query or reset the computer'
- 'SPN attribute'
selection_cli:
CommandLine|contains:
- ' -q '
- ' /q '
condition: all of selection_*
falsepositives:
- Administration activity
level: medium
Convert to SIEM query
medium
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
view Sigma YAML
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
ParentImage|endswith:
# Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains: ' -nologo -windowstyle minimized -file '
selection_temp:
# Note: Since the function uses "env:temp" the value will change depending on the context of exec
CommandLine|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
view Sigma YAML
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
- attack.impact
- attack.stealth
- attack.defense-impairment
- attack.t1070.004
- attack.t1027.005
- attack.t1485
- attack.t1553.002
- attack.s0195
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
- 4658
ObjectName|endswith:
- '.AAA'
- '.ZZZ'
condition: selection
falsepositives:
- Legitimate usage of SDelete
- Files that are interacted with that have these extensions legitimately
level: medium
Convert to SIEM query
medium
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
view Sigma YAML
title: Potential SentinelOne Shell Context Menu Scan Command Tampering
id: 6c304b02-06e6-402d-8be4-d5833cdf8198
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\shell\SentinelOneScan\command\'
filter_main_sentinelone_default_scan_binary:
Details|startswith:
- 'C:\Program Files\SentinelOne\Sentinel Agent'
- 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
Details|contains: '\SentinelScanFromContextMenu.exe'
filter_main_sentinelone_binary:
Image|endswith:
- 'C:\Program Files\SentinelOne\'
- 'C:\Program Files (x86)\SentinelOne\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
view Sigma YAML
title: Potential ShellDispatch.DLL Functionality Abuse
id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
status: test
description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'RunDll_ShellExecuteW'
condition: all of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
view Sigma YAML
title: Potential ShellDispatch.DLL Sideloading
id: 844f8eb2-610b-42c8-89a4-47596e089663
status: test
description: Detects potential DLL sideloading of "ShellDispatch.dll"
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\ShellDispatch.dll'
filter_main_legit_path:
- ImageLoaded|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\'
- ImageLoaded|contains: ':\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some installers may trigger some false positives
level: medium
Convert to SIEM query
medium
Potential Shellcode Injection
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
view Sigma YAML
title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
references:
- https://github.com/EmpireProject/PSInject
author: Bhabesh Raj
date: 2022-03-11
modified: 2024-07-02
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.threat-hunting
logsource:
category: process_access
product: windows
detection:
selection:
GrantedAccess:
- '0x147a'
- '0x1f3fff'
CallTrace|contains: 'UNKNOWN'
filter_main_wmiprvse:
SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
TargetImage: 'C:\Windows\system32\lsass.exe'
filter_optional_dell_folders:
# If dell software is installed we get matches like these
# Example 1:
# SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
# TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# GrantedAccess: 0x1F3FFF
# Example 2:
# SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
# TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# GrantedAccess: 0x1F3FFF
# Example 3:
# SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
# GrantedAccess: 0x1F3FFF
SourceImage|startswith:
- 'C:\Program Files\Dell\'
- 'C:\Program Files (x86)\Dell\'
TargetImage|startswith:
- 'C:\Program Files\Dell\'
- 'C:\Program Files (x86)\Dell\'
filter_optional_dell_specifc:
SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
TargetImage: 'C:\Windows\Explorer.EXE'
filter_optional_visual_studio:
SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
view Sigma YAML
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
- id: 18ee686c-38a3-4f65-9f44-48a077141f42
type: similar
status: test
description: |
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
selection_cli:
CommandLine|contains: '.sdb'
filter_optional_iis:
ParentImage|endswith: '\msiexec.exe'
CommandLine|contains:
# Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
- ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
- ':\Program Files\IIS Express\iisexpressshim.sdb'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Sidecar Injection Into Running Deployment
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
view Sigma YAML
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: test
description: |
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
references:
- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'patch'
apiGroup: 'apps'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential SolidPDFCreator.DLL Sideloading
Detects potential DLL sideloading of "SolidPDFCreator.dll"
view Sigma YAML
title: Potential SolidPDFCreator.DLL Sideloading
id: a2edbce1-95c8-4291-8676-0d45146862b3
status: test
description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: X__Junior (Nextron Systems)
date: 2023-05-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\SolidPDFCreator.dll'
filter_main_path:
Image|endswith: '\SolidPDFCreator.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\'
- 'C:\Program Files\SolidDocuments\SolidPDFCreator\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
- attack.collection
- attack.discovery
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1685.001
- attack.t1547.001
- attack.t1505.005
- attack.t1556.002
- attack.t1685
- attack.t1574.007
- attack.t1564.002
- attack.t1546.008
- attack.t1546.007
- attack.t1547.014
- attack.t1547.010
- attack.t1547.002
- attack.t1557
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\secedit.exe'
- OriginalFileName: 'SeCEdit'
selection_flags_discovery:
CommandLine|contains|all:
- '/export'
- '/cfg'
selection_flags_configure:
CommandLine|contains|all:
- '/configure'
- '/db'
# filter:
# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log
condition: selection_img and (1 of selection_flags_*)
falsepositives:
- Legitimate administrative use
level: medium
Convert to SIEM query
medium
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
view Sigma YAML
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Acrobat Reader'
- 'Microsoft Office'
- 'PDF Reader'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
- '\maxthon.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
CommandLine|contains: 'http'
filter_main_microsoft_help:
CommandLine|contains: 'https://go.microsoft.com/fwlink/'
filter_optional_foxit:
CommandLine|contains:
- 'http://ad.foxitsoftware.com/adlog.php?'
- 'https://globe-map.foxitservice.com/go.php?do=redirect'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
Convert to SIEM query
medium
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
These files include, but are not limited to, system configuration files, authentication files, and critical application files.
Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
view Sigma YAML
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
These files include, but are not limited to, system configuration files, authentication files, and critical application files.
Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
- attack.impact
- attack.t1565.001
logsource:
category: process_creation
product: linux
detection:
selection_img_1:
Image|endswith:
- '/cat'
- '/echo'
- '/grep'
- '/head'
- '/more'
- '/tail'
CommandLine|contains: '>'
selection_img_2:
Image|endswith:
- '/emacs'
- '/nano'
- '/sed'
- '/vi'
- '/vim'
selection_paths:
CommandLine|contains:
- '/bin/login'
- '/bin/passwd'
- '/boot/'
- '/etc/*.conf'
- '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
- '/etc/crontab'
- '/etc/hosts'
- '/etc/init.d'
- '/etc/sudoers'
- '/opt/bin/'
- '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
- '/usr/bin/'
- '/usr/local/bin/'
filter_main_mdadm.conf:
Image|endswith: '/bin/sed'
CommandLine|startswith:
- 'sed -i /^*'
- 'sed -ne s/^'
CommandLine|endswith: '/etc/mdadm/mdadm.conf'
condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
- Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
Convert to SIEM query
Showing 851-900 of 1,492