
Sigma (generic) detection rules

1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.

Detection rules

50 shown of 1,492
medium
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
status: test · author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup) · id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019-02-11
modified: 2023-04-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.Reflection.Assembly.Load($'
            - '[System.Reflection.Assembly]::Load($'
            - '[Reflection.Assembly]::Load($'
            - 'System.Reflection.AssemblyName'
            - 'Reflection.Emit.AssemblyBuilderAccess'
            - 'Reflection.Emit.CustomAttributeBuilder'
            - 'Runtime.InteropServices.UnmanagedType'
            - 'Runtime.InteropServices.DllImportAttribute'
            - 'SuspendThread'
            - 'rundll32'
            # - 'FromBase64'
            # - 'Invoke-WMIMethod' # Prone to FP
            # - 'http://127.0.0.1' # Prone to FP
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Suspicious PowerShell Module File Created
Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: e8a52bbd-bced-459f-bd93-64db45ce7657
title: Potential Suspicious PowerShell Module File Created
id: e8a52bbd-bced-459f-bd93-64db45ce7657
status: test
description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder.
references:
    - Internal Research
    - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.persistence
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
            - '\\WindowsPowerShell\\Modules\\*\.ps'
            - '\\WindowsPowerShell\\Modules\\*\.dll'
    condition: selection
falsepositives:
    - False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
level: medium
medium
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
status: test · author: frack113, Nasreddine Bencherchali · id: 62e0298b-e994-4189-bc87-bc699aa62d97
title: Potential Suspicious Registry File Imported Via Reg.EXE
id: 62e0298b-e994-4189-bc87-bc699aa62d97
related:
    - id: 73bba97f-a82d-42ce-b315-9182e76c57b1
      type: derived
status: test
description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
author: frack113, Nasreddine Bencherchali
date: 2022-08-01
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains: ' import '
    selection_paths:
        CommandLine|contains:
            - 'C:\Users\'
            - '%temp%'
            - '%tmp%'
            - '%appdata%'
            - '\AppData\Local\Temp\'
            - 'C:\Windows\Temp\'
            - 'C:\ProgramData\'
    condition: all of selection_*
falsepositives:
    - Legitimate import of keys
level: medium
medium
Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
status: test · author: frack113 · id: 55c925c1-7195-426b-a136-a9396800e29b
title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
    - id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
    - attack.stealth
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmd:
        ScriptBlockText|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features to your env
        ScriptBlockText|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
medium
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
    - id: 55c925c1-7195-426b-a136-a9396800e29b
      type: similar
status: test
description: |
    Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
    Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
    - https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
    - https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
    - https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-29
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        CommandLine|contains|all:
            - 'Enable-WindowsOptionalFeature'
            - '-Online'
            - '-FeatureName'
    selection_feature:
        # Add any insecure/unusual windows features that you don't use in your environment
        CommandLine|contains:
            - 'TelnetServer'
            - 'Internet-Explorer-Optional-amd64'
            - 'TFTP'
            - 'SMB1Protocol'
            - 'Client-ProjFS'
            - 'Microsoft-Windows-Subsystem-Linux'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the features listed in the rule.
level: medium
medium
Potential UAC Bypass Via Sdclt.EXE
A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
status: test · author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) · id: 40f9af16-589d-4984-b78d-8c2aec023197
title: Potential UAC Bypass Via Sdclt.EXE
id: 40f9af16-589d-4984-b78d-8c2aec023197
status: test
description: A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/6
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: 'sdclt.exe'
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
status: experimental · author: frack113 · id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
    - https://pentestlab.blog/2022/03/21/unconstrained-delegation/
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.t1018
    - attack.t1558
    - attack.t1589.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - '-Properties*TrustedForDelegation'
            - '-Properties*TrustedToAuthForDelegation'
            - '-Properties*msDS-AllowedToDelegateTo'
            - '-Properties*PrincipalsAllowedToDelegateToAccount'
            - '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium
medium
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 68bcd73b-37ef-49cb-95fc-edc809730be6
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
    - id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
      type: similar
    - id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
      type: similar
status: test
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
    - https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
    - https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'wmic.exe'
        - Image|endswith: '\WMIC.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' service get '
            - 'name,displayname,pathname,startmode'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
Potential Vivaldi_elf.DLL Sideloading
Detects potential DLL sideloading of "vivaldi_elf.dll"
status: test · author: X__Junior (Nextron Systems) · id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: test
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
    - https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vivaldi_elf.dll'
    filter_main_legit_path:
        Image|endswith: '\Vivaldi\Application\vivaldi.exe'
        ImageLoaded|contains: '\Vivaldi\Application\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
status: stable · author: Markus Neis @Karneades · id: 692f0bec-83ba-4d04-af7e-e884a96059b6
title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
id: 692f0bec-83ba-4d04-af7e-e884a96059b6
related:
    - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
status: stable
description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
references:
    - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis @Karneades
date: 2019-04-03
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1047
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WmiPrvSE.exe'
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    condition: all of selection_*
falsepositives:
    - AppvClient
    - CCM
    - WinRM
level: medium
medium
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
status: test · author: X__Junior (Nextron Systems) · id: e2e01011-5910-4267-9c3b-4149ed5479cf
title: Potential WWlib.DLL Sideloading
id: e2e01011-5910-4267-9c3b-4149ed5479cf
status: test
description: Detects potential DLL sideloading of "wwlib.dll"
references:
    - https://twitter.com/WhichbufferArda/status/1658829954182774784
    - https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
    - https://securelist.com/apt-luminousmoth/103332/
author: X__Junior (Nextron Systems)
date: 2023-05-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\wwlib.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
        Image|endswith: '\winword.exe'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\Program Files\Microsoft Office\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
status: test · author: X__Junior (Nextron Systems) · id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: test
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\libwazuhshared.dll'
            - '\libwinpthread-1.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_mingw64:
        # Note: Many third party apps installed in "AppData" or "ProgramData" and leverage "mingw64" make use of "libwinpthread-1.dll"
        # In production its best to make a list of these apps and replace this filter with a specific one.
        ImageLoaded|contains:
            - '\AppData\Local\'
            - '\ProgramData\'
        ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
medium
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
status: test · author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo · id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp:  # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
medium
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
status: test · author: Tim Rauch (rule), Elastic (idea) · id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
title: Potential XCSSET Malware Infection
id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
status: test
description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1_curl:
        ParentImage|endswith: '/bash'
        Image|endswith: '/curl'
        CommandLine|contains:
            - '/sys/log.php'
            - '/sys/prepod.php'
            - '/sys/bin/Pods'
    selection_1_https:
        CommandLine|contains: 'https://'
    selection_other_1:
        ParentImage|endswith: '/bash'
        Image|endswith: '/osacompile'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_2:
        ParentImage|endswith: '/bash'
        Image|endswith: '/plutil'
        CommandLine|contains|all:
            - 'LSUIElement'
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_3:
        Image|endswith: '/zip'
        CommandLine|contains|all:
            - '-r'
            - '/Users/'
            - '/Library/Group Containers/'
    condition: all of selection_1_* or 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
medium
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
status: test · author: @d4ns4n_ · id: 4e25af4b-246d-44ea-8563-e42aacab006b
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 01c42d3c-242d-4655-85b2-34f1739632f7
title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
id: 01c42d3c-242d-4655-85b2-34f1739632f7
status: test
description: Detects usage of Dsacls to grant over permissive permissions
references:
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_flag:
        CommandLine|contains: ' /G '
    selection_permissions:
        CommandLine|contains: # Add more permissions as you see fit in your environment
            - 'GR'
            - 'GE'
            - 'GW'
            - 'GA'
            - 'WP'
            - 'WD'
    condition: all of selection_*
falsepositives:
    - Legitimate administrators granting over permissive permissions to users
level: medium
medium
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
status: test · author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) · id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000'  # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410'    # car.2019-04-004
            - '0x1010'    # car.2019-04-004
            - '0x1438'    # car.2019-04-004
            - '0x143a'    # car.2019-04-004
            - '0x1418'    # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe'  # Cyberreason
            - '\MRT.exe'         # MS Malware Removal Tool
            - '\MsMpEng.exe'     # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe'        # THOR
            - '\thor64.exe'      # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe'    # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files'  # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it
level: medium
Convert to SIEM query
medium
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
status test author Isaac Dunham id 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
title: Potentially Suspicious Azure Front Door Connection
id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
status: test
description: |
    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
references:
    - https://lots-project.com/site/2a2e617a75726566642e6e6574
    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
author: Isaac Dunham
date: 2024-11-07
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1090.004
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'azurefd.net'
    filter_main_web_browsers:
        Image|endswith:
            - 'brave.exe'
            - 'chrome.exe'
            - 'chromium.exe'
            - 'firefox.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'opera.exe'
            - 'vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: 'searchapp.exe' # Windows search service uses a significant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|contains:
            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
    - Organization-specific Azure Front Door endpoints
level: medium
medium
Potentially Suspicious CMD Shell Output Redirect
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
status test author Nasreddine Bencherchali (Nextron Systems) id 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
title: Potentially Suspicious CMD Shell Output Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
related:
    - id: aa2efee7-34dd-446e-8a37-40790a66efd7
      type: derived
    - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
      type: similar
status: test
description: |
    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-03-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli_1:
        CommandLine|contains:
            # Note: Add more suspicious locations as you find them
            # Note: The leading space is deliberately omitted so that append operations (">>") are also covered
            # Note: The "?" accounts for both a single and a double quote between ">" and the path
            # Note: Extra spaces between ">" and the path are still a valid bypass; to cover them, use a regex with "\s"
            - '>?%APPDATA%\'
            - '>?%TEMP%\'
            - '>?%TMP%\'
            - '>?%USERPROFILE%\'
            - '>?C:\ProgramData\'
            - '>?C:\Temp\'
            - '>?C:\Users\Public\'
            - '>?C:\Windows\Temp\'
    selection_cli_2:
        CommandLine|contains:
            - ' >'
            - '">'
            - "'>"
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
level: medium
medium
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. as seen in the Iranian MeteorExpress-related attacks
status test author Bhabesh Raj, X__Junior (Nextron Systems) id 9f107a84-532c-41af-b005-8d12a607639f
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. as seen in the Iranian MeteorExpress-related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator usage
level: medium
medium
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
status test author Nasreddine Bencherchali (Nextron Systems) id e2812b49-bae0-4b21-b366-7c142eafcde2
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-impairment
logsource:
    category: ps_script
    product: windows
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_class:
        ScriptBlockText|contains: 'Win32_NTEventlogFile'
    selection_function:
        ScriptBlockText|contains:
            - '.BackupEventlog('
            - '.ChangeSecurityPermissions('
            - '.ChangeSecurityPermissionsEx('
            - '.ClearEventLog('
            - '.Delete('
            - '.DeleteEx('
            - '.Rename('
            - '.TakeOwnerShip('
            - '.TakeOwnerShipEx('
    condition: all of selection_*
falsepositives:
    - Legitimate administration and backup scripts
level: medium
medium
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
status test author Nasreddine Bencherchali (Nextron Systems) id 67bc0e75-c0a9-4cfc-8754-84a505b63c04
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
status test author Nasreddine Bencherchali (Nextron Systems) id 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
title: Potentially Suspicious Child Process Of DiskShadow.EXE
id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
related:
    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
      type: similar
    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\diskshadow.exe'
        Image|endswith:
            # Note: add or remove additional binaries according to your org needs
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - False positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
level: medium
medium
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
status test author Nasreddine Bencherchali (Nextron Systems) id 5a3164f2-b373-4152-93cf-090b13c12d27
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt at persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expression' # Cmdlet name is singular; the plural form would never match
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environments where VsCode is used heavily. False positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly
level: medium
medium
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
status test author Nasreddine Bencherchali (Nextron Systems) id 146aace8-9bd6-42ba-be7a-0070d8027b76
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
status test author Swachchhanda Shrawan Poudel id ca5583e9-8f80-46ac-ab91-7f314d13b984
title: Potentially Suspicious Child Process of KeyScrambler.exe
id: ca5583e9-8f80-46ac-ab91-7f314d13b984
related:
    - id: d2451be2-b582-4e15-8701-4196ac180260
      type: similar
status: test
description: Detects potentially suspicious child processes of KeyScrambler.exe
references:
    - https://twitter.com/DTCERT/status/1712785421845790799
author: Swachchhanda Shrawan Poudel
date: 2024-05-13
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1203
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\KeyScrambler.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
status test author @SerkinValery id d2eb17db-1d39-41dc-b57f-301f6512fa75
title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
status test author Florian Roth (Nextron Systems), Samir Bousseaden id 27a72a60-7e5e-47b1-9d17-909c9abafdcd
title: Potentially Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: test
description: Detects potentially suspicious command line arguments of common data compression tools
references:
    - https://twitter.com/SBousseaden/status/1184067445612535811
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2019-10-15
modified: 2023-08-29
tags:
    - attack.collection
    - attack.t1560.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - '7z*.exe'
            - '*rar.exe'
            - '*Command*Line*RAR*'
        CommandLine|contains:
            - ' -p'
            - ' -ta'
            - ' -tb'
            - ' -sdel'
            - ' -dw'
            - ' -hp'
    filter_main_generic:
        ParentImage|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
status test author Nasreddine Bencherchali (Nextron Systems) id aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
title: Potentially Suspicious DMP/HDMP File Creation
id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
related:
    - id: 3a525307-d100-48ae-b3b9-0964699d7f97
      type: similar
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: selection
falsepositives:
    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
medium
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
status test author Stephen Lincoln @slincoln-aiq (AttackIQ) id 8cbc9475-8d05-4e27-9c32-df960716c701
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
      type: similar
status: test
description: |
    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flag:
        CommandLine|contains: 'add'
    selection_keys:
        CommandLine|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_cli_reg_1:
        CommandLine|contains|all:
            - '/v NoChangingWallpaper'
            - '/d 1' # Prevent changing desktop background
    selection_cli_reg_2:
        CommandLine|contains|all:
            - '/v Wallpaper'
            - '/t REG_SZ'
    selection_cli_reg_3:
        CommandLine|contains|all:
            - '/v WallpaperStyle'
            - '/d 2' # Stretch
    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
medium
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
status test author Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) id 85b88e05-dadc-430b-8a9e-53ff1cd30aae
title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
      type: similar
status: test
description: |
    Detects registry value settings that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
medium
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious command lines of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 378a05d8-963c-46c9-bcce-13c7657eac99
title: Potentially Suspicious Electron Application CommandLine
id: 378a05d8-963c-46c9-bcce-13c7657eac99
related:
    - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
      type: similar
status: test
description: Detects potentially suspicious command lines of Electron apps (Teams, Discord, Slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
references:
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
    - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
modified: 2023-11-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              # Add more electron based app to the list
              - '\chrome.exe'
              - '\code.exe'
              - '\discord.exe'
              - '\GitHubDesktop.exe'
              - '\keybase.exe'
              - '\msedge_proxy.exe'
              - '\msedge.exe'
              - '\msedgewebview2.exe'
              - '\msteams.exe'
              - '\slack.exe'
              - '\Teams.exe'
        - OriginalFileName:
              # Add more electron based app to the list
              - 'chrome.exe'
              - 'code.exe'
              - 'discord.exe'
              - 'GitHubDesktop.exe'
              - 'keybase.exe'
              - 'msedge_proxy.exe'
              - 'msedge.exe'
              - 'msedgewebview2.exe'
              - 'msteams.exe'
              - 'slack.exe'
              - 'Teams.exe'
    selection_cli:
        CommandLine|contains:
            - '--browser-subprocess-path'
            - '--gpu-launcher'
            - '--renderer-cmd-prefix'
            - '--utility-cmd-prefix'
    condition: all of selection_*
falsepositives:
    - Legitimate usage for debugging purposes
# Increase the level once FP rate is known better (see status)
level: medium
medium
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
view Sigma YAML
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
      type: derived
status: test
description: |
    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
    This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://www.group-ib.com/blog/apt41-world-tour-2021/
    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1552
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: Because this only focuses on EIDs, and EIDs are not unique across providers, rare FPs might occur with legitimate queries for the same EIDs from other providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
    - Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
medium
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
status: test · author: Joseliyo Sanchez, @Joseliyo_Jstnk · id: 312b42b1-bded-4441-8b58-163a3af58775
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|startswith: '/tmp/'
    filter_optional_nextcloud:
        Image|endswith: '/usr/bin/nextcloud'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, command lines or paths
        - Image|endswith:
              # If you use any of the following processes legitimately, comment them out
              - '\bash.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\csc.exe'
              - '\cscript.exe'
              - '\dllhost.exe'
              - '\mshta.exe'
              - '\msiexec.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\scriptrunner.exe'
              - '\wmic.exe'
              - '\wscript.exe'
              - '\wsl.exe'
        - Image|contains:
              - ':\ProgramData\'
              - ':\Users\Public\'
              - ':\Windows\TEMP\'
              - '\AppData\Local\Temp'
        - CommandLine|contains:
              - ' -decode '
              - ' -enc '
              - ' -encodedcommand '
              - ' -w hidden'
              - 'DownloadString'
              - 'FromBase64String'
              - 'http'
              - 'iex '
              - 'Invoke-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium
medium
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: cc368ed0-2411-45dc-a222-510ace303cb2
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_dir:
        CommandLine|contains:
            # Note: Add more potentially suspicious directories
            - '\AppData\Local\Temp\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
    - id: cc368ed0-2411-45dc-a222-510ace303cb2
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\Regsvcs.exe'
              - '\Regasm.exe'
        - OriginalFileName:
              - 'RegSvcs.exe'
              - 'RegAsm.exe'
    selection_extension:
        CommandLine|contains:
            # Note: Add more potentially uncommon extensions
            - '.dat'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
status: experimental · author: @kostastsale · id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
medium
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
status: test · author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community · id: a18dd26b-6450-46de-8c91-9659150cf088
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection_target:
        TargetImage|endswith: '\lsass.exe'
    selection_access:
        - GrantedAccess|endswith:
              # - '10'  # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
              - '30'
              - '50'
              - '70'
              - '90'
              - 'B0'
              - 'D0'
              - 'F0'
              - '18'
              - '38'
              - '58'
              - '78'
              - '98'
              - 'B8'
              - 'D8'
              - 'F8'
              - '1A'
              - '3A'
              - '5A'
              - '7A'
              - '9A'
              - 'BA'
              - 'DA'
              - 'FA'
              - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
        - GrantedAccess|startswith:
              - '0x100000'
              - '0x1418'    # car.2019-04-004
              - '0x1438'    # car.2019-04-004
              - '0x143a'    # car.2019-04-004
              - '0x1f0fff'
              - '0x1f1fff'
              - '0x1f2fff'
              - '0x1f3fff'
              - '0x40'
              # - '0x1000'  # minimum access requirements to query basic info from service
              # - '0x1010'    # car.2019-04-004
              # - '0x1400'
              # - '0x1410'    # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
    filter_main_generic:
        # When using this rule, remove this filter and replace it with the path of the specific AV you use
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_malwarebytes:
        SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
    filter_optional_vscode:
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_main_windefend_1:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith: '\MsMpEng.exe'
    filter_main_windefend_2:
        CallTrace|contains|all:
            - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
            - '}\mpengine.dll+'
        GrantedAccess: '0x1418'
    filter_main_windefend_3:
        CallTrace|contains:
            - '|c:\program files\windows defender\mprtp.dll'
            - '|c:\program files\windows defender\MpClient.dll'
    filter_optional_vmwaretools:
        SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
        SourceImage|endswith: '\vmtoolsd.exe'
    filter_optional_sysinternals_process_explorer:
        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
        GrantedAccess: '0x40'
    filter_optional_mbami:
        SourceImage|endswith: '\MBAMInstallerService.exe'
        GrantedAccess: '0x40'
    filter_optional_nextron:
        SourceImage|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
            - '\thor.exe'
            - '\thor64.exe'
        GrantedAccess: '0x40'
    filter_main_explorer:
        SourceImage|endswith: '\explorer.exe'
        GrantedAccess: '0x401'
    filter_optional_sysinternals_handle:
        SourceImage|endswith:
            - '\handle.exe'
            - '\handle64.exe'
        GrantedAccess: '0x40'
    filter_optional_webex:
        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
        GrantedAccess: '0x401'
    filter_optional_steam_apps:
        SourceImage|contains: '\SteamLibrary\steamapps\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software such as AV and EDR
level: medium
medium
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
status: experimental · author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems) · id: 8537c866-072e-460d-bfff-aaf39cbd73d3
title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains|all:
            - 'http'
            - 'execSync'
            - 'spawn'
            - 'fs'
            - 'path'
            - 'zlib'
    condition: all of selection_*
falsepositives:
    - Legitimate scripts using Node.js with these modules
level: medium
medium
Potentially Suspicious JWT Token Search Via CLI
Detects a potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used as access tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
status: test · author: Nasreddine Bencherchali (Nextron Systems), kagebunsher · id: 6d3a3952-6530-44a3-8554-cf17c116c615
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects a potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used as access tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
status: test · author: frack113, The DFIR Report · id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
    - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_proxy:
        # Note: Example command observed:  cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_fsutil_cli:
        CommandLine|contains|all:
            - 'fsutil'
            - 'behavior'
            - 'set'
            - 'SymlinkEvaluation'
    selection_symlink_params:
        CommandLine|contains:
            - 'R2L:1' # Remote to Local
            - 'R2R:1' # Remote to Remote
            - 'L2L:1' # Local to Local
    condition: all of selection_*
falsepositives:
    - Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
medium
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
      type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
        # Note: Add more potentially suspicious locations
        CommandLine|contains: ' /tmp/'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Ping/Copy Command Combination
Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
status: test · author: X__Junior (Nextron Systems) · id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
    Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_action:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'copy '
    selection_cli_1:
        CommandLine|contains|windash: ' -n ' # Count
    selection_cli_2:
        CommandLine|contains|windash: ' -y '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
status: test · author: Florian Roth (Nextron Systems), Tim Shelton · id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: test
description: |
    Detects potentially suspicious child processes spawned by PowerShell.
    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
references:
    - https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022-04-26
modified: 2024-07-16
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\'  # AWS Workspaces
    filter_main_certutil_verify_store:
        Image|endswith: '\certutil.exe'
        CommandLine|contains: '-verifystore '
    filter_main_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'qfe list'
            - 'diskdrive '
            - 'csproduct '
            - 'computersystem '
            - ' os '
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
level: medium
medium
Potentially Suspicious Powershell Script Execution From Temp Folder
Detects potentially suspicious PowerShell script executions from a temporary folder
status: test · author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton · id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
title: Potentially Suspicious Powershell Script Execution From Temp Folder
id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
status: test
description: Detects potentially suspicious PowerShell script executions from a temporary folder
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
date: 2021-07-14
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '\Windows\Temp'
            - '\Temporary Internet'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    filter_optional_vscode:
        CommandLine|contains: '-WindowStyle hidden -Verb runAs'
    filter_optional_amazon_ec2:
        CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
    filter_optional_generic:
        CommandLine|contains:
            - ' >'
            - 'Out-File'
            - 'ConvertTo-Json'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
level: medium
medium
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
status test author Florian Roth (Nextron Systems) id 867356ee-9352-41c9-a8f2-1be690d78216
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
status test author juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) id e593cf51-88db-4ee1-b920-37e89012a3c9
title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl:  # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
status test author @kostastsale id 0ea52357-cd59-4340-9981-c46c7e900428
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
    - https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
    - attack.execution
    - attack.command-and-control
    - attack.stealth
    - attack.t1218.011
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'oledb32.dll'
            - ',OpenDSLFile '
            - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
        CommandLine|endswith: '.udl'
    condition: all of selection_*
falsepositives:
    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
medium
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files and not PE binaries.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id ab90dab8-c7da-4010-9193-563528cfa347
title: Potentially Suspicious Self Extraction Directive File Created
id: ab90dab8-c7da-4010-9193-563528cfa347
related:
    - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
      type: derived
status: test
description: |
    Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files.
    These files are used by the "iexpress.exe" utility to create self-extracting packages.
    Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries.
    Usually ".sed" files are simple INI files and not PE binaries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_executable_detected
detection:
    selection:
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium