Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,492
medium
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
view Sigma YAML
title: Service Started/Stopped Via Wmic.EXE
id: 0b7163dc-7eee-4960-af17-c0cd517f92da
status: test
description: Detects usage of wmic to start or stop a service
references:
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-14
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains|all:
- ' service '
- ' call '
CommandLine|contains:
- 'stopservice'
- 'startservice'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Service Startup Type Change Via Wmic.EXE
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
view Sigma YAML
title: Service Startup Type Change Via Wmic.EXE
id: c0514f28-fdae-42df-b886-06e2b2bc5b37
status: experimental
description: |
Detects changes to service startup type to 'disabled' or 'manual' using the WMIC command-line utility.
references:
- https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- ' service '
- 'ChangeStartMode'
CommandLine|contains:
- 'Manual'
- 'Disabled'
condition: all of selection_*
falsepositives:
- Legitimate administrative changes to service startup types using WMIC, investigate accordingly.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_wmic_service_startup_change/info.yml
Convert to SIEM query
medium
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
view Sigma YAML
title: Service StartupType Change Via PowerShell Set-Service
id: 62b20d44-1546-4e61-afce-8e175eb9473c
status: test
description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-04
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\powershell.exe'
- OriginalFileName: 'PowerShell.EXE'
selection_cli:
CommandLine|contains|all:
- 'Set-Service'
- '-StartupType'
CommandLine|contains:
- 'Disabled'
- 'Manual'
condition: all of selection_*
falsepositives:
- False positives may occur with troubleshooting scripts
level: medium
Convert to SIEM query
medium
Service StartupType Change Via Sc.EXE
Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
view Sigma YAML
title: Service StartupType Change Via Sc.EXE
id: 85c312b7-f44d-4a51-a024-d671c40b49fc
status: test
description: Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
references:
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-03-04
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sc.exe'
- OriginalFileName: 'sc.exe'
selection_cli:
CommandLine|contains|all:
- ' config '
- 'start'
CommandLine|contains:
- 'disabled'
- 'demand'
condition: all of selection_*
falsepositives:
- False positives may occur with troubleshooting scripts
level: medium
Convert to SIEM query
medium
ServiceDll Hijack
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
view Sigma YAML
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: test
description: |
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
author: frack113
date: 2022-02-04
modified: 2024-04-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\System\'
- 'ControlSet'
- '\Services\'
TargetObject|endswith: '\Parameters\ServiceDll'
filter_main_printextensionmanger:
Details: 'C:\Windows\system32\spool\drivers\x64\3\PrintConfig.dll'
filter_main_domain_controller:
Image: 'C:\Windows\system32\lsass.exe'
TargetObject|endswith: '\Services\NTDS\Parameters\ServiceDll'
Details: '%%systemroot%%\system32\ntdsa.dll'
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
filter_optional_safetica:
Image|endswith: '\regsvr32.exe'
Details: 'C:\Windows\System32\STAgent.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Administrative scripts
- Installation of a service
level: medium
Convert to SIEM query
medium
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
view Sigma YAML
title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
- id: 17f878b8-9968-4578-b814-c4217fc5768c
type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- attack.t1546.009
logsource:
category: registry_set
product: windows
detection:
session_manager_base:
TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
session_manager:
TargetObject|contains:
- '\SetupExecute'
- '\S0InitialCommand'
- '\KnownDlls'
- '\Execute'
- '\BootExecute'
- '\AppCertDlls'
filter:
Details: '(Empty)'
condition: session_manager_base and session_manager and not filter
falsepositives:
- Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- Legitimate administrator sets up autorun keys for legitimate reason
level: medium
Convert to SIEM query
medium
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living of the land utility.
view Sigma YAML
title: Setup16.EXE Execution With Custom .Lst File
id: 99c8be4f-3087-4f9f-9c24-8c7e257b442e
status: test
description: |
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file.
These ".lst" file can contain references to external program that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living of the land utility.
references:
- https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
author: frack113
date: 2024-12-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.005
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\SysWOW64\setup16.exe'
ParentCommandLine|contains: ' -m '
filter_optional_valid_path:
Image|startswith: 'C:\~MSSETUP.T\'
condition: selection and not 1 of filter_optional_*
falsepositives:
- On modern Windows system, the "Setup16" utility is practically never used, hence false positive should be very rare.
level: medium
Convert to SIEM query
medium
Shadow Copies Creation Using Operating Systems Utilities
Shadow Copies creation using operating systems utilities, possible credential access
view Sigma YAML
title: Shadow Copies Creation Using Operating Systems Utilities
id: b17ea6f7-6e90-447e-a799-e6c0a493d6ce
status: test
description: Shadow Copies creation using operating systems utilities, possible credential access
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
author: Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2019-10-22
modified: 2022-11-10
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.002
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\wmic.exe'
- '\vssadmin.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wmic.exe'
- 'VSSADMIN.EXE'
selection_cli:
CommandLine|contains|all:
- 'shadow'
- 'create'
condition: all of selection_*
falsepositives:
- Legitimate administrator working with shadow copies, access for backup purposes
level: medium
Convert to SIEM query
medium
SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
view Sigma YAML
title: SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS
id: 48d053db-6a56-4866-b60d-0975647050ed
status: experimental
description: |
Detects access to vulnerable SharePoint components potentially being exploited in CVE-2025-53770 through IIS web server logs.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
- https://www.linkedin.com/posts/mauricefielenbach_sharepoint-incidentresponse-windowssecurity-activity-7352653907363303425-bL2f
- https://research.eye.security/sharepoint-under-siege/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
- attack.initial-access
- attack.t1190
- cve.2025-53770
- detection.emerging-threats
logsource:
category: webserver # IIS web server logs
detection:
selection_exploit_post:
cs-method: 'POST'
cs-uri-stem|contains: '/_layouts/15/ToolPane.aspx'
cs-uri-query|contains: 'DisplayMode=Edit&a=/ToolPane.aspx'
selection_exploit_get:
cs-method: 'GET'
cs-uri-stem|contains: '/_layouts/15/spinstall0.aspx'
selection_referer:
cs-referer|contains: '/_layouts/SignOut.aspx'
condition: 1 of selection_exploit_* and selection_referer
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
view Sigma YAML
title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
- https://gtfobins.github.io/gtfobins/apt/
- https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/apt'
- '/apt-get'
CommandLine|contains: 'APT::Update::Pre-Invoke::='
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
view Sigma YAML
title: Shell Process Spawned by Java.EXE
id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
related:
- id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
type: similar
status: test
description: Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
date: 2021-12-17
modified: 2024-01-18
tags:
- attack.initial-access
- attack.persistence
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_main_build:
ParentImage|contains: 'build' # excluding CI build agents
CommandLine|contains: 'build' # excluding CI build agents
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: medium
Convert to SIEM query
medium
Source Code Enumeration Detection by Keyword
Detects source code enumeration that use GET requests by keyword searches in URL strings
view Sigma YAML
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
status: test
description: Detects source code enumeration that use GET requests by keyword searches in URL strings
references:
- https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
- https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
author: James Ahearn
date: 2019-06-08
modified: 2022-10-05
tags:
- attack.discovery
- attack.t1083
logsource:
category: webserver
detection:
keywords:
- '.git/'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Spring Framework Exceptions
Detects suspicious Spring framework exceptions that could indicate exploitation attempts
view Sigma YAML
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
status: stable
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
references:
- https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
detection:
keywords:
- AccessDeniedException
- CsrfException
- InvalidCsrfTokenException
- MissingCsrfTokenException
- CookieTheftException
- InvalidCookieException
- RequestRejectedException
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
medium
Standard User In High Privileged Group
Detect standard users login that are part of high privileged groups such as the Administrator group
view Sigma YAML
title: Standard User In High Privileged Group
id: 7ac407cc-0f48-4328-aede-de1d2e6fef41
status: test
description: Detect standard users login that are part of high privileged groups such as the Administrator group
references:
- https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
- https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
- https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
author: frack113
date: 2023-01-13
modified: 2023-05-05
tags:
- attack.credential-access
- attack.privilege-escalation
logsource:
product: windows
service: lsa-server
definition: 'Requirements: Microsoft-Windows-LSA/Operational (199FE037-2B82-40A9-82AC-E1D46C792B99) Event Log must be enabled and collected in order to use this rule.'
detection:
selection:
EventID: 300
TargetUserSid|startswith: 'S-1-5-21-' # Standard user
SidList|contains:
- 'S-1-5-32-544' # Local admin
- '-500}' # Domain admin
- '-518}' # Schema admin
- '-519}' # Enterprise admin
filter_main_admin:
TargetUserSid|endswith:
- '-500' # Domain admin
- '-518' # Schema admin
- '-519' # Enterprise admin
condition: selection and not 1 of filter_main_*
falsepositives:
- Standard domain users who are part of the administrator group.
These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the "TargetUserName" field
level: medium
Convert to SIEM query
medium
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
view Sigma YAML
title: Start of NT Virtual DOS Machine
id: 16905e21-66ee-42fe-b256-1318ada2d770
status: test
description: Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
references:
- https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support
- https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7
- https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/
- https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
author: frack113
date: 2022-07-16
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\ntvdm.exe'
- '\csrstub.exe'
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Startup Folder File Write
A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
view Sigma YAML
title: Startup Folder File Write
id: 2aa0a6b4-a865-495b-ab51-c28249537b75
related:
- id: 28208707-fe31-437f-9a7f-4b1108b94d2e
type: similar
status: test
description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/12
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-12-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp'
filter_main_update:
- Image:
- 'C:\Windows\System32\wuauclt.exe'
- 'C:\Windows\uus\ARM64\wuaucltcore.exe'
- TargetFilename|startswith:
- 'C:\$WINDOWS.~BT\NewOS\'
- 'C:\$WinREAgent\Scratch\Mount\'
filter_optional_onenote:
Image|endswith: '\ONENOTE.EXE'
TargetFilename|endswith: '\Send to OneNote.lnk'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate
level: medium
Convert to SIEM query
medium
Startup/Logon Script Added to Group Policy Object
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
view Sigma YAML
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
- https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.defense-impairment
- attack.t1484.001
- attack.t1547
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection_eventid:
EventID:
- 5136
- 5145
selection_attributes_main:
AttributeLDAPDisplayName:
- 'gPCMachineExtensionNames'
- 'gPCUserExtensionNames'
AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
selection_attributes_optional:
AttributeValue|contains:
- '40B6664F-4972-11D1-A7CA-0000F87571E3'
- '40B66650-4972-11D1-A7CA-0000F87571E3'
selection_share:
ShareName|endswith: '\SYSVOL'
RelativeTargetName|endswith:
- '\scripts.ini'
- '\psscripts.ini'
AccessList|contains: '%%4417'
condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
- Legitimate execution by system administrators.
level: medium
Convert to SIEM query
medium
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
view Sigma YAML
title: Successful Authentications From Countries You Do Not Operate Out Of
id: 8c944ecb-6970-4541-8496-be554b8e2846
status: test
description: Detect successful authentications from countries you do not operate out of.
references:
- https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022-07-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
filter:
Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
condition: selection and not filter
falsepositives:
- If this was approved by System Administrator.
level: medium
Convert to SIEM query
medium
Successful IIS Shortname Fuzzing Scan
When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
view Sigma YAML
title: Successful IIS Shortname Fuzzing Scan
id: 7cb02516-6d95-4ffc-8eee-162075e111ac
status: test
description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"
references:
- https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml
- https://www.exploit-db.com/exploits/19525
- https://github.com/lijiejie/IIS_shortname_Scanner
author: frack113
date: 2021-10-06
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains: '~1'
cs-uri-query|endswith: 'a.aspx'
cs-method:
- GET
- OPTIONS
# Success only
sc-status:
- 200
- 301
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Access to Sensitive File Extensions
Detects known sensitive file extensions accessed on a network share
view Sigma YAML
title: Suspicious Access to Sensitive File Extensions
id: 91c945bc-2ad1-4799-a591-4d00198a1215
related:
- id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
type: similar
status: test
description: Detects known sensitive file extensions accessed on a network share
references:
- Internal Research
author: Samir Bousseaden
date: 2019-04-03
modified: 2025-10-17
tags:
- attack.collection
- attack.t1039
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith:
- '.bak'
- '.dmp'
- '.edb'
- '.kirbi'
- '.msg'
- '.nsf'
- '.nst'
- '.oab'
- '.ost'
- '.pst'
- '.rdp'
# - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
- Users working with these data types or exchanging message files
level: medium
Convert to SIEM query
medium
Suspicious Access to Sensitive File Extensions - Zeek
Detects known sensitive file extensions via Zeek
view Sigma YAML
title: Suspicious Access to Sensitive File Extensions - Zeek
id: 286b47ed-f6fe-40b3-b3a8-35129acd43bc
related:
- id: 91c945bc-2ad1-4799-a591-4d00198a1215
type: derived
status: test
description: Detects known sensitive file extensions via Zeek
references:
- Internal Research
author: Samir Bousseaden, @neu5ron
date: 2020-04-02
modified: 2025-10-17
tags:
- attack.collection
logsource:
product: zeek
service: smb_files
detection:
selection:
name|endswith:
- '.pst'
- '.ost'
- '.msg'
- '.nst'
- '.oab'
- '.edb'
- '.nsf'
- '.bak'
- '.dmp'
- '.kirbi'
# - '\groups.xml' # Commented out: groups.xml is accessed legitimately by Group Policy processing; high FP rate in enterprise environments
- '.rdp'
condition: selection
falsepositives:
- Help Desk operator doing backup or re-imaging end user machine or backup software
- Users working with these data types or exchanging message files
level: medium
Convert to SIEM query
medium
Suspicious Appended Extension
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
view Sigma YAML
title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
- https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
author: frack113
date: 2022-07-16
modified: 2023-11-11
tags:
- attack.impact
- attack.t1486
logsource:
product: windows
category: file_rename
definition: 'Requirements: Microsoft-Windows-Kernel-File Provider with at least the KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH keyword'
detection:
selection:
SourceFilename|endswith:
- '.doc'
- '.docx'
- '.jpeg'
- '.jpg'
- '.lnk'
- '.pdf'
- '.png'
- '.pst'
- '.rtf'
- '.xls'
- '.xlsx'
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.jpeg.'
- '.jpg.'
- '.lnk.'
- '.pdf.'
- '.png.'
- '.pst.'
- '.rtf.'
- '.xls.'
- '.xlsx.'
filter_main_generic:
TargetFilename|endswith:
# Note: Please add more used extensions by backup or recovery software
- '.backup'
- '.bak'
- '.old'
- '.orig'
- '.temp'
- '.tmp'
filter_optional_anaconda:
TargetFilename|contains: ':\ProgramData\Anaconda3\'
TargetFilename|endswith: '.c~'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Backup software
level: medium
Convert to SIEM query
medium
Suspicious Application Installed
Detects suspicious application installed by looking at the added shortcut to the app resolver cache
view Sigma YAML
title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: test
description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
references:
- https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
- attack.execution
logsource:
product: windows
service: shell-core
detection:
selection_name:
EventID: 28115
Name|contains:
# Please add more
- 'Zenmap'
- 'AnyDesk'
- 'wireshark'
- 'openvpn'
selection_packageid:
EventID: 28115
AppID|contains:
# Please add more
- 'zenmap.exe'
- 'prokzult ad' # AnyDesk
- 'wireshark'
- 'openvpn'
condition: 1 of selection_*
falsepositives:
- Packages or applications being legitimately used by users or administrators
level: medium
Convert to SIEM query
medium
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
view Sigma YAML
title: Suspicious Base64 Encoded User-Agent
id: d443095b-a221-4957-a2c4-cd1756c9b747
related:
- id: 894a8613-cf12-48b3-8e57-9085f54aa0c3
type: derived
status: test
description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
references:
- https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith:
- 'Q2hyb21l' # Chrome Encoded with offset to not include padding
- 'QXBwbGVXZWJLaX' # AppleWebKit Encoded with offset to not include padding
- 'RGFsdmlr' # Dalvik Encoded with offset to not include padding
- 'TW96aWxsY' # Mozilla Encoded with offset to not include padding (as used by YamaBot)
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Browser Child Process - MacOS
Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
view Sigma YAML
title: Suspicious Browser Child Process - MacOS
id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
status: test
description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
references:
- https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
author: Sohan G (D4rkCiph3r)
date: 2023-04-05
tags:
- attack.initial-access
- attack.execution
- attack.t1189
- attack.t1203
- attack.t1059
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|contains:
- 'com.apple.WebKit.WebContent'
- 'firefox'
- 'Google Chrome Helper'
- 'Google Chrome'
- 'Microsoft Edge'
- 'Opera'
- 'Safari'
- 'Tor Browser'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/ksh'
- '/osascript'
- '/perl'
- '/php'
- '/pwsh'
- '/python'
- '/sh'
- '/tcsh'
- '/wget'
- '/zsh'
filter_main_generic:
CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file
filter_main_ms_autoupdate:
CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility
filter_main_chrome:
ParentImage|contains:
- 'Google Chrome Helper'
- 'Google Chrome'
CommandLine|contains:
- '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser
- '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files
- '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks
filter_main_ms_edge:
ParentImage|contains: 'Microsoft Edge'
CommandLine|contains:
- 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)
- 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)
filter_main_chromerecovery:
ParentImage|contains:
- 'Google Chrome Helper'
- 'Google Chrome'
CommandLine|contains|all:
- '/Users/'
- '/Library/Application Support/Google/Chrome/recovery/'
- '/ChromeRecovery'
filter_optional_null:
# Aoids alerting for the events which do not have command-line arguments
CommandLine: null
filter_optional_empty:
# Aoids alerting for the events which do not have command-line arguments
CommandLine: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate browser install, update and recovery scripts
level: medium
Convert to SIEM query
medium
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
view Sigma YAML
title: Suspicious C2 Activities
id: f7158a64-6204-4d6d-868a-6e6378b467e0
status: test
description: |
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.
This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
references:
- https://github.com/Neo23x0/auditd
author: Marie Euler
date: 2020-05-18
modified: 2021-11-27
tags:
- attack.command-and-control
logsource:
product: linux
service: auditd
definition: |
Required auditd configuration:
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-w /usr/bin/ncat -p x -k susp_activity
-w /usr/bin/ss -p x -k susp_activity
-w /usr/bin/netstat -p x -k susp_activity
-w /usr/bin/ssh -p x -k susp_activity
-w /usr/bin/scp -p x -k susp_activity
-w /usr/bin/sftp -p x -k susp_activity
-w /usr/bin/ftp -p x -k susp_activity
-w /usr/bin/socat -p x -k susp_activity
-w /usr/bin/wireshark -p x -k susp_activity
-w /usr/bin/tshark -p x -k susp_activity
-w /usr/bin/rawshark -p x -k susp_activity
-w /usr/bin/rdesktop -p x -k susp_activity
-w /usr/local/bin/rdesktop -p x -k susp_activity
-w /usr/bin/wlfreerdp -p x -k susp_activity
-w /usr/bin/xfreerdp -p x -k susp_activity
-w /usr/local/bin/xfreerdp -p x -k susp_activity
-w /usr/bin/nmap -p x -k susp_activity
(via https://github.com/Neo23x0/auditd/blob/ddf2603dbc985f97538d102f13b4e4446b402bae/audit.rules#L336)
detection:
selection:
key: 'susp_activity'
condition: selection
falsepositives:
- Admin or User activity
level: medium
Convert to SIEM query
medium
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
view Sigma YAML
title: Suspicious Cabinet File Execution Via Msdt.EXE
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
related:
- id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
type: obsolete
status: test
description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
references:
- https://twitter.com/nas_bench/status/1537896324837781506
- https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
date: 2022-06-21
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msdt.exe'
- OriginalFileName: 'msdt.exe'
selection_cmd:
CommandLine|contains|windash: ' -cab '
condition: all of selection_*
falsepositives:
- Legitimate usage of ".diagcab" files
level: medium
Convert to SIEM query
medium
Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential
exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
view Sigma YAML
title: Suspicious Child Process of SAP NetWeaver
id: 5b304bcb-ac33-49d0-87af-fa1b3ca94333
status: experimental
description: |
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential
exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
references:
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
category: process_creation
product: windows
detection:
selection_parent_img:
ParentImage|contains:
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
selection_current_dict:
CurrentDirectory|contains:
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\mshta.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\python.exe'
condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
- Legitimate administrative activities such as software updates
level: medium
Convert to SIEM query
medium
Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential
exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
view Sigma YAML
title: Suspicious Child Process of SAP NetWeaver - Linux
id: 69dea60b-2deb-4c9e-a685-ad542f4367f9
status: experimental
description: |
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential
exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
references:
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
logsource:
category: process_creation
product: linux
detection:
selection_parent_img:
ParentImage|contains:
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
selection_current_dict:
CurrentDirectory|contains:
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work'
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root'
selection_child:
Image|endswith:
- '/ash'
- '/bash'
- '/csh'
- '/dash'
- '/ksh'
- '/sh'
- '/tcsh'
- '/zsh'
- '/python'
- '/python2'
- '/python3'
- '/perl'
- '/ruby'
- '/curl'
- '/wget'
- '/nc'
- '/netcat'
- '/ncat'
- '/socat'
- '/nmap'
- '/telnet'
- '/awk'
- '/sed'
condition: (selection_parent_img or selection_current_dict) and selection_child
falsepositives:
- Legitimate administrative activities such as software updates
level: medium
Convert to SIEM query
medium
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
view Sigma YAML
title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
- https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
- https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-10-14
modified: 2023-03-07
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\chcp.com'
CommandLine|endswith:
- ' 936' # Chinese
# - ' 1256' # Arabic
- ' 1258' # Vietnamese
# - ' 855' # Russian
# - ' 866' # Russian
# - ' 864' # Arabic
condition: selection
falsepositives:
- Administrative activity (adjust code pages according to your organization's region)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
Convert to SIEM query
medium
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
view Sigma YAML
title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: test
description: Detects relevant commands often related to malware or hacking activity
references:
- Internal Research - mostly derived from exploit code including code in MSF
author: Florian Roth (Nextron Systems)
date: 2017-12-12
modified: 2022-10-05
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
service: auditd
detection:
cmd1:
type: 'EXECVE'
a0: 'chmod'
a1: 777
cmd2:
type: 'EXECVE'
a0: 'chmod'
a1: 'u+s'
cmd3:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/ksh'
cmd4:
type: 'EXECVE'
a0: 'cp'
a1: '/bin/sh'
condition: 1 of cmd*
falsepositives:
- Admin activity
level: medium
Convert to SIEM query
medium
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
You can use it to reset the password of the local computer.
view Sigma YAML
title: Suspicious Computer Machine Password by PowerShell
id: e3818659-5016-4811-a73c-dde4679169d2
status: test
description: |
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
You can use it to reset the password of the local computer.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: frack113
date: 2022-02-21
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains: 'Reset-ComputerMachinePassword'
condition: selection
falsepositives:
- Administrator PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
view Sigma YAML
title: Suspicious Copy From or To System Directory
id: fff9d2b7-e11c-4a69-93d3-40ef66189767
related:
- id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
type: derived
status: test
description: |
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
references:
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_img_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'copy '
selection_img_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'copy-item'
- ' copy '
- 'cpi '
- ' cp '
selection_img_other:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_target:
CommandLine|re|i: \s['"]?C:\\Windows\\(?:System32|SysWOW64|WinSxS)
filter_optional_avira:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/c copy'
- '\Temp\'
- '\avira_system_speedup.exe'
CommandLine|contains:
- 'C:\Program Files\Avira\'
- 'C:\Program Files (x86)\Avira\'
condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_*
falsepositives:
- Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)
- When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2
- When the command contains the keywords but not in the correct order
level: medium
Convert to SIEM query
medium
Suspicious Creation TXT File in User Desktop
Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
view Sigma YAML
title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: test
description: |
Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks.
Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
author: frack113
date: 2021-12-26
modified: 2026-01-09
tags:
- attack.impact
- attack.t1486
- detection.threat-hunting
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\cmd.exe'
TargetFilename|contains|all:
- '\Users\'
- '\Desktop\'
TargetFilename|endswith: '.txt'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
view Sigma YAML
title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
id: 5a7132c0-86db-4e6b-95c0-f0e9d7f461aa
status: experimental
description: |
Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
- https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
author: Gene Kazimiarovich
date: 2025-04-20
tags:
- detection.emerging-threats
- attack.credential-access
- attack.t1187 # Forced Authentication
- cve.2025-24054
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.library-ms'
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\explorer.exe'
condition: selection
falsepositives:
- Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
- Custom corporate scripts that programmatically generate .library-ms Files
level: medium
Convert to SIEM query
medium
Suspicious CrushFTP Child Process
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
view Sigma YAML
title: Suspicious CrushFTP Child Process
id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
status: experimental
description: |
Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as
CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests.
The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2025-2825
- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- https://outpost24.com/blog/crushftp-auth-bypass-vulnerability/
- https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis
- https://projectdiscovery.io/blog/crushftp-authentication-bypass
author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-10
tags:
- attack.initial-access
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.t1190
- cve.2025-31161
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\crushftpservice.exe'
selection_child:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate CrushFTP administrative actions
- Software updates
level: medium
Convert to SIEM query
medium
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
view Sigma YAML
title: Suspicious Csi.exe Usage
id: 40b95d31-1afc-469e-8d34-9a3a667d058e
status: test
description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/
- https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
- https://twitter.com/Z3Jpa29z/status/1317545798981324801
author: Konstantin Grishchenko, oscd.community
date: 2020-10-17
modified: 2022-07-11
tags:
- attack.lateral-movement
- attack.execution
- attack.stealth
- attack.t1072
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\csi.exe'
- '\rcsi.exe'
- OriginalFileName:
- 'csi.exe'
- 'rcsi.exe'
selection_cli:
Company: 'Microsoft Corporation'
condition: all of selection*
falsepositives:
- Legitimate usage by software developers
level: medium
Convert to SIEM query
medium
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on linux with set useragent options
view Sigma YAML
title: Suspicious Curl Change User Agents - Linux
id: b86d356d-6093-443d-971c-9b07db583c68
related:
- id: 3286d37a-00fd-41c2-a624-a672dcd34e60
type: derived
status: test
description: Detects a suspicious curl process start on linux with set useragent options
references:
- https://curl.se/docs/manpage.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/curl'
CommandLine|contains:
- ' -A '
- ' --user-agent '
condition: selection
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: medium
Convert to SIEM query
medium
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start the adds a file to a web request
view Sigma YAML
title: Suspicious Curl File Upload - Linux
id: 00b90cc1-17ec-402c-96ad-3a8117d7a582
related:
- id: 00bca14a-df4e-4649-9054-3f2aa676bc04
type: derived
status: test
description: Detects a suspicious curl process start the adds a file to a web request
references:
- https://twitter.com/d1r4c/status/1279042657508081664
- https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file
- https://curl.se/docs/manpage.html
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric MAURUGEON (Update)
date: 2022-09-15
modified: 2023-05-02
tags:
- attack.exfiltration
- attack.command-and-control
- attack.t1567
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/curl'
selection_cli:
- CommandLine|contains:
- ' --form' # Also covers the "--form-string"
- ' --upload-file '
- ' --data '
- ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- CommandLine|re: '\s-[FTd]\s' # We use regex to ensure a case sensitive argument detection
filter_optional_localhost:
CommandLine|contains:
- '://localhost'
- '://127.0.0.1'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Scripts created by developers and admins
level: medium
Convert to SIEM query
medium
Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
view Sigma YAML
title: Suspicious DNS Query for IP Lookup Service APIs
id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
status: test
description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
references:
- https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
- https://twitter.com/neonprimetime/status/1436376497980428318
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Brandon George (blog post), Thomas Patzke
date: 2021-07-08
modified: 2024-03-22
tags:
- attack.reconnaissance
- attack.t1590
logsource:
product: windows
category: dns_query
detection:
selection:
- QueryName:
- 'www.ip.cn'
- 'l2.io'
- QueryName|contains:
- 'api.2ip.ua'
- 'api.bigdatacloud.net'
- 'api.ipify.org'
- 'bot.whatismyipaddress.com'
- 'canireachthe.net'
- 'checkip.amazonaws.com'
- 'checkip.dyndns.org'
- 'curlmyip.com'
- 'db-ip.com'
- 'edns.ip-api.com'
- 'eth0.me'
- 'freegeoip.app'
- 'geoipy.com'
- 'getip.pro'
- 'icanhazip.com'
- 'ident.me'
- 'ifconfig.io'
- 'ifconfig.me'
- 'ip-api.com'
- 'ip.360.cn'
- 'ip.anysrc.net'
- 'ip.taobao.com'
- 'ip.tyk.nu'
- 'ipaddressworld.com'
- 'ipapi.co'
- 'ipconfig.io'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipip.net'
- 'ipof.in'
- 'ipv4.icanhazip.com'
- 'ipv4bot.whatismyipaddress.com'
- 'ipv6-test.com'
- 'ipwho.is'
- 'jsonip.com'
- 'myexternalip.com'
- 'seeip.org'
- 'wgetip.com'
- 'whatismyip.akamai.com'
- 'whois.pconline.com.cn'
- 'wtfismyip.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate usage of IP lookup services such as ipify API
level: medium
Convert to SIEM query
medium
Suspicious DNS Query with B64 Encoded String
Detects suspicious DNS queries using base64 encoding
view Sigma YAML
title: Suspicious DNS Query with B64 Encoded String
id: 4153a907-2451-4e4f-a578-c52bb6881432
status: test
description: Detects suspicious DNS queries using base64 encoding
references:
- https://github.com/krmaxwell/dns-exfiltration
author: Florian Roth (Nextron Systems)
date: 2018-05-10
modified: 2022-10-09
tags:
- attack.exfiltration
- attack.t1048.003
- attack.command-and-control
- attack.t1071.004
logsource:
category: dns
detection:
selection:
query|contains: '==.'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious DNS Z Flag Bit Set
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).
Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.
Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
view Sigma YAML
title: Suspicious DNS Z Flag Bit Set
id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5
status: test
description: |
The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).
Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.
Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
references:
- https://twitter.com/neu5ron/status/1346245602502443009
- https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma
- https://tools.ietf.org/html/rfc2929#section-2.1
- https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
author: '@neu5ron, SOC Prime Team, Corelight'
date: 2021-05-04
modified: 2022-11-29
tags:
- attack.t1095
- attack.t1571
- attack.command-and-control
logsource:
product: zeek
service: dns
detection:
z_flag_unset:
Z: 0
most_probable_valid_domain:
query|contains: '.'
exclude_tlds:
query|endswith:
- '.arpa'
- '.local'
- '.ultradns.net'
- '.twtrdns.net'
- '.azuredns-prd.info'
- '.azure-dns.com'
- '.azuredns-ff.info'
- '.azuredns-ff.org'
- '.azuregov-dns.org'
exclude_query_types:
qtype_name:
- 'ns'
- 'mx'
exclude_responses:
answers|endswith: '\\x00'
exclude_netbios:
id.resp_p:
- 137
- 138
- 139
condition: not z_flag_unset and most_probable_valid_domain and not (exclude_tlds or exclude_query_types or exclude_responses or exclude_netbios)
falsepositives:
- 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.'
- 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"'
level: medium
Convert to SIEM query
medium
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
view Sigma YAML
title: Suspicious Diantz Alternate Data Stream Execution
id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
status: test
description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- diantz.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Very Possible
level: medium
Convert to SIEM query
medium
Suspicious Diantz Download and Compress Into a CAB File
Download and compress a remote file and store it in a cab file on local machine.
view Sigma YAML
title: Suspicious Diantz Download and Compress Into a CAB File
id: 185d7418-f250-42d0-b72e-0c8b70661e93
status: test
description: Download and compress a remote file and store it in a cab file on local machine.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-08-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- diantz.exe
- ' \\\\'
- '.cab'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signature
view Sigma YAML
title: Suspicious Digital Signature Of AppX Package
id: b5aa7d60-c17e-4538-97de-09029d6cd76b
status: test
description: Detects execution of AppX packages with known suspicious or malicious signature
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.execution
- attack.stealth
logsource:
product: windows
service: appxpackaging-om
detection:
selection:
EventID: 157
# Add more known suspicious/malicious certificates used in different attacks
subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Download Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files.
view Sigma YAML
title: Suspicious Download Via Certutil.EXE
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
related:
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download/info.yml
Convert to SIEM query
medium
Suspicious Driver Install by pnputil.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
view Sigma YAML
title: Suspicious Driver Install by pnputil.exe
id: a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1
status: test
description: Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax
- https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
author: Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '-i'
- '/install'
- '-a'
- '/add-driver'
- '.inf'
Image|endswith: '\pnputil.exe'
condition: selection
falsepositives:
- Pnputil.exe being used may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Convert to SIEM query
medium
Suspicious Electron Application Child Processes
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
view Sigma YAML
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
- id: 378a05d8-963c-46c9-bcce-13c7657eac99
type: similar
status: test
description: |
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
references:
- https://taggart-tech.com/quasar-electron/
- https://github.com/mttaggart/quasar
- https://positive.security/blog/ms-officecmd-rce
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
- https://lolbas-project.github.io/lolbas/Binaries/Teams/
- https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
- https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-21
modified: 2024-07-12
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more electron based app to the list
- '\chrome.exe' # Might require additional tuning
- '\discord.exe'
- '\GitHubDesktop.exe'
- '\keybase.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\msteams.exe'
- '\slack.exe'
- '\teams.exe'
# - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
selection_child_image:
Image|endswith:
# Add more suspicious/unexpected paths
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\whoami.exe'
- '\wscript.exe'
selection_child_paths:
Image|contains:
# Add more suspicious/unexpected paths
- ':\ProgramData\'
- ':\Temp\'
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
filter_optional_discord:
ParentImage|endswith: '\Discord.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains: '\NVSMI\nvidia-smi.exe'
condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
falsepositives:
- Unknown
# Increase the level once FP rate is reduced (see status)
level: medium
Convert to SIEM query
medium
Suspicious Email Delivered In Microsoft 365
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
view Sigma YAML
title: Suspicious Email Delivered In Microsoft 365
id: 3569aefd-e535-4391-8c18-24bd01a21eaf
status: experimental
description: |
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
references:
- https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
- https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
- https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.t1566.002
logsource:
service: audit
product: m365
detection:
selection:
Workload: 'ThreatIntelligence'
Operation: 'TIMailData'
Directionality: 'Inbound'
filter_main_blocked:
DeliveryAction: 'Blocked'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
view Sigma YAML
title: Suspicious Eventlog Clear
id: 0f017df3-8f5a-414f-ad6b-24aff1128278
related:
- id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
type: derived
status: test
description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
references:
- https://twitter.com/oroneequalsone/status/1568432028361830402
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-09-12
modified: 2025-10-06
tags:
- attack.defense-impairment
- attack.t1685.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
- ScriptBlockText|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- ScriptBlockText|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- ScriptBlockText|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
condition: selection
falsepositives:
- Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate
level: medium
Convert to SIEM query
Showing 1151-1200 of 1,492