Tool
SIEM
Sigma (generic) detection rules
1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,492
medium
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
view Sigma YAML
title: Suspicious Execution of InstallUtil Without Log
id: d042284c-a296-4988-9be5-f424fadcc28c
status: test
description: Uses the .NET InstallUtil.exe application in order to execute image without log
references:
- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
- https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
author: frack113
date: 2022-01-23
modified: 2022-02-04
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\InstallUtil.exe'
Image|contains: 'Microsoft.NET\Framework'
CommandLine|contains|all:
- '/logfile= '
- '/LogToConsole=false'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
view Sigma YAML
title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Commandline to launch powershell with a base64 payload
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
- ' -ec '
filter_encoding:
CommandLine|contains: ' -Encoding '
filter_azure:
ParentImage|contains:
- 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- '\gc_worker.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Execution of Shutdown
Use of the commandline to shutdown or reboot windows
view Sigma YAML
title: Suspicious Execution of Shutdown
id: 34ebb878-1b15-4895-b352-ca2eeb99b274
status: test
description: Use of the commandline to shutdown or reboot windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-01-01
tags:
- attack.impact
- attack.t1529
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\shutdown.exe'
CommandLine|contains:
- '/r '
- '/s '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
view Sigma YAML
title: Suspicious Execution of Shutdown to Log Out
id: ec290c06-9b6b-4338-8b6b-095c0f284f10
status: test
description: Detects the rare use of the command line tool shutdown to logoff a user
references:
- https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022-10-01
tags:
- attack.impact
- attack.t1529
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\shutdown.exe'
CommandLine|contains: '/l'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
view Sigma YAML
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
- https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
category: process_creation
product: macos
tags:
- attack.defense-impairment
- attack.t1566
- attack.t1566.002
- attack.initial-access
- attack.t1059
- attack.t1059.002
- attack.t1204
- attack.t1204.001
- attack.execution
- attack.persistence
- attack.t1553
detection:
selection_parent:
ParentImage|endswith: '/Script Editor'
selection_img:
- Image|endswith:
- '/curl'
- '/bash'
- '/sh'
- '/zsh'
- '/dash'
- '/fish'
- '/osascript'
- '/mktemp'
- '/chmod'
- '/php'
- '/nohup'
- '/openssl'
- '/plutil'
- '/PlistBuddy'
- '/xattr'
- '/sqlite'
- '/funzip'
- '/popen'
- Image|contains:
- 'python'
- 'perl'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
view Sigma YAML
title: Suspicious Extrac32 Alternate Data Stream Execution
id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
status: test
description: Extract data from cab file and hide it in an alternate data stream
references:
- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- extrac32.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Extrac32 Execution
Download or Copy file with Extrac32
view Sigma YAML
title: Suspicious Extrac32 Execution
id: aa8e035d-7be4-48d3-a944-102aec04400d
status: test
description: Download or Copy file with Extrac32
references:
- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-08-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_lolbas:
- CommandLine|contains: extrac32.exe
- Image|endswith: '\extrac32.exe'
- OriginalFileName: 'extrac32.exe'
selection_archive:
CommandLine|contains: '.cab'
selection_options:
CommandLine|contains:
- /C
- /Y
- ' \\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious File Characteristics Due to Missing Fields
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
view Sigma YAML
title: Suspicious File Characteristics Due to Missing Fields
id: 9637e8a5-7131-4f7f-bdc7-2b05d8670c43
status: test
description: Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
references:
- https://securelist.com/muddywater/88059/
- https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
author: Markus Neis, Sander Wiebing
date: 2018-11-22
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.006
logsource:
product: windows
category: process_creation
detection:
selection1:
Description: '\?'
FileVersion: '\?'
selection2:
Description: '\?'
Product: '\?'
selection3:
Description: '\?'
Company: '\?'
folder:
Image|contains: '\Downloads\'
condition: (selection1 or selection2 or selection3) and folder
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious File Created In PerfLogs
Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
view Sigma YAML
title: Suspicious File Created In PerfLogs
id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
status: test
description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
references:
- Internal Research
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\PerfLogs\'
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.bin'
- '.chm'
- '.dll'
- '.exe'
- '.hta'
- '.lnk'
- '.ps1'
- '.psm1'
- '.py'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.zip'
condition: selection
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
view Sigma YAML
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
- id: bd1212e5-78da-431e-95fa-c58e3237a8e6
type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
- attack.persistence
- attack.t1190
- attack.initial-access
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\w3wp.exe'
CommandLine|contains: 'MSExchange'
selection_types:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.ashx'
- '.ps1'
- '.bat'
- '.exe'
- '.dll'
- '.vbs'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
view Sigma YAML
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
- attack.persistence
- attack.t1505.003
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: file_event
detection:
# Add more suspicious processes or paths or extensions as needed
selection_susp_img:
Image|endswith:
- '\dotnet.exe'
- '\w3wp.exe'
- '\java.exe'
selection_servers:
TargetFilename|contains:
- '\apache'
- '\tomcat'
selection_path:
TargetFilename|contains: '\webapps\ROOT\'
selection_susp_extensions:
TargetFilename|endswith: '.jsp'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Files in Default GPO Folder
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
view Sigma YAML
title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
references:
- https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
- attack.stealth
- attack.t1036.005
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
TargetFilename|endswith:
- '.dll'
- '.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
view Sigma YAML
title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation
id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
related:
- id: df69cb1d-b891-4cd9-90c7-d617d90100ce
type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
- attack.command-and-control
- attack.t1132.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'FromBase64String'
- 'MemoryStream'
- 'H4sI'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Suspicious FromBase64String Usage On Gzip Archive - Ps Script
Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
view Sigma YAML
title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script
id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
type: similar
status: test
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
author: frack113
date: 2022-12-23
tags:
- attack.command-and-control
- attack.t1132.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'FromBase64String'
- 'MemoryStream'
- 'H4sI'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Suspicious Get-ADReplAccount
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
view Sigma YAML
title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://www.powershellgallery.com/packages/DSInternals
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Get-ADReplAccount
- '-All '
- '-Server '
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious Powershell code that execute COM Objects
view Sigma YAML
title: Suspicious GetTypeFromCLSID ShellExecute
id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
status: test
description: Detects suspicious Powershell code that execute COM Objects
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
author: frack113
date: 2022-04-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.015
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '::GetTypeFromCLSID('
- '.ShellExecute('
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
view Sigma YAML
title: Suspicious Git Clone
id: aef9d1f1-7396-4e92-a927-4567c7a495c1
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-10
tags:
- attack.reconnaissance
- attack.t1593.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\git.exe'
- '\git-remote-https.exe'
- OriginalFileName: 'git.exe'
selection_cli:
CommandLine|contains:
- ' clone '
- 'git-remote-https '
selection_keyword:
CommandLine|contains:
# Add more suspicious keywords
- 'exploit'
- 'Vulns'
- 'vulnerability'
- 'RemoteCodeExecution'
- 'Invoke-'
- 'CVE-'
- 'poc-'
- 'ProofOfConcept'
# Add more vuln names
- 'proxyshell'
- 'log4shell'
- 'eternalblue'
- 'eternal-blue'
- 'MS17-'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Git Clone - Linux
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
view Sigma YAML
title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-05
tags:
- attack.reconnaissance
- attack.t1593.003
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/git'
CommandLine|contains: ' clone '
selection_keyword:
CommandLine|contains:
# Add more suspicious keywords
- 'exploit'
- 'Vulns'
- 'vulnerability'
- 'RCE'
- 'RemoteCodeExecution'
- 'Invoke-'
- 'CVE-'
- 'poc-'
- 'ProofOfConcept'
# Add more vuln names
- 'proxyshell'
- 'log4shell'
- 'eternalblue'
- 'eternal-blue'
- 'MS17-'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
view Sigma YAML
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
# Covers group and localgroup flags
selection_group_root:
CommandLine|contains:
- ' group '
- ' localgroup '
selection_group_flags:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
- ' /do' # short for domain
filter_group_add:
# This filter is added to avoid the potential case where the point is not recon but addition
CommandLine|contains: ' /add'
# Covers 'accounts' flag
selection_accounts_root:
CommandLine|contains: ' accounts '
selection_accounts_flags:
CommandLine|contains: ' /do' # short for domain
condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
- Inventory tool runs
- Administrative activity
level: medium
Convert to SIEM query
medium
Suspicious History File Operations
Detects commandline operations on shell history files
view Sigma YAML
title: Suspicious History File Operations
id: 508a9374-ad52-4789-b568-fc358def2c65
status: test
description: Detects commandline operations on shell history files
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1552.003
logsource:
product: macos
category: process_creation
detection:
selection:
CommandLine|contains:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: selection
falsepositives:
- Legitimate administrative activity
- Legitimate software, cleaning hist file
level: medium
Convert to SIEM query
medium
Suspicious History File Operations - Linux
Detects commandline operations on shell history files
view Sigma YAML
title: Suspicious History File Operations - Linux
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
status: test
description: 'Detects commandline operations on shell history files'
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2022-11-28
tags:
- attack.credential-access
- attack.t1552.003
logsource:
product: linux
service: auditd
detection:
execve:
type: EXECVE
history:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: execve and history
falsepositives:
- Legitimate administrative activity
- Legitimate software, cleaning hist file
level: medium
Convert to SIEM query
medium
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection
view Sigma YAML
title: Suspicious Hyper-V Cmdlets
id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
status: test
description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
references:
- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
author: frack113
date: 2022-04-09
tags:
- attack.stealth
- attack.t1564.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- New-VM
- Set-VMFirmware
- Start-VM
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
view Sigma YAML
title: Suspicious IIS URL GlobalRules Rewrite Via AppCmd
id: 7c8af9b2-dcae-41a2-a9db-b28c288b5f08
status: test
description: Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
references:
- https://twitter.com/malmoeb/status/1616702107242971144
- https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-22
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\appcmd.exe'
- OriginalFileName: 'appcmd.exe'
selection_cli:
CommandLine|contains|all:
- 'set'
- 'config'
- 'section:system.webServer/rewrite/globalRules'
- 'commit:'
condition: all of selection_*
falsepositives:
- Legitimate usage of appcmd to add new URL rewrite rules
level: medium
Convert to SIEM query
medium
Suspicious IO.FileStream
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
view Sigma YAML
title: Suspicious IO.FileStream
id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
status: test
description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
author: frack113
date: 2022-01-09
modified: 2022-03-05
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- New-Object
- IO.FileStream
- '\\\\.\\'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
view Sigma YAML
title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
- attack.t1059
- attack.t1059.007
- attack.t1071
- attack.t1071.001
- attack.execution
- attack.command-and-control
logsource:
category: process_creation
product: macos
detection:
selection_installer:
ParentImage|endswith:
- '/package_script_service'
- '/installer'
Image|endswith:
- '/sh'
- '/bash'
- '/dash'
- '/python'
- '/ruby'
- '/perl'
- '/php'
- '/javascript'
- '/osascript'
- '/tclsh'
- '/curl'
- '/wget'
CommandLine|contains:
- 'preinstall'
- 'postinstall'
condition: selection_installer
falsepositives:
- Legitimate software uses the scripts (preinstall, postinstall)
level: medium
Convert to SIEM query
medium
Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
view Sigma YAML
title: Suspicious Invoke-Item From Mount-DiskImage
id: 902cedee-0398-4e3a-8183-6f3a89773a96
status: test
description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
- https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
author: frack113
date: 2022-02-01
tags:
- attack.defense-impairment
- attack.t1553.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Mount-DiskImage '
- '-ImagePath '
- Get-Volume
- '.DriveLetter'
- 'invoke-item '
- '):\'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Suspicious Invoke-WebRequest Execution With DirectIP
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
view Sigma YAML
title: Suspicious Invoke-WebRequest Execution With DirectIP
id: 1edff897-9146-48d2-9066-52e8d8f80a2f
status: test
description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
references:
- https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-21
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
- 'wget '
selection_ip:
# In case of FP with local IPs add additional filters
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Kerberos RC4 Ticket Encryption
Detects service ticket requests using RC4 encryption type
view Sigma YAML
title: Suspicious Kerberos RC4 Ticket Encryption
id: 496a0e47-0a33-4dca-b009-9e6ca3591f39
status: test
description: Detects service ticket requests using RC4 encryption type
references:
- https://adsecurity.org/?p=3458
- https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
author: Florian Roth (Nextron Systems)
date: 2017-02-06
modified: 2022-06-19
tags:
- attack.credential-access
- attack.t1558.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4769
TicketOptions: '0x40810000'
TicketEncryptionType: '0x17'
reduction:
ServiceName|endswith: '$'
condition: selection and not reduction
falsepositives:
- Service accounts used on legacy systems (e.g. NetApp)
- Windows Domains with DFL 2003 and legacy systems
level: medium
Convert to SIEM query
medium
Suspicious Keyboard Layout Load
Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
view Sigma YAML
title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth (Nextron Systems)
date: 2019-10-12
modified: 2023-08-17
tags:
- attack.resource-development
- attack.t1588.002
logsource:
category: registry_set
product: windows
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
selection_registry:
TargetObject|contains:
- '\Keyboard Layout\Preload\'
- '\Keyboard Layout\Substitutes\'
Details|contains:
- 00000429 # Persian (Iran)
- 00050429 # Persian (Iran)
- 0000042a # Vietnamese
condition: selection_registry
falsepositives:
- Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
level: medium
Convert to SIEM query
medium
Suspicious LNK Double Extension File Created
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
view Sigma YAML
title: Suspicious LNK Double Extension File Created
id: 3215aa19-f060-4332-86d5-5602511f3ca8
related:
- id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
type: derived
status: test
description: |
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
references:
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
- https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
- https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
- https://twitter.com/malwrhunterteam/status/1235135745611960321
- https://twitter.com/luc4m/status/1073181154126254080
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-11-07
modified: 2023-10-18
tags:
- attack.stealth
- attack.t1036.007
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.lnk'
TargetFilename|contains:
- '.doc.'
- '.docx.'
- '.jpg.'
- '.pdf.'
- '.ppt.'
- '.pptx.'
- '.xls.'
- '.xlsx.'
filter_main_recent:
TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Recent\'
filter_optional_office_recent:
Image|endswith:
# Note: Some additional office application might need to be added
- '\excel.exe'
- '\powerpnt.exe'
- '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Office\Recent\'
filter_optional_office_excel:
Image|endswith: '\excel.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Excel'
filter_optional_office_powerpoint:
Image|endswith: '\powerpnt.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\PowerPoint'
filter_optional_office_word:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Roaming\Microsoft\Word'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some tuning is required for other general purpose directories of third party apps
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension/info.yml
Convert to SIEM query
medium
Suspicious Log Entries
Detects suspicious log entries in Linux log files
view Sigma YAML
title: Suspicious Log Entries
id: f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1
status: test
description: Detects suspicious log entries in Linux log files
references:
- https://github.com/ossec/ossec-hids/blob/f6502012b7380208db81f82311ad4a1994d39905/etc/rules/syslog_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-25
modified: 2021-11-27
tags:
- attack.impact
logsource:
product: linux
detection:
keywords:
# Generic suspicious log lines
- 'entered promiscuous mode'
# OSSEC https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
- 'Deactivating service'
- 'Oversized packet received from'
- 'imuxsock begins to drop messages'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Login Activity Classified By Google
Detects Google Workspace login activity that's classified as suspicious by Google.
view Sigma YAML
title: Suspicious Login Activity Classified By Google
id: 38360161-76c4-4283-842e-efcf997dafc8
status: experimental
description: Detects Google Workspace login activity that's classified as suspicious by Google.
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging
- https://cloud.google.com/logging/docs/audit/understanding-audit-logs
- https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login
- https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_login_less_secure_app
- https://developers.google.com/workspace/admin/reports/v1/appendix/activity/login#suspicious_programmatic_login
author: Tom Kluter
date: 2026-04-28
tags:
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1078.004
logsource:
product: gcp
service: google_workspace.login
detection:
selection:
protoPayload.Servicename: 'login.googleapis.com'
protoPayload.metadata.event.eventName:
- 'suspicious_login_less_secure_app'
- 'suspicious_login'
- 'suspicious_programmatic_login'
condition: selection
falsepositives:
- Legitimate logins
level: medium
Convert to SIEM query
medium
Suspicious MacOS Firmware Activity
Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
view Sigma YAML
title: Suspicious MacOS Firmware Activity
id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
status: test
description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
references:
- https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
- https://www.manpagez.com/man/8/firmwarepasswd/
- https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
author: Austin Songer @austinsonger
date: 2021-09-30
modified: 2022-10-09
tags:
- attack.impact
logsource:
category: process_creation
product: macos
detection:
selection1:
Image: '/usr/sbin/firmwarepasswd'
CommandLine|contains:
- 'setpasswd'
- 'full'
- 'delete'
- 'check'
condition: selection1
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
view Sigma YAML
title: Suspicious Msbuild Execution By Uncommon Parent Process
id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
status: test
description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
references:
- https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
- https://www.echotrail.io/insights/search/msbuild.exe
author: frack113
date: 2022-11-17
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\MSBuild.exe'
- OriginalFileName: 'MSBuild.exe'
filter_parent:
ParentImage|endswith:
- '\devenv.exe'
- '\cmd.exe'
- '\msbuild.exe'
- '\python.exe'
- '\explorer.exe'
- '\nuget.exe'
condition: selection and not filter_parent
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
view Sigma YAML
title: Suspicious MsiExec Embedding Parent
id: 4a2a2c3e-209f-4d01-b513-4155a540b469
status: test
description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022-04-16
modified: 2022-07-14
tags:
- attack.stealth
- attack.t1218.007
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
ParentCommandLine|contains|all:
- 'MsiExec.exe'
- '-Embedding '
filter_splunk_ufw:
Image|endswith: ':\Windows\System32\cmd.exe'
CommandLine|contains: 'C:\Program Files\SplunkUniversalForwarder\bin\'
filter_vs:
- CommandLine|contains: '\DismFoDInstall.cmd'
- ParentCommandLine|contains|all:
- '\MsiExec.exe -Embedding '
- 'Global\MSI0000'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
view Sigma YAML
title: Suspicious Msiexec Execute Arbitrary DLL
id: 6f4191bb-912b-48a8-9ce7-682769541e6d
status: test
description: |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
- https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022-01-16
modified: 2026-01-09
tags:
- attack.stealth
- attack.t1218.007
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msiexec.exe'
CommandLine|contains|windash: ' /Y'
filter_main_legit_path:
CommandLine|contains:
- '\MsiExec.exe" /Y "C:\Program Files\'
- '\MsiExec.exe" /Y "C:\Program Files (x86)\'
- '\MsiExec.exe" /Y "C:\Windows\System32\'
- '\MsiExec.exe" /Y "C:\Windows\SysWOW64\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate script
level: medium
Convert to SIEM query
medium
Suspicious Msiexec Quiet Install From Remote Location
Detects usage of Msiexec.exe to install packages hosted remotely quietly
view Sigma YAML
title: Suspicious Msiexec Quiet Install From Remote Location
id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
related:
- id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
type: similar
status: test
description: Detects usage of Msiexec.exe to install packages hosted remotely quietly
references:
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-28
modified: 2025-10-07
tags:
- attack.stealth
- attack.t1218.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\msiexec.exe'
- OriginalFileName: 'msiexec.exe'
selection_cli:
# Note that there is no space before and after the arguments because it's possible to write a commandline as such
# Example: msiexec -q/i [MSI Package]
CommandLine|contains|windash:
- '-i'
- '-package'
- '-a'
- '-j'
selection_quiet:
CommandLine|contains|windash: '-q'
selection_remote:
CommandLine|contains:
- 'http'
- '\\\\'
filter_optional_openoffice:
CommandLine|contains|all:
- '\AppData\Local\Temp\OpenOffice'
- 'Installation Files\openoffice'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Network Connection to IP Lookup Service APIs
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
view Sigma YAML
title: Suspicious Network Connection to IP Lookup Service APIs
id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-24
modified: 2024-03-22
tags:
- attack.discovery
- attack.t1016
logsource:
category: network_connection
product: windows
detection:
selection:
- DestinationHostname:
- 'www.ip.cn'
- 'l2.io'
- DestinationHostname|contains:
- 'api.2ip.ua'
- 'api.bigdatacloud.net'
- 'api.ipify.org'
- 'bot.whatismyipaddress.com'
- 'canireachthe.net'
- 'checkip.amazonaws.com'
- 'checkip.dyndns.org'
- 'curlmyip.com'
- 'db-ip.com'
- 'edns.ip-api.com'
- 'eth0.me'
- 'freegeoip.app'
- 'geoipy.com'
- 'getip.pro'
- 'icanhazip.com'
- 'ident.me'
- 'ifconfig.io'
- 'ifconfig.me'
- 'ip-api.com'
- 'ip.360.cn'
- 'ip.anysrc.net'
- 'ip.taobao.com'
- 'ip.tyk.nu'
- 'ipaddressworld.com'
- 'ipapi.co'
- 'ipconfig.io'
- 'ipecho.net'
- 'ipinfo.io'
- 'ipip.net'
- 'ipof.in'
- 'ipv4.icanhazip.com'
- 'ipv4bot.whatismyipaddress.com'
- 'ipv6-test.com'
- 'ipwho.is'
- 'jsonip.com'
- 'myexternalip.com'
- 'seeip.org'
- 'wgetip.com'
- 'whatismyip.akamai.com'
- 'whois.pconline.com.cn'
- 'wtfismyip.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Legitimate use of the external websites for troubleshooting or network monitoring
level: medium
Convert to SIEM query
medium
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
view Sigma YAML
title: Suspicious New Instance Of An Office COM Object
id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28
status: test
description: |
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
references:
- https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic
- https://github.com/med0x2e/vba2clr
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-13
modified: 2023-12-19
tags:
- attack.execution
- detection.threat-hunting
- attack.stealth
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\svchost.exe'
Image|endswith:
- '\eqnedt32.exe'
- '\excel.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\powerpnt.exe'
- '\visio.exe'
- '\winword.exe'
condition: selection
falsepositives:
- Legitimate usage of office automation via scripting
level: medium
Convert to SIEM query
medium
Suspicious New-PSDrive to Admin Share
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
view Sigma YAML
title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
status: test
description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
author: frack113
date: 2022-08-13
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-PSDrive'
- '-psprovider '
- 'filesystem'
- '-root '
- '\\\\'
- '$'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Non PowerShell WSMAN COM Provider
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
view Sigma YAML
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-22
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.003
logsource:
product: windows
service: powershell-classic
detection:
selection:
Data|contains: 'ProviderName=WSMan'
filter_main_ps:
Data|contains:
- 'HostApplication=powershell'
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
filter_optional_hexnode:
Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Non-Browser Network Communication With Google API
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
view Sigma YAML
title: Suspicious Non-Browser Network Communication With Google API
id: 7e9cf7b6-e827-11ed-a05b-0242ac120003
status: experimental
description: |
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
references:
- https://github.com/looCiprian/GC2-sheet
- https://youtu.be/n2dFlSaBBKo
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf
- https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/
- https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
author: Gavin Knapp
date: 2023-05-01
modified: 2025-02-22
tags:
- attack.command-and-control
- attack.t1102
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationHostname|contains:
# Note: Please add additional google API related domains that might be abused.
- 'drive.googleapis.com'
- 'oauth2.googleapis.com'
- 'sheets.googleapis.com'
- 'www.googleapis.com'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image|endswith:
- ':\Program Files\Google\Chrome\Application\chrome.exe'
- ':\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_google_drive:
Image|contains: ':\Program Files\Google\Drive File Stream\'
Image|endswith: '\GoogleDriveFS.exe'
filter_optional_firefox:
Image|endswith:
- ':\Program Files\Mozilla Firefox\firefox.exe'
- ':\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image|endswith:
- ':\Program Files (x86)\Internet Explorer\iexplore.exe'
- ':\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|contains: ':\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith:
- ':\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- ':\Program Files\Microsoft\Edge\Application\msedge.exe'
- '\WindowsApps\MicrosoftEdge.exe'
filter_optional_edge_2:
Image|contains:
- ':\Program Files (x86)\Microsoft\EdgeCore\'
- ':\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
filter_optional_googleupdate:
Image|endswith: '\GoogleUpdate.exe'
filter_optional_outlook_exe:
Image|endswith: '\outlook.exe'
filter_main_null:
Image: null
filter_main_empty:
Image: ''
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications communicating with the "googleapis.com" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning.
level: medium
Convert to SIEM query
medium
Suspicious Non-Browser Network Communication With Telegram API
Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
view Sigma YAML
title: Suspicious Non-Browser Network Communication With Telegram API
id: c3dbbc9f-ef1d-470a-a90a-d343448d5875
status: test
description: Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
- attack.command-and-control
- attack.exfiltration
- attack.t1102
- attack.t1567
- attack.t1105
logsource:
product: windows
category: network_connection
detection:
selection:
DestinationHostname|contains: 'api.telegram.org'
# Other browsers or apps known to use telegram should be added
# TODO: Add full paths for default install locations
filter_main_brave:
Image|endswith: '\brave.exe'
filter_main_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_main_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_main_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_main_maxthon:
Image|endswith: '\maxthon.exe'
filter_main_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_main_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_main_opera:
Image|endswith: '\opera.exe'
filter_main_safari:
Image|endswith: '\safari.exe'
filter_main_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_main_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_main_whale:
Image|endswith: '\whale.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications communicating with the Telegram API e.g. web browsers not in the exclusion list, app with an RSS etc.
level: medium
Convert to SIEM query
medium
Suspicious OAuth App File Download Activities
Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
view Sigma YAML
title: Suspicious OAuth App File Download Activities
id: ee111937-1fe7-40f0-962a-0eb44d57d174
status: test
description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
references:
- https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
- https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
author: Austin Songer @austinsonger
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.exfiltration
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'Suspicious OAuth app file download activities'
status: success
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious OpenSSH Daemon Error
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
view Sigma YAML
title: Suspicious OpenSSH Daemon Error
id: e76b413a-83d0-4b94-8e4c-85db4a5b8bdc
status: test
description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c
- https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-06-30
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1190
logsource:
product: linux
service: sshd
detection:
keywords:
- 'unexpected internal error'
- 'unknown or unsupported key type'
- 'invalid certificate signing key'
- 'invalid elliptic curve value'
- 'incorrect signature'
- 'error in libcrypto'
- 'unexpected bytes remain after decoding'
- 'fatal: buffer_get_string: bad string'
- 'Local: crc32 compensation attack'
- 'bad client public DH value'
- 'Corrupted MAC on input'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Suspicious Outbound SMTP Connections
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
view Sigma YAML
title: Suspicious Outbound SMTP Connections
id: 9976fa64-2804-423c-8a5b-646ade840773
status: test
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
date: 2022-01-07
modified: 2022-09-21
tags:
- attack.exfiltration
- attack.t1048.003
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 25
- 587
- 465
- 2525
Initiated: 'true'
filter_clients:
Image|endswith:
- \thunderbird.exe
- \outlook.exe
filter_mailserver:
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
filter_outlook:
Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_'
Image|endswith: '\HxTsr.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Other SMTP tools
level: medium
Convert to SIEM query
medium
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
view Sigma YAML
title: Suspicious PROCEXP152.sys File Created In TMP
id: 3da70954-0f2c-4103-adff-b7440368f50e
status: test
description: |
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
references:
- https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2022-11-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: 'PROCEXP152.sys'
filter:
Image|contains:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
condition: selection and not filter
falsepositives:
- Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
level: medium
Convert to SIEM query
medium
Suspicious Package Installed - Linux
Detects installation of suspicious packages using system installation utilities
view Sigma YAML
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2026-01-01
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: linux
category: process_creation
detection:
selection_tool_apt:
Image|endswith:
- '/apt'
- '/apt-get'
CommandLine|contains: 'install'
selection_tool_yum:
Image|endswith: '/yum'
CommandLine|contains:
- 'localinstall'
- 'install'
selection_tool_rpm:
Image|endswith: '/rpm'
CommandLine|contains: '-i'
selection_tool_dpkg:
Image|endswith: '/dpkg'
CommandLine|contains:
- '--install'
- '-i'
selection_keyword:
CommandLine|contains:
# Add more suspicious packages
- 'nmap'
- ' nc'
- 'netcat'
- 'wireshark'
- 'tshark'
- 'openconnect'
- 'proxychains'
- 'socat'
condition: 1 of selection_tool_* and selection_keyword
falsepositives:
- Legitimate administration activities
level: medium
Convert to SIEM query
medium
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command
view Sigma YAML
title: Suspicious PowerShell Download - PoshModule
id: de41232e-12e8-49fa-86bc-c05c7e722df9
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: test
description: Detects suspicious PowerShell download command
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-01-20
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_webclient_:
ContextInfo|contains: 'System.Net.WebClient'
selection_function:
ContextInfo|contains:
- '.DownloadFile('
- '.DownloadString('
condition: all of selection_*
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
Convert to SIEM query
medium
Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
view Sigma YAML
title: Suspicious PowerShell Download - Powershell Script
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: test
description: Detects suspicious PowerShell download command
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
webclient:
ScriptBlockText|contains: 'System.Net.WebClient'
download:
ScriptBlockText|contains:
- '.DownloadFile('
- '.DownloadFileAsync('
- '.DownloadString('
- '.DownloadStringAsync('
condition: webclient and download
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
Convert to SIEM query
Showing 1201-1250 of 1,492