Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 3,750
high
Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
view Sigma YAML
title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
id: e99375eb-3ee0-407a-9f90-79569cc6a01c
status: experimental
description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
references:
- https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
author: Arda Buyukkaya (EclecticIQ)
date: 2025-02-11
tags:
- attack.execution
- attack.command-and-control
- attack.t1090
- attack.t1573
- attack.t1071.001
- attack.t1059.001
- attack.s0183
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\curl.exe'
selection_socks:
CommandLine|contains:
- 'socks5h://'
- 'socks5://'
- 'socks4a://'
selection_onion:
CommandLine|contains: '.onion'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
view Sigma YAML
title: Kapeka Backdoor Autorun Persistence
id: c0c67b21-eb8a-4c84-a395-40473ec3b482
related:
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
type: similar
status: test
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
TargetObject|endswith:
- '\Sens Api'
- '\OneDrive'
Details|contains|all:
- ':\WINDOWS\system32\rundll32.exe'
- '.wll'
- '#1'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Kapeka Backdoor Execution Via RunDLL32.EXE
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
view Sigma YAML
title: Kapeka Backdoor Execution Via RunDLL32.EXE
id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
status: test
description: |
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-03
tags:
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_backdoor_path:
CommandLine|contains:
- ':\ProgramData'
- '\AppData\Local'
selection_backdoor_exec_1:
CommandLine|contains|all:
- '.wll'
- '#1'
- ' -d'
selection_backdoor_exec_2:
# This account for the in the wild variant
CommandLine|contains: '.wll'
CommandLine|endswith: '#1'
condition: selection_img and selection_backdoor_path and 1 of selection_backdoor_exec_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Kapeka Backdoor Loaded Via Rundll32.EXE
Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
view Sigma YAML
title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: test
description: |
Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.execution
- attack.stealth
- attack.t1204.002
- attack.t1218.011
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
ImageLoaded|contains:
- ':\ProgramData'
- '\AppData\Local\'
ImageLoaded|re: '[a-zA-Z]{5,6}\.wll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity.
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
view Sigma YAML
title: Kapeka Backdoor Persistence Activity
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
status: test
description: |
Detects Kapeka backdoor persistence activity.
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM.
To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
references:
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1053.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_schtasks_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_schtasks_flags:
CommandLine|contains|all:
- 'create'
- 'ONSTART'
selection_reg_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_reg_flags:
CommandLine|contains|all:
- 'add'
- '\Software\Microsoft\Windows\CurrentVersion\Run'
selection_backdoor_command:
CommandLine|contains|all:
- 'rundll32'
- '.wll'
- '#1'
CommandLine|contains:
- 'Sens Api'
- 'OneDrive' # The scheduled task was called "OneDrive" instead of "Sens Api" in some cases
condition: (all of selection_schtasks_* or all of selection_reg_*) and selection_backdoor_command
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
view Sigma YAML
title: Kapeka Backdoor Scheduled Task Creation
id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
related:
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
type: similar
status: test
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
- https://labs.withsecure.com/publications/kapeka
- https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
- https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
author: Swachchhanda Shrawan Poudel
date: 2024-07-03
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.t1053.005
- detection.emerging-threats
logsource:
product: windows
service: security
definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to trigger this detection.'
detection:
selection_eid:
EventID: 4698
selection_paths:
TaskContent|contains:
- ':\ProgramData\'
- '\AppData\Local\'
selection_command:
TaskContent|contains|all:
- 'rundll32'
- '.wll'
- '#1'
selection_taskname:
TaskContent|contains:
- 'OneDrive' # The scheduled task was called “OneDrive” instead of “Sens Api” in some cases
- 'Sens Api'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
view Sigma YAML
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
# Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
- '/systemctl'
- '/bash'
- '/sh'
CommandLine|contains|all:
- 'stop'
- 'kesl'
condition: selection
falsepositives:
- System administrator manually stopping Kaspersky services
level: high
Convert to SIEM query
high
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs are very likely to be malicious.
view Sigma YAML
title: Katz Stealer DLL Loaded
id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
status: experimental
description: |
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs are very likely to be malicious.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.execution
- attack.t1129
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\katz_ontop.dll'
- '\AppData\Local\Temp\received_dll.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Katz Stealer Suspicious User-Agent
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
view Sigma YAML
title: Katz Stealer Suspicious User-Agent
id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
status: experimental
description: |
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.001
- detection.emerging-threats
logsource:
product: zeek
service: http
detection:
selection:
user_agent|contains: 'katz-ontop'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
view Sigma YAML
title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
- https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: ' run run-cmd '
filter_main_legit_parents:
ParentImage|endswith:
- '\cleanapi.exe' # When launched from KES installer
- '\kavremover.exe' # When launched from kavremover.exe
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
view Sigma YAML
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
- attack.credential-access
- attack.t1212
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 675
- 4768
- 4769
- 4771
Status:
- '0x9'
- '0xA'
- '0xB'
- '0xF'
- '0x10'
- '0x11'
- '0x13'
- '0x14'
- '0x1A'
- '0x1F'
- '0x21'
- '0x22'
- '0x23'
- '0x24'
- '0x26'
- '0x27'
- '0x28'
- '0x29'
- '0x2C'
- '0x2D'
- '0x2E'
- '0x2F'
- '0x31'
- '0x32'
- '0x3E'
- '0x3F'
- '0x40'
- '0x41'
- '0x43'
- '0x44'
condition: selection
falsepositives:
- Faulty legacy applications
level: high
Convert to SIEM query
high
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
view Sigma YAML
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
- https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
- https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\livekd.exe'
- '\livekd64.exe'
- OriginalFileName: 'livekd.exe'
selection_cli:
CommandLine|contains|windash: ' -m'
condition: all of selection_*
falsepositives:
- Unlikely in production environment
level: high
Convert to SIEM query
high
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
view Sigma YAML
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
- https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName: 'KrbSCM'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
view Sigma YAML
title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
- id: fff9d2b7-e11c-4a69-93d3-40ef66189767
type: derived
status: test
description: |
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
- https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
- https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_tools_cmd:
Image|endswith: '\cmd.exe'
CommandLine|contains: 'copy '
selection_tools_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'copy-item'
- ' copy '
- 'cpi '
- ' cp '
selection_tools_other:
- Image|endswith:
- '\robocopy.exe'
- '\xcopy.exe'
- OriginalFileName:
- 'robocopy.exe'
- 'XCOPY.EXE'
selection_target_path:
CommandLine|contains:
- '\System32'
- '\SysWOW64'
- '\WinSxS'
selection_target_lolbin:
CommandLine|contains:
# Note: add more binaries to increase coverage
- '\bitsadmin.exe'
- '\calc.exe'
- '\certutil.exe'
- '\cmdl32.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\wscript.exe'
- '\ie4uinit.exe'
condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
LPE InstallerFileTakeOver PoC CVE-2021-41379
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
view Sigma YAML
title: LPE InstallerFileTakeOver PoC CVE-2021-41379
id: 7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8
status: test
description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
references:
- https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2022-07-12
tags:
- attack.initial-access
- attack.t1190
- detection.emerging-threats
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID: 1033
Provider_Name: 'MsiInstaller'
Data|contains: 'test pkg'
condition: selection
falsepositives:
- Other MSI packages for which your admins have used that name
level: high
Convert to SIEM query
high
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
view Sigma YAML
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
selection:
EventID: 1121
Path|endswith: '\lsass.exe'
filter_thor:
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
ProcessName|endswith:
- '\thor64.exe'
- '\thor.exe'
filter_exact:
ProcessName:
- 'C:\Windows\System32\atiesrxx.exe'
- 'C:\Windows\System32\CompatTelRunner.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\nvwmi64.exe'
- 'C:\Windows\System32\svchost.exe'
- 'C:\Windows\System32\Taskmgr.exe'
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_begins:
ProcessName|startswith:
- 'C:\Windows\System32\DriverStore\'
- 'C:\WINDOWS\Installer\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_*
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
level: high
Convert to SIEM query
high
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
view Sigma YAML
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
- https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith:
- '\TrolleyExpress.exe' # Citrix
- '\ProcessDump.exe' # Cisco Jabber
- '\dump64.exe' # Visual Studio
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
view Sigma YAML
title: LSASS Crash Via Netlogon Stack Buffer Overflow - CVE-2026-41089
id: f8a66a02-4a16-46e5-b7fd-a42c8a93d137
status: experimental
description: |
Detects a crash of the LSASS process where netlogon.dll is the faulting module and the exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409).
This crash, especially on Domain Controllers, might indicate the exploitation of CVE-2026-41089, a denial of service (DoS) vulnerability,
which exists in the Netlogon component of Windows and can be triggered by sending specially crafted requests to the Netlogon service,
leading to a stack-based buffer overflow and subsequent crash of the LSASS process.
references:
- https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/
- https://learn.microsoft.com/en-us/shows/inside/c0000409
- https://github.com/p3Nt3st3r-sTAr/CVE-2026-41089
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-06-02
tags:
- attack.impact
- attack.t1499
- cve.2026-41089
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ModuleName: 'netlogon.dll'
ExceptionCode: 'c0000409' # STATUS_STACK_BUFFER_OVERRUN
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
view Sigma YAML
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
- id: a5a2d357-1ab8-4675-a967-ef9990a59391
type: derived
status: test
description: |
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
- https://github.com/Hackndo/lsassy
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|contains:
- 'lsass.dmp'
- 'lsass.zip'
- 'lsass.rar'
- 'Andrew.dmp'
- 'Coredump.dmp'
- 'NotLSASS.zip' # https://github.com/CCob/MirrorDump
- 'lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- 'lsassdump'
- 'lsassdmp'
- CommandLine|contains|all:
- 'lsass'
- '.dmp'
- CommandLine|contains|all:
- 'SQLDmpr'
- '.mdmp'
- CommandLine|contains|all:
- 'nanodump'
- '.dmp'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
view Sigma YAML
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
- https://twitter.com/_xpn_/status/1491557187168178176
- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|contains: 'dump'
GrantedAccess|endswith:
- '10'
- '30'
- '50'
- '70'
- '90'
- 'B0'
- 'D0'
- 'F0'
- '18'
- '38'
- '58'
- '78'
- '98'
- 'B8'
- 'D8'
- 'F8'
- '1A'
- '3A'
- '5A'
- '7A'
- '9A'
- 'BA'
- 'DA'
- 'FA'
- '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
- 'FF'
condition: selection
falsepositives:
- Rare programs that contain the word dump in their name and access lsass
level: high
Convert to SIEM query
high
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
view Sigma YAML
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Application Error'
EventID: 1000
AppName: 'lsass.exe'
ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
condition: selection
falsepositives:
- Rare legitimate crashing of the lsass process
level: high
Convert to SIEM query
high
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
view Sigma YAML
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
Convert to SIEM query
high
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
view Sigma YAML
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- ':\Windows\system32\taskmgr.exe'
- ':\Windows\SysWOW64\taskmgr.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '\lsass'
- '.DMP'
condition: selection
falsepositives:
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
Convert to SIEM query
high
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
view Sigma YAML
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsolete
- id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
- https://www.google.com/search?q=procdump+lsass
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_1:
TargetFilename|endswith:
- '\Andrew.dmp'
- '\Coredump.dmp'
- '\lsass.dmp'
- '\lsass.rar'
- '\lsass.zip'
- '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
- '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
- '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
selection_2:
TargetFilename|contains:
- '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- '\lsassdmp'
- '\lsassdump'
selection_3:
TargetFilename|contains|all:
- '\lsass'
- '.dmp'
selection_4:
TargetFilename|contains: 'SQLDmpr'
TargetFilename|endswith: '.mdmp'
selection_5:
TargetFilename|contains:
- '\nanodump'
- '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
TargetFilename|endswith: '.dmp'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
view Sigma YAML
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_findstr_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_findstr_cli:
CommandLine|contains: 'lsass'
selection_special:
CommandLine|contains|windash:
- ' /i "lsass'
- ' /i lsass.exe'
- 'findstr "lsass'
- 'findstr lsass'
- 'findstr.exe "lsass'
- 'findstr.exe lsass'
condition: all of selection_findstr_* or selection_special
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
Convert to SIEM query
high
Lace Tempest Cobalt Strike Download
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
view Sigma YAML
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(
- /a')
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lace Tempest File Indicators
Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
view Sigma YAML
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
- TargetFilename|endswith:
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
- ':\Program Files\SysAidServer\tomcat\webapps\usersfiles.war'
- ':\Program Files\SysAidServer\tomcat\webapps\leave'
- TargetFilename|contains: ':\Program Files\SysAidServer\tomcat\webapps\user.'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lace Tempest Malware Loader Execution
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
view Sigma YAML
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: ':\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe'
selection_hash:
Hashes|contains: 'SHA256=B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lace Tempest PowerShell Evidence Eraser
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
view Sigma YAML
title: Lace Tempest PowerShell Evidence Eraser
id: b377ddab-502d-4519-9e8c-5590033d2d70
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'cleanLL'
- 'usersfiles.war'
- 'Remove-Item -Path "$tomcat_dir'
- 'SysAidServer'
- 'sleep '
- 'while(1)'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lace Tempest PowerShell Launcher
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
view Sigma YAML
title: Lace Tempest PowerShell Launcher
id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-09
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '\SysAidServer\tomcat\webapps'
- 'Starting user.exe'
- '\usersfiles\user.exe'
- 'Remove-Item -Force "$wapps'
- '(Sophos).'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
view Sigma YAML
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: test
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
- https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
author: Thurein Oo, Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
- attack.g0032
- detection.emerging-threats
logsource:
product: windows
category: image_load
detection:
selection_mscoree:
Image: 'C:\ProgramShared\PresentationHost.exe'
ImageLoaded: ':\ProgramShared\mscoree.dll'
selection_colorui:
Image: 'C:\ProgramData\Adobe\colorcpl.exe'
ImageLoaded: 'C:\ProgramData\Adobe\colorui.dll'
selection_mapistub:
Image: 'C:\ProgramData\Oracle\Java\fixmapi.exe'
ImageLoaded: 'C:\ProgramData\Oracle\Java\mapistub.dll'
selection_hid:
Image: 'C:\ProgramData\Adobe\ARM\tabcal.exe'
ImageLoaded: 'C:\ProgramData\Adobe\ARM\HID.dll'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
view Sigma YAML
title: Lazarus System Binary Masquerading
id: 3f7f5b0b-5b16-476c-a85f-ab477f6dd24b
status: test
description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
references:
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
author: Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)
date: 2020-06-03
modified: 2023-03-10
tags:
- attack.stealth
- attack.t1036.005
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\msdtc.exe'
- '\gpsvc.exe'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
view Sigma YAML
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables
- \winword.exe
- \excel.exe
- \powerpnt.exe
- \msaccess.exe
- \mspub.exe
- \eqnedt32.exe
- \visio.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- \finger.exe
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- \notepad.exe
- \AcroRd32.exe
- \RdrCEF.exe
- \mshta.exe
- \hh.exe
TargetFilename|endswith:
- '.zip'
- '.rar'
- '.7z'
- '.diagcab'
- '.appx'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
view Sigma YAML
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.exe'
- '.dll'
- '.ocx'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
view Sigma YAML
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
- https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- \eqnedt32.exe
- \wordpad.exe
- \wordview.exe
# LOLBINs that can be used to download executables
- \certutil.exe
- \certoc.exe
- \CertReq.exe
# - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
- \Desktopimgdownldr.exe
- \esentutl.exe
# - \expand.exe
- '\mshta.exe'
# Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
- '\AcroRd32.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
TargetFilename|endswith:
- '.ps1'
- '.bat'
- '.vbs'
- '.scf'
- '.wsf'
- '.wsh'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
view Sigma YAML
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
- id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
type: similar
status: experimental
description: |
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: file_event
detection:
selection_img:
Image|endswith:
# Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
- '\eqnedt32.exe'
- '\wordpad.exe'
- '\wordview.exe'
# LOLBINs that can be used to download executables
- '\cmdl32.exe'
- '\certutil.exe'
- '\certoc.exe'
- '\CertReq.exe'
- '\bitsadmin.exe'
- '\Desktopimgdownldr.exe'
- '\esentutl.exe'
- '\expand.exe'
- '\extrac32.exe'
- '\replace.exe'
- '\mshta.exe'
- '\ftp.exe'
- '\Ldifde.exe'
- '\RdrCEF.exe'
- '\hh.exe'
- '\finger.exe'
- '\findstr.exe'
selection_locations:
TargetFilename|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
Convert to SIEM query
high
Linux Command History Tampering
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
view Sigma YAML
title: Linux Command History Tampering
id: fdc88d25-96fb-4b7c-9633-c0e417fdbd4e
status: test
description: |
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
- https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
- https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
author: Patrick Bareiss
date: 2019-03-24
modified: 2024-04-17
tags:
- attack.stealth
- attack.t1070.003
logsource:
product: linux
detection:
keywords:
- 'cat /dev/null >*sh_history'
- 'cat /dev/zero >*sh_history'
- 'chattr +i*sh_history'
- 'echo "" >*sh_history'
- 'empty_bash_history'
- 'export HISTFILESIZE=0'
- 'history -c'
- 'history -w'
- 'ln -sf /dev/null *sh_history'
- 'ln -sf /dev/zero *sh_history'
- 'rm *sh_history'
- 'shopt -ou history'
- 'shopt -uo history'
- 'shred *sh_history'
- 'truncate -s0 *sh_history'
# - 'unset HISTFILE' # prone to false positives
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Linux Crypto Mining Indicators
Detects command line parameters or strings often used by crypto miners
view Sigma YAML
title: Linux Crypto Mining Indicators
id: 9069ea3c-b213-4c52-be13-86506a227ab1
status: test
description: Detects command line parameters or strings often used by crypto miners
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
modified: 2022-12-25
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- ' --cpu-priority='
- '--donate-level=0'
- ' -o pool.'
- ' --nicehash'
- ' --algo=rx/0 '
- 'stratum+tcp://'
- 'stratum+udp://'
# Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives
- 'sh -c /sbin/modprobe msr allow_writes=on'
# base64 encoded: --donate-level=
- 'LS1kb25hdGUtbGV2ZWw9'
- '0tZG9uYXRlLWxldmVsP'
- 'tLWRvbmF0ZS1sZXZlbD'
# base64 encoded: stratum+tcp:// and stratum+udp://
- 'c3RyYXR1bSt0Y3A6Ly'
- 'N0cmF0dW0rdGNwOi8v'
- 'zdHJhdHVtK3RjcDovL'
- 'c3RyYXR1bSt1ZHA6Ly'
- 'N0cmF0dW0rdWRwOi8v'
- 'zdHJhdHVtK3VkcDovL'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
Convert to SIEM query
high
Linux Crypto Mining Pool Connections
Detects process connections to a Monero crypto mining pool
view Sigma YAML
title: Linux Crypto Mining Pool Connections
id: a46c93b7-55ed-4d27-a41b-c259456c4746
status: stable
description: Detects process connections to a Monero crypto mining pool
references:
- https://www.poolwatch.io/coin/monero
author: Florian Roth (Nextron Systems)
date: 2021-10-26
tags:
- attack.impact
- attack.t1496
logsource:
product: linux
category: network_connection
detection:
selection:
DestinationHostname:
- 'pool.minexmr.com'
- 'fr.minexmr.com'
- 'de.minexmr.com'
- 'sg.minexmr.com'
- 'ca.minexmr.com'
- 'us-west.minexmr.com'
- 'pool.supportxmr.com'
- 'mine.c3pool.com'
- 'xmr-eu1.nanopool.org'
- 'xmr-eu2.nanopool.org'
- 'xmr-us-east1.nanopool.org'
- 'xmr-us-west1.nanopool.org'
- 'xmr-asia1.nanopool.org'
- 'xmr-jp1.nanopool.org'
- 'xmr-au1.nanopool.org'
- 'xmr.2miners.com'
- 'xmr.hashcity.org'
- 'xmr.f2pool.com'
- 'xmrpool.eu'
- 'pool.hashvault.pro'
- 'moneroocean.stream'
- 'monerocean.stream'
condition: selection
falsepositives:
- Legitimate use of crypto miners
level: high
Convert to SIEM query
high
Linux HackTool Execution
Detects known hacktool execution based on image name.
view Sigma YAML
title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
- https://github.com/Gui774ume/ebpfkit
- https://github.com/pathtofile/bad-bpf
- https://github.com/carlospolop/PEASS-ng
- https://github.com/t3l3machus/hoaxshell
- https://github.com/t3l3machus/Villain
- https://github.com/HavocFramework/Havoc
- https://github.com/1N3/Sn1per
- https://github.com/Ne0nd0g/merlin
- https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
- attack.execution
- attack.resource-development
- attack.t1587
logsource:
product: linux
category: process_creation
detection:
selection_c2_frameworks:
Image|endswith:
- '/crackmapexec'
- '/havoc'
- '/merlin-agent'
- '/merlinServer-Linux-x64'
- '/msfconsole'
- '/msfvenom'
- '/ps-empire server'
- '/ps-empire'
- '/sliver-client'
- '/sliver-server'
- '/Villain.py'
selection_c2_framework_cobaltstrike:
Image|contains:
- '/cobaltstrike'
- '/teamserver'
selection_scanners:
Image|endswith:
- '/autorecon'
- '/httpx'
- '/legion'
- '/naabu'
- '/netdiscover'
- '/nuclei'
- '/recon-ng'
selection_scanners_sniper:
Image|contains: '/sniper'
selection_web_enum:
Image|endswith:
- '/dirb'
- '/dirbuster'
- '/eyewitness'
- '/feroxbuster'
- '/ffuf'
- '/gobuster'
- '/wfuzz'
- '/whatweb'
selection_web_vuln:
Image|endswith:
- '/joomscan'
- '/nikto'
- '/wpscan'
selection_exploit_tools:
Image|endswith:
- '/aircrack-ng'
- '/bloodhound-python'
- '/bpfdos'
- '/ebpfki'
- '/evil-winrm'
- '/hashcat'
- '/hoaxshell.py'
- '/hydra'
- '/john'
- '/ncrack'
# default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
- '/nxc-ubuntu-latest'
- '/pidhide'
- '/pspy32'
- '/pspy32s'
- '/pspy64'
- '/pspy64s'
- '/setoolkit'
- '/sqlmap'
- '/writeblocker'
selection_linpeas:
# covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
Image|contains: '/linpeas'
condition: 1 of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Linux Keylogging with Pam.d
Detect attempt to enable auditing of TTY input
view Sigma YAML
title: Linux Keylogging with Pam.d
id: 49aae26c-450e-448b-911d-b3c13d178dfc
status: test
description: Detect attempt to enable auditing of TTY input
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
- https://linux.die.net/man/8/pam_tty_audit
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
- https://access.redhat.com/articles/4409591#audit-record-types-2
author: 'Pawel Mazur'
date: 2021-05-24
modified: 2022-12-18
tags:
- attack.collection
- attack.credential-access
- attack.t1003
- attack.t1056.001
logsource:
product: linux
service: auditd
detection:
selection_path_events:
type: PATH
name:
- '/etc/pam.d/system-auth'
- '/etc/pam.d/password-auth'
selection_tty_events:
type:
- 'TTY'
- 'USER_TTY'
condition: 1 of selection_*
falsepositives:
- Administrative work
level: high
Convert to SIEM query
high
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
view Sigma YAML
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
- https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
- attack.reconnaissance
- attack.t1592.004
- attack.credential-access
- attack.t1552.001
logsource:
category: process_creation
product: linux
detection:
selection:
CommandLine|contains:
- ' -name .htpasswd'
- ' -perm -4000 '
condition: selection
falsepositives:
- Legitimate administration activities
level: high
Convert to SIEM query
high
Linux Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
view Sigma YAML
title: Linux Suspicious Child Process from Node.js - React2Shell
id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
related:
- id: 271de298-cc0e-4842-acd8-079a0a99ea65
type: similar
status: experimental
description: |
Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule particularly looks for exploitation of vulnerability on Node.js Servers where attackers abuse Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line often includes a shell invocation followed by suspicious commands or scripts (e.g., /bin/sh -c <malicious-command>).
For other methods, the Image field will show the spawned process directly.
references:
- https://github.com/msanft/CVE-2025-55182
- https://nodejs.org/api/child_process.html#class-childprocess
- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
- attack.execution
- attack.t1059
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-55182
logsource:
category: process_creation
product: linux
detection:
selection_parent:
ParentImage|endswith: '/node'
ParentCommandLine|contains:
- '--experimental-https'
- '--experimental-next-config-strip-types'
- '/node_modules/next'
- 'next dev'
- 'next start'
- 'node_modules/.bin'
- 'react-scripts start'
- 'start-server.js'
selection_generic_child_img:
# Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes in exploit
- Image|endswith:
- '/busybox'
- '/cat'
- '/curl'
- '/dash'
- '/dig'
- '/head'
- '/id'
- '/ifconfig'
- '/ip'
- '/java'
- '/less'
- '/lua'
- '/more'
- '/nc'
- '/ncat'
- '/netcat'
- '/netstat'
- '/nslookup'
- '/perl'
- '/ping'
- '/python'
- '/python2'
- '/ruby'
- '/socat'
- '/tail'
- '/wget'
- '/whoami'
- Image|contains: '/python'
selection_generic_child_cli:
# Observed when child_process.execSync() is used to spawn suspicious processes
# Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
# By default, the cli will look something like `/bin/sh -c .......`
CommandLine|contains:
- '/dev/tcp/'
- '/dev/udp/'
- '/etc/hosts'
- '/etc/passwd'
- '/etc/shadow'
- 'base64'
- 'cat '
- 'curl'
- 'dig'
- 'ifconfig'
- 'IO::Socket::INET'
- 'java'
- 'less '
- 'lua'
- 'mkfifo '
- 'more'
- 'nc '
- 'ncat'
- 'netcat'
- 'netstat'
- 'nslookup'
- 'perl'
- 'php'
- 'ping'
- 'ps -ef'
- 'ps aux'
- 'python'
- 'rcat'
- 'ruby'
- 'sh -i 2>&1'
- '-c id'
- 'socat'
- 'uname'
- 'wget'
- 'whoami'
selection_specific_sh:
Image|endswith: '/sh'
selection_specific_cli:
Image|endswith: '-c'
filter_main_default_shell_flag:
Image|endswith: '-c'
condition:
selection_parent and
(
1 of selection_generic_*
or
(selection_specific_sh and not filter_main_default_shell_flag)
or
(all of selection_specific_* and selection_generic_child_cli)
)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Linux Webshell Indicators
Detects suspicious sub processes of web server processes
view Sigma YAML
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: test
description: Detects suspicious sub processes of web server processes
references:
- https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
- https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-10-15
modified: 2022-12-28
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: linux
category: process_creation
detection:
selection_general:
ParentImage|endswith:
- '/httpd'
- '/lighttpd'
- '/nginx'
- '/apache2'
- '/node'
- '/caddy'
selection_tomcat:
ParentCommandLine|contains|all:
- '/bin/java'
- 'tomcat'
selection_websphere: # ? just guessing
ParentCommandLine|contains|all:
- '/bin/java'
- 'websphere'
sub_processes:
Image|endswith:
- '/whoami'
- '/ifconfig'
- '/ip'
- '/bin/uname'
- '/bin/cat'
- '/bin/crontab'
- '/hostname'
- '/iptables'
- '/netstat'
- '/pwd'
- '/route'
condition: 1 of selection_* and sub_processes
falsepositives:
- Web applications that invoke Linux command line tools
level: high
Convert to SIEM query
high
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
view Sigma YAML
title: LiteLLM / TeamPCP Supply Chain Attack Indicators
id: 36603778-030c-43c4-8cbb-cd3c1d1a80c7
status: experimental
description: |
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8).
In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP.
The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
references:
- https://novasky.io/hunts/hunting-litellm-supply-chain
- https://www.virustotal.com/gui/file/71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238/
- https://huskyhacks.io/posts/litellm-cred-stealer/
- https://www.wiz.io/blog/threes-a-crowd-teampcp-trojanizes-litellm-in-continuation-of-campaign
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-30
tags:
- attack.initial-access
- attack.t1195.002
- attack.collection
- attack.t1560.001
- attack.persistence
- attack.privilege-escalation
- attack.t1543.002
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_pth_package:
# Execution of .pth file
Image|contains: '/python3'
CommandLine|contains|all:
- "exec(base64.b64decode('aW1wb3J0"
- "kI2NF9TQ1JJUFQgPSAiYV"
selection_tar:
Image|endswith: '/tar'
CommandLine|contains|all:
- 'tpcp.tar.gz'
- 'payload.enc'
- 'session.key.enc'
selection_curl:
Image|endswith: '/curl'
CommandLine|contains|all:
- 'models.litellm.cloud'
- 'X-Filename: tpcp.tar.gz'
selection_sysmon_service:
ParentImage|contains: '/python3'
CommandLine|contains|all:
- 'systemctl'
- '--user'
- 'sysmon'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
view Sigma YAML
title: Live Memory Dump Using Powershell
id: cd185561-4760-45d6-a63e-a51325112cae
status: test
description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
references:
- https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
author: Max Altgelt (Nextron Systems)
date: 2021-09-21
modified: 2022-12-25
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-StorageDiagnosticInfo'
- '-IncludeLiveDump'
condition: selection
falsepositives:
- Diagnostics
level: high
Convert to SIEM query
high
LiveKD Driver Creation By Uncommon Process
Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
view Sigma YAML
title: LiveKD Driver Creation By Uncommon Process
id: 059c5af9-5131-4d8d-92b2-de4ad6146712
related:
- id: 16fe46bb-4f64-46aa-817d-ff7bec4a2352
type: similar
status: test
description: Detects the creation of the LiveKD driver by a process image other than "livekd.exe".
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\drivers\LiveKdD.SYS'
filter_main_legit_name:
Image|endswith:
- '\livekd.exe'
- '\livek64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrators might rename LiveKD before its usage which could trigger this. Add additional names you use to the filter
level: high
Convert to SIEM query
high
LiveKD Kernel Memory Dump File Created
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
view Sigma YAML
title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\livekd.dmp'
condition: selection
falsepositives:
- In rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high
Convert to SIEM query
high
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shut downing specific processes.
view Sigma YAML
title: Load Of RstrtMgr.DLL By A Suspicious Process
id: b48492dc-c5ef-4572-8dff-32bc241c15c8
related:
- id: 3669afd2-9891-4534-a626-e5cf03810a61
type: derived
status: test
description: |
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shut downing specific processes.
references:
- https://www.crowdstrike.com/blog/windows-restart-manager-part-1/
- https://www.crowdstrike.com/blog/windows-restart-manager-part-2/
- https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/
- https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
author: Luc Génaux
date: 2023-11-28
tags:
- attack.impact
- attack.defense-impairment
- attack.t1486
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
- ImageLoaded|endswith: '\RstrtMgr.dll'
- OriginalFileName: 'RstrtMgr.dll'
selection_folders_1:
Image|contains:
# Note: increase coverage by adding more suspicious paths
- ':\Perflogs\'
- ':\Users\Public\'
- '\Temporary Internet'
selection_folders_2:
- Image|contains|all:
- ':\Users\'
- '\Favorites\'
- Image|contains|all:
- ':\Users\'
- '\Favourites\'
- Image|contains|all:
- ':\Users\'
- '\Contacts\'
condition: selection_img and 1 of selection_folders_*
falsepositives:
- Processes related to software installation
level: high
Convert to SIEM query
high
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
view Sigma YAML
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: test
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
references:
- https://twitter.com/nas_bench/status/1539679555908141061
- https://twitter.com/j00sean/status/1537750439701225472
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
tags:
- attack.execution
logsource:
product: windows
service: diagnosis-scripted
detection:
selection:
EventID: 101
PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
condition: selection
falsepositives:
- Legitimate package hosted on a known and authorized remote location
level: high
Convert to SIEM query
Showing 701-750 of 3,750