Tool
SIEM
Sigma (generic) detection rules
3,751 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,751
medium
Moderate
High FP
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
view Sigma YAML
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
references:
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
CommandLine|contains: 'SyncInvoke '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Process Hollowing Activity
Detects when a memory process image does not match the disk image, indicative of process hollowing.
view Sigma YAML
title: Potential Process Hollowing Activity
id: c4b890e5-8d8c-4496-8c66-c805753817cd
status: test
description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
references:
- https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022-01-25
modified: 2023-11-28
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.012
logsource:
product: windows
category: process_tampering
detection:
selection:
Type: 'Image is replaced'
filter_main_generic:
Image|contains:
- ':\Program Files (x86)'
- ':\Program Files\'
- ':\Windows\System32\wbem\WMIADAP.exe'
- ':\Windows\SysWOW64\wbem\WMIADAP.exe'
filter_optional_opera:
Image|contains: '\AppData\Local\Programs\Opera\'
Image|endswith: '\opera.exe'
filter_optional_edge:
Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Process Reconnaissance via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes.
Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.
view Sigma YAML
title: Potential Process Reconnaissance via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: test
description: |
Detects the execution of "wmic" with the "process" flag, which might indicate an attempt to perform reconnaissance on running processes.
Adversaries may use wmic to query for running processes and their details as part of their reconnaissance efforts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: frack113
date: 2022-01-01
modified: 2025-06-10
tags:
- attack.execution
- attack.t1047
- attack.discovery
- attack.t1057
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'process'
filter_main_creation:
CommandLine|contains|all:
# Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
- 'call'
- 'create'
filter_main_terminate:
CommandLine|contains|all:
# Rule id 49d9671b-0a0a-4c09-8280-d215bfd30662 for `wmic path win32_process where processid=#{processid_to_terminate} call terminate`
- 'call'
- 'terminate'
condition: all of selection* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
view Sigma YAML
title: Potential Product Class Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: test
description: |
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products.
Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms.
This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2023-02-14
modified: 2025-03-17
tags:
- attack.execution
- attack.t1047
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
# Example: wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
CommandLine|contains:
- 'AntiVirusProduct'
- 'AntiSpywareProduct'
- 'FirewallProduct'
condition: all of selection_*
falsepositives:
- Legitimate use of wmic.exe for reconnaissance of firewall, antivirus and antispywware products.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
view Sigma YAML
title: Potential Product Reconnaissance Via Wmic.EXE
id: 15434e33-5027-4914-88d5-3d4145ec25a9
status: test
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
- https://thedfirreport.com/2023/03/06/2022-year-in-review/
- https://www.yeahhub.com/list-installed-programs-version-path-windows/
- https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
author: Nasreddine Bencherchali
date: 2023-02-14
modified: 2025-10-22
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wmic.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'Product'
filter_main_call_operations:
# wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
CommandLine|contains:
- ' uninstall'
- ' install'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
view Sigma YAML
title: Potential Provlaunch.EXE Binary Proxy Execution Abuse
id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c
related:
- id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
type: similar
- id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
type: similar
- id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
type: similar
status: test
description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
- https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\provlaunch.exe'
filter_main_covered_children:
# Note: this filter is here to avoid duplicate alerting by f9999590-1f94-4a34-a91e-951e47bedefd
- Image|endswith:
- '\calc.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- Image|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\AppData\Temp\'
- '\Windows\System32\Tasks\'
- '\Windows\Tasks\'
- '\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Python DLL SideLoading
Detects potential DLL sideloading of Python DLL files.
view Sigma YAML
title: Potential Python DLL SideLoading
id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
status: test
description: Detects potential DLL sideloading of Python DLL files.
references:
- https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/
- https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
author: Swachchhanda Shrawan Poudel
date: 2024-10-06
modified: 2025-08-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\python39.dll'
- '\python310.dll'
- '\python311.dll'
- '\python312.dll'
filter_main_default_install_paths:
- ImageLoaded|startswith:
- 'C:\Program Files\Python3'
- 'C:\Program Files (x86)\Python3'
- ImageLoaded|contains: '\AppData\Local\Programs\Python\Python3'
filter_optional_visual_studio:
ImageLoaded|startswith: 'C:\Program Files\Microsoft Visual Studio\'
filter_optional_anaconda:
ImageLoaded|startswith: 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
filter_optional_cpython:
ImageLoaded|contains:
- '\cpython\externals\'
- '\cpython\PCbuild\'
filter_optional_pyinstaller:
# Triggered by programs bundled with PyInstaller
ImageLoaded|startswith: 'C:\Users'
ImageLoaded|contains: '\AppData\Local\Temp\_MEI'
filter_main_legit_signature_details:
Product: 'Python'
Signed: 'true'
Description: 'Python'
Company: 'Python Software Foundation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software using Python DLLs
level: medium
Convert to SIEM query
medium
Strong
Low FP
Potential RDP Exploit CVE-2019-0708
Detect suspicious error on protocol RDP, potential CVE-2019-0708
view Sigma YAML
title: Potential RDP Exploit CVE-2019-0708
id: aaa5b30d-f418-420b-83a0-299cb6024885
status: test
description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
references:
- https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
- https://github.com/Ekultek/BlueKeep
author: 'Lionel PRAT, Christophe BROCAS, @atc_project (improvements)'
date: 2019-05-24
modified: 2022-12-25
tags:
- attack.lateral-movement
- attack.t1210
- car.2013-07-002
- cve.2019-0708
- detection.emerging-threats
logsource:
product: windows
service: system
detection:
selection:
EventID:
- 56
- 50
Provider_Name: TermDD
condition: selection
falsepositives:
- Bad connections or network interruptions
# too many false positives
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
view Sigma YAML
title: Potential RDP Session Hijacking Activity
id: 224f140f-3553-4cd1-af78-13d81bf9f7cc
status: test
description: Detects potential RDP Session Hijacking activity on Windows systems
references:
- https://twitter.com/Moti_B/status/909449115477659651
author: '@juju4'
date: 2022-12-27
modified: 2024-12-01
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\tscon.exe'
- OriginalFileName: 'tscon.exe'
selection_integrity:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
view Sigma YAML
title: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
id: c9fbe8e9-119d-40a6-9b59-dd58a5d84429
status: test
description: Detects potential malicious and unauthorized usage of bcdedit.exe
references:
- https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
- https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
author: '@neu5ron'
date: 2019-02-07
modified: 2023-02-15
tags:
- attack.stealth
- attack.t1070
- attack.persistence
- attack.t1542.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bcdedit.exe'
- OriginalFileName: 'bcdedit.exe'
selection_cli:
CommandLine|contains:
- 'delete'
- 'deletevalue'
- 'import'
- 'safeboot'
- 'network'
condition: all of selection_*
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery
view Sigma YAML
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
view Sigma YAML
title: Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
related:
- id: f92a6f1e-a512-4a15-9735-da09e78d7273 # FileCreate
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: test
description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
author: blueteamer8699
date: 2022-01-03
modified: 2023-02-08
tags:
- attack.discovery
- attack.execution
- attack.t1615
- attack.t1059.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: 'gatherNetworkInfo.vbs'
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
view Sigma YAML
title: Potential ReflectDebugger Content Execution Via WerFault.EXE
id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
related:
- id: 0cf2e1c6-8d10-4273-8059-738778f981ad
type: derived
status: test
description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior (Nextron Systems)
date: 2023-06-30
tags:
- attack.execution
- attack.stealth
- attack.t1036
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
CommandLine|contains: ' -pr '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
view Sigma YAML
title: Potential Register_App.Vbs LOLScript Abuse
id: 28c8f68b-098d-45af-8d43-8089f3e35403
status: test
description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
references:
- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
- https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
author: Austin Songer @austinsonger
date: 2021-11-05
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\cscript.exe'
- '\wscript.exe'
- OriginalFileName:
- 'cscript.exe'
- 'wscript.exe'
selection_cli:
CommandLine|contains: '.vbs -register ' # register_app.vbs
condition: all of selection*
falsepositives:
- Other VB scripts that leverage the same starting command line flags
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Registry Persistence Attempt Via DbgManagedDebugger
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
view Sigma YAML
title: Potential Registry Persistence Attempt Via DbgManagedDebugger
id: 9827ae57-3802-418f-994b-d5ecf5cd974b
status: test
description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
references:
- https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
- https://github.com/last-byte/PersistenceSniper
author: frack113
date: 2022-08-07
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\.NETFramework\DbgManagedDebugger'
filter:
Details: '"C:\Windows\system32\vsjitdebugger.exe" PID %d APPDOM %d EXTEXT "%s" EVTHDL %d'
condition: selection and not filter
falsepositives:
- Legitimate use of the key to setup a debugger. Which is often the case on developers machines
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Registry Reconnaissance Via PowerShell Script
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
view Sigma YAML
title: Potential Registry Reconnaissance Via PowerShell Script
id: 064060aa-09fb-4636-817f-020a32aa7e9e
related:
- id: 970007b7-ce32-49d0-a4a4-fbef016950bd
type: similar
status: test
description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
author: frack113
date: 2023-07-02
tags:
- attack.discovery
- attack.t1012
- attack.t1007
- detection.threat-hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# TODO: switch to |re|i: after sigma specification v2 is released
ScriptBlockText|re: '(Get-Item|gci|Get-ChildItem).{1,64}-Path.{1,64}\\(currentcontrolset\\services|CurrentVersion\\Policies\\Explorer\\Run|CurrentVersion\\Run|CurrentVersion\\ShellServiceObjectDelayLoad|CurrentVersion\\Windows\winlogon)\\'
condition: selection
falsepositives:
- Due to the nature of the script block, the matching of the string could sometimes result in a false positive. Use this rule to hunt for potential malicious or suspicious scripts.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Regsvr32 Commandline Flag Anomaly
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
view Sigma YAML
title: Potential Regsvr32 Commandline Flag Anomaly
id: b236190c-1c61-41e9-84b3-3fe03f6d76b0
status: test
description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
references:
- https://twitter.com/sbousseaden/status/1282441816986484737?s=12
author: Florian Roth (Nextron Systems)
date: 2019-07-13
modified: 2024-03-13
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|windash: ' -i:'
filter_main_flag:
CommandLine|contains|windash: ' -n '
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrator typo might cause some false positives
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Potential Remote Command Execution In Pod Container
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
view Sigma YAML
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: test
description: |
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'create'
objectRef.resource: 'pods'
objectRef.subresource: 'exec'
condition: selection
falsepositives:
- Legitimate debugging activity. Investigate the identity performing the requests and their authorization.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Remote Desktop Connection to Non-Domain Host
Detects logons using NTLM to hosts that are potentially not part of the domain.
view Sigma YAML
title: Potential Remote Desktop Connection to Non-Domain Host
id: ce5678bb-b9aa-4fb5-be4b-e57f686256ad
status: test
description: Detects logons using NTLM to hosts that are potentially not part of the domain.
references:
- n/a
author: James Pemberton
date: 2020-05-22
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
service: ntlm
definition: Requires events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8001
TargetName|startswith: 'TERMSRV'
condition: selection
falsepositives:
- Host connections to valid domains, exclude these.
- Host connections not using host FQDN.
- Host connections to external legitimate domains.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
view Sigma YAML
title: Potential Remote Desktop Tunneling
id: 8a3038e8-9c9d-46f8-b184-66234a160f6f
status: test
description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
references:
- https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.lateral-movement
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: ':3389' # RDP port and usual SSH tunneling related switches in command line
selection_opt:
CommandLine|contains:
- ' -L '
- ' -P '
- ' -R '
- ' -pw '
- ' -ssh '
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Low FP
Potential Remote WMI ActiveScriptEventConsumers Activity
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
view Sigma YAML
title: Potential Remote WMI ActiveScriptEventConsumers Activity
id: 9599c180-e3a8-4743-8f92-7fb96d3be648
status: test
description: |
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
references:
- https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-09-02
modified: 2024-09-02
tags:
- attack.lateral-movement
- attack.privilege-escalation
- detection.threat-hunting
- attack.persistence
- attack.t1546.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
ProcessName|endswith: 'scrcons.exe'
filter_main_local_system:
TargetLogonId: '0x3e7' # Local System
condition: selection and not 1 of filter_main_*
falsepositives:
- SCCM
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential RjvPlatform.DLL Sideloading From Default Location
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
view Sigma YAML
title: Potential RjvPlatform.DLL Sideloading From Default Location
id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
status: test
description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
references:
- https://twitter.com/0gtweet/status/1666716511988330499
author: X__Junior (Nextron Systems)
date: 2023-06-09
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image: 'C:\Windows\System32\SystemResetPlatform\SystemResetPlatform.exe'
ImageLoaded: 'C:\$SysReset\Framework\Stack\RjvPlatform.dll'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential RoboForm.DLL Sideloading
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
view Sigma YAML
title: Potential RoboForm.DLL Sideloading
id: f64c9b2d-b0ad-481d-9d03-7fc75020892a
status: test
description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
references:
- https://twitter.com/StopMalvertisin/status/1648604148848549888
- https://twitter.com/t3ft3lb/status/1656194831830401024
- https://www.roboform.com/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\roboform.dll'
- '\roboform-x64.dll'
filter_main_path:
Image|startswith:
- ' C:\Program Files (x86)\Siber Systems\AI RoboForm\'
- ' C:\Program Files\Siber Systems\AI RoboForm\'
Image|endswith:
- '\robotaskbaricon.exe'
- '\robotaskbaricon-x64.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- If installed on a per-user level, the path would be located in "AppData\Local". Add additional filters to reflect this mode of installation
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Ruby Reverse Shell
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
view Sigma YAML
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|contains: 'ruby'
CommandLine|contains|all:
- ' -e'
- 'rsocket'
- 'TCPSocket'
CommandLine|contains:
- ' ash'
- ' bash'
- ' bsh'
- ' csh'
- ' ksh'
- ' pdksh'
- ' sh'
- ' tcsh'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
view Sigma YAML
title: Potential SAP NetWeaver Webshell Creation
id: 86a7c91f-98c3-4f14-a58d-d989421e1234
status: experimental
description: |
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection_path:
TargetFilename|contains:
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work'
- '\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root'
selection_ext:
TargetFilename|endswith:
- '.jsp'
- '.java'
- '.class'
condition: all of selection_*
falsepositives:
- Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
view Sigma YAML
title: Potential SAP NetWeaver Webshell Creation - Linux
id: 5b91409c-cb18-4ab6-ac75-c5759f998409
status: experimental
description: |
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories,
which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31324
- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
author: Elastic (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-28
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1059.003
- cve.2025-31324
- detection.emerging-threats
logsource:
product: linux
category: file_event
detection:
selection_path:
TargetFilename|contains:
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/work/'
- '/j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/'
selection_ext:
TargetFilename|endswith:
- '.jsp'
- '.java'
- '.class'
condition: all of selection_*
falsepositives:
- Legitimate creation of jsc or java files in these locations
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
view Sigma YAML
title: Potential SPN Enumeration Via Setspn.EXE
id: 1eeed653-dbc8-4187-ad0c-eeebb20e6599
status: test
description: Detects service principal name (SPN) enumeration used for Kerberoasting
references:
- https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
- https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
author: Markus Neis, keepwatch
date: 2018-11-14
modified: 2023-10-23
tags:
- attack.credential-access
- attack.t1558.003
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith: '\setspn.exe'
- OriginalFileName: 'setspn.exe'
- Description|contains|all:
- 'Query or reset the computer'
- 'SPN attribute'
selection_cli:
CommandLine|contains:
- ' -q '
- ' /q '
condition: all of selection_*
falsepositives:
- Administration activity
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
view Sigma YAML
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
ParentImage|endswith:
# Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\powershell.exe'
CommandLine|contains: ' -nologo -windowstyle minimized -file '
selection_temp:
# Note: Since the function uses "env:temp" the value will change depending on the context of exec
CommandLine|contains:
- '\AppData\Local\Temp\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Secure Deletion with SDelete
Detects files that have extensions commonly seen while SDelete is used to wipe files.
view Sigma YAML
title: Potential Secure Deletion with SDelete
id: 39a80702-d7ca-4a83-b776-525b1f86a36d
status: test
description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
author: Thomas Patzke
date: 2017-06-14
modified: 2024-12-13
tags:
- attack.impact
- attack.stealth
- attack.defense-impairment
- attack.t1070.004
- attack.t1027.005
- attack.t1485
- attack.t1553.002
- attack.s0195
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
- 4658
ObjectName|endswith:
- '.AAA'
- '.ZZZ'
condition: selection
falsepositives:
- Legitimate usage of SDelete
- Files that are interacted with that have these extensions legitimately
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential SentinelOne Shell Context Menu Scan Command Tampering
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
view Sigma YAML
title: Potential SentinelOne Shell Context Menu Scan Command Tampering
id: 6c304b02-06e6-402d-8be4-d5833cdf8198
status: test
description: Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-03-06
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\shell\SentinelOneScan\command\'
filter_main_sentinelone_default_scan_binary:
Details|startswith:
- 'C:\Program Files\SentinelOne\Sentinel Agent'
- 'C:\Program Files (x86)\SentinelOne\Sentinel Agent'
Details|contains: '\SentinelScanFromContextMenu.exe'
filter_main_sentinelone_binary:
Image|endswith:
- 'C:\Program Files\SentinelOne\'
- 'C:\Program Files (x86)\SentinelOne\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential ShellDispatch.DLL Functionality Abuse
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
view Sigma YAML
title: Potential ShellDispatch.DLL Functionality Abuse
id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
status: test
description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.execution
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
CommandLine|contains: 'RunDll_ShellExecuteW'
condition: all of selection_*
falsepositives:
- Unlikely
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential ShellDispatch.DLL Sideloading
Detects potential DLL sideloading of "ShellDispatch.dll"
view Sigma YAML
title: Potential ShellDispatch.DLL Sideloading
id: 844f8eb2-610b-42c8-89a4-47596e089663
status: test
description: Detects potential DLL sideloading of "ShellDispatch.dll"
references:
- https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\ShellDispatch.dll'
filter_main_legit_path:
- ImageLoaded|contains|all:
- ':\Users\'
- '\AppData\Local\Temp\'
- ImageLoaded|contains: ':\Windows\Temp\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Some installers may trigger some false positives
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Shellcode Injection
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
view Sigma YAML
title: Potential Shellcode Injection
id: 250ae82f-736e-4844-a68b-0b5e8cc887da
status: test
description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
references:
- https://github.com/EmpireProject/PSInject
author: Bhabesh Raj
date: 2022-03-11
modified: 2024-07-02
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.threat-hunting
logsource:
category: process_access
product: windows
detection:
selection:
GrantedAccess:
- '0x147a'
- '0x1f3fff'
CallTrace|contains: 'UNKNOWN'
filter_main_wmiprvse:
SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe'
TargetImage: 'C:\Windows\system32\lsass.exe'
filter_optional_dell_folders:
# If dell software is installed we get matches like these
# Example 1:
# SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
# TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# GrantedAccess: 0x1F3FFF
# Example 2:
# SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
# TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# GrantedAccess: 0x1F3FFF
# Example 3:
# SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe
# TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe
# GrantedAccess: 0x1F3FFF
SourceImage|startswith:
- 'C:\Program Files\Dell\'
- 'C:\Program Files (x86)\Dell\'
TargetImage|startswith:
- 'C:\Program Files\Dell\'
- 'C:\Program Files (x86)\Dell\'
filter_optional_dell_specifc:
SourceImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
TargetImage: 'C:\Windows\Explorer.EXE'
filter_optional_visual_studio:
SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
view Sigma YAML
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
- id: 18ee686c-38a3-4f65-9f44-48a077141f42
type: similar
status: test
description: |
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
selection_cli:
CommandLine|contains: '.sdb'
filter_optional_iis:
ParentImage|endswith: '\msiexec.exe'
CommandLine|contains:
# Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
- ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
- ':\Program Files\IIS Express\iisexpressshim.sdb'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Low FP
Potential Sidecar Injection Into Running Deployment
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
view Sigma YAML
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: test
description: |
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
One way to add containers to running resources like Deployments/DeamonSets/StatefulSets, is via a "kubectl patch" operation.
By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separated pod in the cluster.
references:
- https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
- attack.t1609
- attack.execution
logsource:
category: application
product: kubernetes
service: audit
detection:
selection:
verb: 'patch'
apiGroup: 'apps'
objectRef.resource: 'deployments'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential SolidPDFCreator.DLL Sideloading
Detects potential DLL sideloading of "SolidPDFCreator.dll"
view Sigma YAML
title: Potential SolidPDFCreator.DLL Sideloading
id: a2edbce1-95c8-4291-8676-0d45146862b3
status: test
description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
references:
- https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: X__Junior (Nextron Systems)
date: 2023-05-07
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\SolidPDFCreator.dll'
filter_main_path:
Image|endswith: '\SolidPDFCreator.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SolidDocuments\SolidPDFCreator\'
- 'C:\Program Files\SolidDocuments\SolidPDFCreator\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
- attack.collection
- attack.discovery
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1685.001
- attack.t1547.001
- attack.t1505.005
- attack.t1556.002
- attack.t1685
- attack.t1574.007
- attack.t1564.002
- attack.t1546.008
- attack.t1546.007
- attack.t1547.014
- attack.t1547.010
- attack.t1547.002
- attack.t1557
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\secedit.exe'
- OriginalFileName: 'SeCEdit'
selection_flags_discovery:
CommandLine|contains|all:
- '/export'
- '/cfg'
selection_flags_configure:
CommandLine|contains|all:
- '/configure'
- '/db'
# filter:
# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log
condition: selection_img and (1 of selection_flags_*)
falsepositives:
- Legitimate administrative use
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
view Sigma YAML
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Acrobat Reader'
- 'Microsoft Office'
- 'PDF Reader'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
- '\maxthon.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
CommandLine|contains: 'http'
filter_main_microsoft_help:
CommandLine|contains: 'https://go.microsoft.com/fwlink/'
filter_optional_foxit:
CommandLine|contains:
- 'http://ad.foxitsoftware.com/adlog.php?'
- 'https://globe-map.foxitservice.com/go.php?do=redirect'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Suspicious Change To Sensitive/Critical Files
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
These files include, but are not limited to, system configuration files, authentication files, and critical application files.
Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
view Sigma YAML
title: Potential Suspicious Change To Sensitive/Critical Files
id: 86157017-c2b1-4d4a-8c33-93b8e67e4af4
status: test
description: |
Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.
These files include, but are not limited to, system configuration files, authentication files, and critical application files.
Attackers often target these files to maintain persistence, escalate privileges, or disrupt system operations.
references:
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2023-05-30
modified: 2026-03-18
tags:
- attack.impact
- attack.t1565.001
logsource:
category: process_creation
product: linux
detection:
selection_img_1:
Image|endswith:
- '/cat'
- '/echo'
- '/grep'
- '/head'
- '/more'
- '/tail'
CommandLine|contains: '>'
selection_img_2:
Image|endswith:
- '/emacs'
- '/nano'
- '/sed'
- '/vi'
- '/vim'
selection_paths:
CommandLine|contains:
- '/bin/login'
- '/bin/passwd'
- '/boot/'
- '/etc/*.conf'
- '/etc/cron.' # Covers different cron config files "daily", "hourly", etc.
- '/etc/crontab'
- '/etc/hosts'
- '/etc/init.d'
- '/etc/sudoers'
- '/opt/bin/'
- '/sbin' # Covers: '/opt/sbin', '/usr/local/sbin/', '/usr/sbin/'
- '/usr/bin/'
- '/usr/local/bin/'
filter_main_mdadm.conf:
Image|endswith: '/bin/sed'
CommandLine|startswith:
- 'sed -i /^*'
- 'sed -ne s/^'
CommandLine|endswith: '/etc/mdadm/mdadm.conf'
condition: 1 of selection_img_* and selection_paths and not 1 of filter_main_*
falsepositives:
- Some false positives are to be expected on user or administrator machines. Apply additional filters as needed.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
view Sigma YAML
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019-02-11
modified: 2023-04-21
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'System.Reflection.Assembly.Load($'
- '[System.Reflection.Assembly]::Load($'
- '[Reflection.Assembly]::Load($'
- 'System.Reflection.AssemblyName'
- 'Reflection.Emit.AssemblyBuilderAccess'
- 'Reflection.Emit.CustomAttributeBuilder'
- 'Runtime.InteropServices.UnmanagedType'
- 'Runtime.InteropServices.DllImportAttribute'
- 'SuspendThread'
- 'rundll32'
# - 'FromBase64'
# - 'Invoke-WMIMethod' # Prone to FP
# - 'http://127.0.0.1' # Prone to FP
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Suspicious PowerShell Module File Created
Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
view Sigma YAML
title: Potential Suspicious PowerShell Module File Created
id: e8a52bbd-bced-459f-bd93-64db45ce7657
status: test
description: Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
references:
- Internal Research
- https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
- attack.persistence
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
# Note: Don't include PowerShell 7 as it has default modules that don't follow this logic
- '\\WindowsPowerShell\\Modules\\*\.ps'
- '\\WindowsPowerShell\\Modules\\*\.dll'
condition: selection
falsepositives:
- False positive rate will vary depending on the environments. Additional filters might be required to make this logic usable in production.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
view Sigma YAML
title: Potential Suspicious Registry File Imported Via Reg.EXE
id: 62e0298b-e994-4189-bc87-bc699aa62d97
related:
- id: 73bba97f-a82d-42ce-b315-9182e76c57b1
type: derived
status: test
description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
author: frack113, Nasreddine Bencherchali
date: 2022-08-01
modified: 2023-02-05
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains: ' import '
selection_paths:
CommandLine|contains:
- 'C:\Users\'
- '%temp%'
- '%tmp%'
- '%appdata%'
- '\AppData\Local\Temp\'
- 'C:\Windows\Temp\'
- 'C:\ProgramData\'
condition: all of selection_*
falsepositives:
- Legitimate import of keys
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
view Sigma YAML
title: Potential Suspicious Windows Feature Enabled
id: 55c925c1-7195-426b-a136-a9396800e29b
related:
- id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
type: similar
status: test
description: |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
- https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: frack113
date: 2022-09-10
modified: 2022-12-29
tags:
- attack.stealth
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmd:
ScriptBlockText|contains|all:
- 'Enable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any insecure/unusual windows features to your env
ScriptBlockText|contains:
- 'TelnetServer'
- 'Internet-Explorer-Optional-amd64'
- 'TFTP'
- 'SMB1Protocol'
- 'Client-ProjFS'
- 'Microsoft-Windows-Subsystem-Linux'
condition: all of selection_*
falsepositives:
- Legitimate usage of the features listed in the rule.
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
view Sigma YAML
title: Potential Suspicious Windows Feature Enabled - ProcCreation
id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
related:
- id: 55c925c1-7195-426b-a136-a9396800e29b
type: similar
status: test
description: |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
references:
- https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps
- https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system
- https://learn.microsoft.com/en-us/windows/wsl/install-on-server
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-29
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_cmd:
CommandLine|contains|all:
- 'Enable-WindowsOptionalFeature'
- '-Online'
- '-FeatureName'
selection_feature:
# Add any insecure/unusual windows features that you don't use in your environment
CommandLine|contains:
- 'TelnetServer'
- 'Internet-Explorer-Optional-amd64'
- 'TFTP'
- 'SMB1Protocol'
- 'Client-ProjFS'
- 'Microsoft-Windows-Subsystem-Linux'
condition: all of selection_*
falsepositives:
- Legitimate usage of the features listed in the rule.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential UAC Bypass Via Sdclt.EXE
A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
view Sigma YAML
title: Potential UAC Bypass Via Sdclt.EXE
id: 40f9af16-589d-4984-b78d-8c2aec023197
status: test
description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/6
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'sdclt.exe'
IntegrityLevel:
- 'High'
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
view Sigma YAML
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.t1018
- attack.t1558
- attack.t1589.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enable'
detection:
selection:
ScriptBlockText|contains:
- '-Properties*TrustedForDelegation'
- '-Properties*TrustedToAuthForDelegation'
- '-Properties*msDS-AllowedToDelegateTo'
- '-Properties*PrincipalsAllowedToDelegateToAccount'
- '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
view Sigma YAML
title: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
id: 68bcd73b-37ef-49cb-95fc-edc809730be6
related:
- id: 09658312-bc27-4a3b-91c5-e49ab9046d1b # PowerShell Variant
type: similar
- id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
type: similar
status: test
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-09-11
tags:
- attack.execution
- attack.t1047
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains|all:
- ' service get '
- 'name,displayname,pathname,startmode'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Potential Vivaldi_elf.DLL Sideloading
Detects potential DLL sideloading of "vivaldi_elf.dll"
view Sigma YAML
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: test
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
author: X__Junior (Nextron Systems)
date: 2023-08-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vivaldi_elf.dll'
filter_main_legit_path:
Image|endswith: '\Vivaldi\Application\vivaldi.exe'
ImageLoaded|contains: '\Vivaldi\Application\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
view Sigma YAML
title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
id: 692f0bec-83ba-4d04-af7e-e884a96059b6
related:
- id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
status: stable
description: Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
references:
- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis @Karneades
date: 2019-04-03
modified: 2023-03-29
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\WmiPrvSE.exe'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
condition: all of selection_*
falsepositives:
- AppvClient
- CCM
- WinRM
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
view Sigma YAML
title: Potential WWlib.DLL Sideloading
id: e2e01011-5910-4267-9c3b-4149ed5479cf
status: test
description: Detects potential DLL sideloading of "wwlib.dll"
references:
- https://twitter.com/WhichbufferArda/status/1658829954182774784
- https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/
- https://securelist.com/apt-luminousmoth/103332/
author: X__Junior (Nextron Systems)
date: 2023-05-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\wwlib.dll'
filter_main_path:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft Office\'
- 'C:\Program Files\Microsoft Office\'
Image|endswith: '\winword.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Microsoft Office\'
- 'C:\Program Files\Microsoft Office\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
Showing 2751-2800 of 3,751