Sigma (generic) detection rules
3,751 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by technique (pick techniques from the ATT&CK matrix); rule counts per tactic:
Reconnaissance: 12
Resource Development: 10
Initial Access: 10
Execution: 30
Persistence: 43
Privilege Escalation: 20
Stealth: 83
Defense Impairment: 32
Credential Access: 35
Discovery: 33
Lateral Movement: 16
Collection: 20
Command and Control: 24
Exfiltration: 10
Impact: 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 3,751
medium
Strong
Medium FP
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Sigma YAML:
title: Potential Wazuh Security Platform DLL Sideloading
id: db77ce78-7e28-4188-9337-cf30e2b3ba9f
status: test
description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
references:
    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
author: X__Junior (Nextron Systems)
date: 2023-03-13
modified: 2023-05-12
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\libwazuhshared.dll'
            - '\libwinpthread-1.dll'
    filter_main_generic:
        ImageLoaded|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_mingw64:
        # Note: Many third-party apps installed under "AppData" or "ProgramData" that are built with "mingw64" make use of "libwinpthread-1.dll"
        # In production it is best to make a list of these apps and replace this filter with a specific one.
        ImageLoaded|contains:
            - '\AppData\Local\'
            - '\ProgramData\'
        ImageLoaded|endswith: '\mingw64\bin\libwinpthread-1.dll'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)
level: medium
medium
Strong
Medium FP
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Sigma YAML:
title: Potential Webshell Creation On Static Website
id: 39f1f9f2-9636-45de-98f6-a4046aa8e4b9
status: test
description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
references:
    - PT ESC rule and personal experience
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
author: Beyu Denis, oscd.community, Tim Shelton, Thurein Oo
date: 2019-10-22
modified: 2023-10-15
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection_wwwroot_path:
        TargetFilename|contains: '\inetpub\wwwroot\'
    selection_wwwroot_ext:
        TargetFilename|contains:
            - '.ashx'
            - '.asp'
            - '.ph'
            - '.soap'
    selection_htdocs_path:
        TargetFilename|contains:
            - '\www\'
            - '\htdocs\'
            - '\html\'
    selection_htdocs_ext:
        TargetFilename|contains: '.ph'
    # selection_tomcat_path:
    #     TargetFilename|contains: '\webapps\ROOT'
    # selection_tomcat_ext:
    #     TargetFilename|contains:
    #         - '.jsp' # .jspx, .jspf
    #         - '.jsv'
    #         - '.jsw'
    filter_main_temp: # FP when unpacking some executables in $TEMP
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    filter_main_system:
        Image: 'System' # FP when backup/restore from drivers
    filter_main_legitimate:
        TargetFilename|contains: '\xampp'
    condition: (all of selection_wwwroot_* or all of selection_htdocs_*) and not 1 of filter_main_*
falsepositives:
    - Legitimate administrator or developer creating legitimate executable files in a web application folder
level: medium
medium
Strong
Medium FP
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Sigma YAML:
title: Potential XCSSET Malware Infection
id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
status: test
description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1_curl:
        ParentImage|endswith: '/bash'
        Image|endswith: '/curl'
        CommandLine|contains:
            - '/sys/log.php'
            - '/sys/prepod.php'
            - '/sys/bin/Pods'
    selection_1_https:
        CommandLine|contains: 'https://'
    selection_other_1:
        ParentImage|endswith: '/bash'
        Image|endswith: '/osacompile'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_2:
        ParentImage|endswith: '/bash'
        Image|endswith: '/plutil'
        CommandLine|contains|all:
            - 'LSUIElement'
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_3:
        Image|endswith: '/zip'
        CommandLine|contains|all:
            - '-r'
            - '/Users/'
            - '/Library/Group Containers/'
    condition: all of selection_1_* or 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
Sigma YAML:
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
Sigma YAML:
title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
id: 01c42d3c-242d-4655-85b2-34f1739632f7
status: test
description: Detects usage of Dsacls to grant over permissive permissions
references:
    - https://ss64.com/nt/dsacls.html
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dsacls.exe'
        - OriginalFileName: "DSACLS.EXE"
    selection_flag:
        CommandLine|contains: ' /G '
    selection_permissions:
        CommandLine|contains: # Add more permissions as you see fit in your environment
            - 'GR'
            - 'GE'
            - 'GW'
            - 'GA'
            - 'WP'
            - 'WD'
    condition: all of selection_*
falsepositives:
    - Legitimate administrators granting over permissive permissions to users
level: medium
medium
Strong
Medium FP
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
Sigma YAML:
title: Potentially Suspicious AccessMask Requested From LSASS
id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
status: test
description: Detects process handle on LSASS process with certain access mask
references:
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
date: 2019-11-01
modified: 2023-12-19
tags:
    - attack.credential-access
    - car.2019-04-004
    - attack.t1003.001
logsource:
    product: windows
    service: security
detection:
    selection_1:
        EventID: 4656 # A handle to an object was requested.
        ObjectName|endswith: '\lsass.exe'
        AccessMask|contains:
            - '0x40'
            - '0x1400'
            # - '0x1000' # minimum access requirements to query basic info from service
            - '0x100000'
            - '0x1410' # car.2019-04-004
            - '0x1010' # car.2019-04-004
            - '0x1438' # car.2019-04-004
            - '0x143a' # car.2019-04-004
            - '0x1418' # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
    selection_2:
        EventID: 4663 # An attempt was made to access an object
        ObjectName|endswith: '\lsass.exe'
        AccessList|contains:
            - '4484'
            - '4416'
    filter_main_specific:
        ProcessName|endswith:
            - '\csrss.exe'
            - '\GamingServices.exe'
            - '\lsm.exe'
            - '\MicrosoftEdgeUpdate.exe'
            - '\minionhost.exe' # Cybereason
            - '\MRT.exe' # MS Malware Removal Tool
            - '\MsMpEng.exe' # Defender
            - '\perfmon.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\svchost.exe'
            - '\taskmgr.exe'
            - '\thor.exe' # THOR
            - '\thor64.exe' # THOR
            - '\vmtoolsd.exe'
            - '\VsTskMgr.exe' # McAfee Enterprise
            - '\wininit.exe'
            - '\wmiprvse.exe'
            - 'RtkAudUService64' # https://medium.com/falconforce/the-curious-case-of-realtek-and-lsass-33fc0c8482ff
        ProcessName|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\Microsoft\Windows Defender\Platform\'
            - ':\Windows\SysNative\'
            - ':\Windows\System32\'
            - ':\Windows\SysWow64\'
            - ':\Windows\Temp\asgard2-agent\'
    filter_main_generic:
        ProcessName|contains: ':\Program Files' # too many false positives with legitimate AV and EDR solutions
    filter_main_exact:
        ProcessName|endswith:
            - ':\Windows\System32\taskhostw.exe'
            - ':\Windows\System32\msiexec.exe'
            - ':\Windows\CCM\CcmExec.exe'
    filter_main_sysmon:
        ProcessName|endswith: ':\Windows\Sysmon64.exe'
        AccessList|contains: '%%4484'
    filter_main_aurora:
        ProcessName|contains: ':\Windows\Temp\asgard2-agent-sc\aurora\'
        ProcessName|endswith: '\aurora-agent-64.exe'
        AccessList|contains: '%%4484'
    filter_main_scenarioengine:
        # Example: C:\a70de9569c3a5aa22184ef52a890177b\x64\SCENARIOENGINE.EXE
        ProcessName|endswith: '\x64\SCENARIOENGINE.EXE'
        AccessList|contains: '%%4484'
    filter_main_avira1:
        ProcessName|contains|all:
            - ':\Users\'
            - '\AppData\Local\Temp\is-'
        ProcessName|endswith: '\avira_system_speedup.tmp'
        AccessList|contains: '%%4484'
    filter_main_avira2:
        ProcessName|contains: ':\Windows\Temp\'
        ProcessName|endswith: '\avira_speedup_setup_update.tmp'
        AccessList|contains: '%%4484'
    filter_main_snmp:
        ProcessName|endswith: ':\Windows\System32\snmp.exe'
        AccessList|contains: '%%4484'
    filter_main_googleupdate:
        ProcessName|contains: ':\Windows\SystemTemp\'
        ProcessName|endswith: '\GoogleUpdate.exe'
        AccessList|contains: '%%4484'
    filter_optional_procmon:
        ProcessName|endswith:
            - '\procmon64.exe'
            - '\procmon.exe'
        AccessList|contains: '%%4484'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software accessing the LSASS process for a legitimate reason; update the allowlist with it
level: medium
medium
Strong
Medium FP
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
Sigma YAML:
title: Potentially Suspicious Azure Front Door Connection
id: 8cb4d14e-776e-43c2-8fb9-91e7fcea32b4
status: test
description: |
    Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2)
    that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
references:
    - https://lots-project.com/site/2a2e617a75726566642e6e6574
    - https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178
    - https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
author: Isaac Dunham
date: 2024-11-07
tags:
    - attack.command-and-control
    - attack.t1102.002
    - attack.t1090.004
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'azurefd.net'
    filter_main_web_browsers:
        Image|endswith:
            - 'brave.exe'
            - 'chrome.exe'
            - 'chromium.exe'
            - 'firefox.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'opera.exe'
            - 'vivaldi.exe'
    filter_main_common_talkers:
        Image|endswith: 'searchapp.exe' # Windows search service uses a significant amount of Azure FD
    filter_main_known_benign_domains:
        DestinationHostname|contains:
            - 'afdxtest.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afd.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'roxy.azurefd.net' # used by Cortana; Cisco Umbrella top 1m
            - 'powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net' # Used by VS Code; Cisco Umbrella top 1m
            - 'storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net' # Used by Azure Storage Explorer; Cisco Umbrella top 1m
            - 'graph.azurefd.net' # MS Graph; Cisco Umbrella top 1m
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Results are not inherently suspicious, but should be investigated during threat hunting for potential cloud C2.
    - Organization-specific Azure Front Door endpoints
level: medium
medium
Strong
Medium FP
Potentially Suspicious CMD Shell Output Redirect
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Sigma YAML:
title: Potentially Suspicious CMD Shell Output Redirect
id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
related:
    - id: aa2efee7-34dd-446e-8a37-40790a66efd7
      type: derived
    - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
      type: similar
status: test
description: |
    Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
    This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2024-03-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli_1:
        CommandLine|contains:
            # Note: Add more suspicious locations as you find them
            # Note: The leading space is omitted on purpose so that append operations (">>") are also covered
            # Note: The "?" wildcard accounts for both a single and a double quote
            # Note: To also cover additional spaces, which remain a valid bypass option, use a regex with "\s"
            - '>?%APPDATA%\'
            - '>?%TEMP%\'
            - '>?%TMP%\'
            - '>?%USERPROFILE%\'
            - '>?C:\ProgramData\'
            - '>?C:\Temp\'
            - '>?C:\Users\Public\'
            - '>?C:\Windows\Temp\'
    selection_cli_2:
        CommandLine|contains:
            - ' >'
            - '">'
            - "'>"
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate admin or third party scripts used for diagnostic collection might generate some false positives
level: medium
medium
Strong
Medium FP
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Sigma YAML:
title: Potentially Suspicious Cabinet File Expansion
id: 9f107a84-532c-41af-b005-8d12a607639f
status: test
description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
references:
    - https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll
    - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
author: Bhabesh Raj, X__Junior (Nextron Systems)
date: 2021-07-30
modified: 2024-11-13
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd:
        Image|endswith: '\expand.exe'
        CommandLine|contains|windash: '-F:'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\ProgramData'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\Admin$\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\C$\'
            - '\Temporary Internet'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
    filter_optional_dell:
        # Launched by Dell ServiceShell.exe
        ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe'
        CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\'
    condition: selection_cmd and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - System administrator usage
level: medium
medium
Moderate
High FP
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Sigma YAML:
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-impairment
logsource:
    category: ps_script
    product: windows
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_class:
        ScriptBlockText|contains: 'Win32_NTEventlogFile'
    selection_function:
        ScriptBlockText|contains:
            - '.BackupEventlog('
            - '.ChangeSecurityPermissions('
            - '.ChangeSecurityPermissionsEx('
            - '.ClearEventLog('
            - '.Delete('
            - '.DeleteEx('
            - '.Rename('
            - '.TakeOwnerShip('
            - '.TakeOwnerShipEx('
    condition: all of selection_*
falsepositives:
    - Legitimate administration and backup scripts
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
Sigma YAML:
title: Potentially Suspicious Child Process Of ClickOnce Application
id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
status: test
description: Detects potentially suspicious child processes of a ClickOnce deployment application
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: '\AppData\Local\Apps\2.0\'
        Image|endswith:
            # Add more suspicious processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Sigma YAML:
title: Potentially Suspicious Child Process Of DiskShadow.EXE
id: 9f546b25-5f12-4c8d-8532-5893dcb1e4b8
related:
    - id: fa1a7e52-3d02-435b-81b8-00da14dd66c1 # Diskshadow Script Mode - Execution From Potential Suspicious Location
      type: similar
    - id: 1dde5376-a648-492e-9e54-4241dd9b0c7f # Diskshadow Script Mode - Uncommon Script Extension Execution
      type: similar
    - id: 56b1dde8-b274-435f-a73a-fb75eb81262a # Diskshadow Child Process Spawned
      type: similar
    - id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
      type: similar
status: test
description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
references:
    - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration
    - https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
    - https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf
    - https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware
    - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-15
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\diskshadow.exe'
        Image|endswith:
            # Note: add or remove additional binaries according to your org needs
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - False positives can occur in cases where admin scripts leverage the "exec" flag to execute applications
level: medium
medium
Strong
Medium FP
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Sigma YAML:
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expression' # cmdlet name; a substring match also covers the plural spelling
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environments where VsCode is used heavily. False positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly
level: medium
medium
Moderate
High FP
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
Sigma YAML:
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Sigma YAML:
title: Potentially Suspicious Child Process of KeyScrambler.exe
id: ca5583e9-8f80-46ac-ab91-7f314d13b984
related:
    - id: d2451be2-b582-4e15-8701-4196ac180260
      type: similar
status: test
description: Detects potentially suspicious child processes of KeyScrambler.exe
references:
    - https://twitter.com/DTCERT/status/1712785421845790799
author: Swachchhanda Shrawan Poudel
date: 2024-05-13
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1203
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\KeyScrambler.exe'
    selection_binaries:
        # Note: add additional binaries that the attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
The database might contain authentication tokens and other sensitive information about the logged in accounts.
Sigma YAML:
title: Potentially Suspicious Command Targeting Teams Sensitive Files
id: d2eb17db-1d39-41dc-b57f-301f6512fa75
status: test
description: |
    Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
    The database might contain authentication tokens and other sensitive information about the logged in accounts.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
modified: 2023-12-18
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter_main_legit_locations:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Sigma YAML:
title: Potentially Suspicious Compression Tool Parameters
id: 27a72a60-7e5e-47b1-9d17-909c9abafdcd
status: test
description: Detects potentially suspicious command line arguments of common data compression tools
references:
    - https://twitter.com/SBousseaden/status/1184067445612535811
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2019-10-15
modified: 2023-08-29
tags:
    - attack.collection
    - attack.t1560.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - '7z*.exe'
            - '*rar.exe'
            - '*Command*Line*RAR*'
        CommandLine|contains:
            - ' -p'
            - ' -ta'
            - ' -tb'
            - ' -sdel'
            - ' -dw'
            - ' -hp'
    filter_main_generic:
        ParentImage|contains:
            - ':\Program Files\'
            - ':\Program Files (x86)\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Sigma YAML:
title: Potentially Suspicious DMP/HDMP File Creation
id: aba15bdd-657f-422a-bab3-ac2d2a0d6f1c
related:
    - id: 3a525307-d100-48ae-b3b9-0964699d7f97
      type: similar
status: test
description: Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
references:
    - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-07
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        TargetFilename|endswith:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: selection
falsepositives:
    - Some administrative PowerShell or VB scripts might have the ability to collect dumps and move them to other folders which might trigger a false positive.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_dump_file_susp_creation/info.yml
medium
Strong
Medium FP
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
      type: similar
status: test
description: |
    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flag:
        CommandLine|contains: 'add'
    selection_keys:
        CommandLine|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_cli_reg_1:
        CommandLine|contains|all:
            - '/v NoChangingWallpaper'
            - '/d 1' # Prevent changing desktop background
    selection_cli_reg_2:
        CommandLine|contains|all:
            - '/v Wallpaper'
            - '/t REG_SZ'
    selection_cli_reg_3:
        CommandLine|contains|all:
            - '/v WallpaperStyle'
            - '/d 2' # Stretch
    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
medium
Strong
Medium FP
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
      type: similar
status: test
description: |
    Detects registry value settings that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium
medium
Strong
High FP
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
title: Potentially Suspicious Electron Application CommandLine
id: 378a05d8-963c-46c9-bcce-13c7657eac99
related:
    - id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
      type: similar
status: test
description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
references:
    - https://positive.security/blog/ms-officecmd-rce
    - https://lolbas-project.github.io/lolbas/Binaries/Teams/
    - https://lolbas-project.github.io/lolbas/Binaries/Msedge/
    - https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
    - https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
    - https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
modified: 2023-11-09
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            # Add more electron based app to the list
            - '\chrome.exe'
            - '\code.exe'
            - '\discord.exe'
            - '\GitHubDesktop.exe'
            - '\keybase.exe'
            - '\msedge_proxy.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\msteams.exe'
            - '\slack.exe'
            - '\Teams.exe'
        - OriginalFileName:
            # Add more electron based app to the list
            - 'chrome.exe'
            - 'code.exe'
            - 'discord.exe'
            - 'GitHubDesktop.exe'
            - 'keybase.exe'
            - 'msedge_proxy.exe'
            - 'msedge.exe'
            - 'msedgewebview2.exe'
            - 'msteams.exe'
            - 'slack.exe'
            - 'Teams.exe'
    selection_cli:
        CommandLine|contains:
            - '--browser-subprocess-path'
            - '--gpu-launcher'
            - '--renderer-cmd-prefix'
            - '--utility-cmd-prefix'
    condition: all of selection_*
falsepositives:
    - Legitimate usage for debugging purposes
# Increase the level once FP rate is known better (see status)
level: medium
medium
Strong
Medium FP
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors to extract sensitive information from event logs, such as usernames, IP addresses and hostnames.
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
      type: derived
status: test
description: |
    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
    This technique is used by threat actors to extract sensitive information from event logs, such as usernames, IP addresses and hostnames.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://www.group-ib.com/blog/apt41-world-tour-2021/
    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1552
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
    - Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
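The rule above combines several Sigma features that are easy to misread when you hand-translate it into a SIEM query: the `?` single-character wildcard that stands in for either quote character, case-insensitive matching, `contains|all` versus plain `contains`, and the `1 of` / `all of` grouping in the condition. The following added example (illustration written for this page, not SigmaHQ code and not any Sigma backend) implements just those semantics in Python and runs a subset of the rule's selections over constructed Sysmon-style process_creation events, so you can see which command lines fire and why. The event dicts and the trimmed channel/EID lists are constructed for the example.

```python
import re

def _pattern_re(pattern: str, mode: str) -> re.Pattern:
    """Turn a Sigma value into a regex: '*' matches any run of characters,
    '?' exactly one, matching is case-insensitive. 'contains' searches anywhere;
    'startswith'/'endswith' anchor one end; a value without modifier ('equals')
    must match the whole field."""
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    if mode in ("startswith", "equals"):
        body = "^" + body
    if mode in ("endswith", "equals"):
        body = body + "$"
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def field_matches(value: str, key: str, patterns) -> bool:
    """key is written as in the rule: 'Field', 'Field|contains', 'Field|contains|all'."""
    parts = key.split("|")
    mode = parts[1] if len(parts) > 1 else "equals"
    if isinstance(patterns, str):
        patterns = [patterns]
    hits = [_pattern_re(p, mode).search(value) is not None for p in patterns]
    return all(hits) if "all" in parts[2:] else any(hits)

def selection_matches(event: dict, selection) -> bool:
    """A mapping is AND over its fields; a list of mappings is OR over the entries.
    A field missing from the event never matches."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(field_matches(str(event.get(k.split("|")[0], "")), k, v) for k, v in selection.items())

# Subset of the rule's selections (channel and EID lists trimmed for the example).
RECON_RULE = {
    "selection_wmi": {"CommandLine|contains|all": ["Select", "Win32_NTLogEvent"]},
    "selection_wevtutil_img": [{"Image|endswith": "\\wevtutil.exe"}, {"OriginalFileName": "wevtutil.exe"}],
    "selection_wevtutil_cli": {"CommandLine|contains": [" qe ", " query-events "]},
    "selection_wmic_img": [{"Image|endswith": "\\wmic.exe"}, {"OriginalFileName": "wmic.exe"}],
    "selection_wmic_cli": {"CommandLine|contains": " ntevent"},
    "selection_cmdlet": {"CommandLine|contains": ["Get-WinEvent ", "get-eventlog "]},
    "selection_logs_name": {"CommandLine|contains": [
        "Microsoft-Windows-Security-Auditing", "Microsoft-Windows-TerminalServices-LocalSessionManager",
        "Security", "Windows PowerShell"]},
    "selection_logs_eid": {"CommandLine|contains": [
        "-InstanceId 462?", ".ID -eq 462?", "EventCode=?462?", "System[EventID=462?]",
        "-InstanceId 4778", "System[EventID=1149]"]},
}

def recon_rule_matches(event: dict) -> bool:
    """condition: 1 of selection_logs_* and
       (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)"""
    def sel(name):
        return selection_matches(event, RECON_RULE[name])
    def group(prefix):
        return [n for n in RECON_RULE if n.startswith(prefix)]
    logs = any(sel(n) for n in group("selection_logs_"))
    tools = (sel("selection_wmi")
             or all(sel(n) for n in group("selection_wevtutil_"))
             or all(sel(n) for n in group("selection_wmic_"))
             or sel("selection_cmdlet"))
    return logs and tools

# Constructed process_creation events (Sysmon field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": r'wevtutil.exe qe Security /q:"*[System[EventID=4624]]" /f:text /c:50'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c \"Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4778}\""},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "WMIC ntevent where \"LogFile='Security' and EventCode='4624'\" get InsertionStrings"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Application /c:5 /rd:true"},  # no channel or EID of interest: benign
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic ntevent where \"EventCode='4624'\" get Message"},  # '?' absorbs the quote
]

def evaluate(events=SAMPLE_EVENTS):
    return [recon_rule_matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "clean ", event["CommandLine"])
```

The fourth event shows the property that keeps this rule at "medium" rather than "high" FP: a wevtutil query on its own never fires; the condition requires an interesting channel name or event ID as well. The fifth shows why the rule spells `EventCode=?462?` instead of `EventCode='462`: the single `?` matches whichever quote the operator used. When you map the rule to your own schema, keep the matching case-insensitive, or `WMIC.exe` and `Get-WinEvent` in mixed case will slip through.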
medium
Moderate
High FP
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
title: Potentially Suspicious Execution From Tmp Folder
id: 312b42b1-bded-4441-8b58-163a3af58775
status: test
description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
modified: 2025-08-05
tags:
    - attack.stealth
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|startswith: '/tmp/'
    filter_optional_nextcloud:
        Image|endswith: '/usr/bin/nextcloud'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
title: Potentially Suspicious Execution Of PDQDeployRunner
id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
related:
    - id: d679950c-abb7-43a6-80fb-2a480c4fc450
      type: similar
status: test
description: Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines
references:
    - https://twitter.com/malmoeb/status/1550483085472432128
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-22
modified: 2024-05-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\PDQDeployRunner-'
    selection_child:
        # Improve this section by adding other suspicious processes, commandlines or paths
        - Image|endswith:
            # If you use any of the following processes legitimately comment them out
            - '\bash.exe'
            - '\certutil.exe'
            - '\cmd.exe'
            - '\csc.exe'
            - '\cscript.exe'
            - '\dllhost.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\scriptrunner.exe'
            - '\wmic.exe'
            - '\wscript.exe'
            - '\wsl.exe'
        - Image|contains:
            - ':\ProgramData\'
            - ':\Users\Public\'
            - ':\Windows\TEMP\'
            - '\AppData\Local\Temp'
        - CommandLine|contains:
            - ' -decode '
            - ' -enc '
            - ' -encodedcommand '
            - ' -w hidden'
            - 'DownloadString'
            - 'FromBase64String'
            - 'http'
            - 'iex '
            - 'Invoke-'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the PDQDeploy tool to execute these commands
level: medium
medium
Moderate
High FP
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
title: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
id: cc368ed0-2411-45dc-a222-510ace303cb2
related:
    - id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
modified: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - '\Regsvcs.exe'
            - '\Regasm.exe'
        - OriginalFileName:
            - 'RegSvcs.exe'
            - 'RegAsm.exe'
    selection_dir:
        CommandLine|contains:
            # Note: Add more potentially suspicious directories
            - '\AppData\Local\Temp\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\PerfLogs\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\Desktop\'
            # - '\Downloads\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
title: Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
id: e9f8f8cc-07cc-4e81-b724-f387db9175e4
related:
    - id: cc368ed0-2411-45dc-a222-510ace303cb2
      type: derived
status: test
description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
references:
    - https://www.fortiguard.com/threat-signal-report/4718?s=09
    - https://lolbas-project.github.io/lolbas/Binaries/Regasm/
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-13
tags:
    - attack.stealth
    - attack.t1218.009
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - '\Regsvcs.exe'
            - '\Regasm.exe'
        - OriginalFileName:
            - 'RegSvcs.exe'
            - 'RegAsm.exe'
    selection_extension:
        CommandLine|contains:
            # Note: Add more potentially uncommon extensions
            - '.dat'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.txt'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
medium
Strong
Medium FP
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
title: Potentially Suspicious GrantedAccess Flags On LSASS
id: a18dd26b-6450-46de-8c91-9659150cf088
related:
    - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
      type: similar
status: test
description: Detects process access requests to LSASS process with potentially suspicious access flags
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
date: 2021-11-22
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection_target:
        TargetImage|endswith: '\lsass.exe'
    selection_access:
        - GrantedAccess|endswith:
            # - '10' # covered in rule 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
        - GrantedAccess|startswith:
            - '0x100000'
            - '0x1418' # car.2019-04-004
            - '0x1438' # car.2019-04-004
            - '0x143a' # car.2019-04-004
            - '0x1f0fff'
            - '0x1f1fff'
            - '0x1f2fff'
            - '0x1f3fff'
            - '0x40'
            # - '0x1000' # minimum access requirements to query basic info from service
            # - '0x1010' # car.2019-04-004
            # - '0x1400'
            # - '0x1410' # car.2019-04-004 # Covered by 678dfc63-fefb-47a5-a04c-26bcf8cc9f65
    filter_main_generic:
        # When using this rule. Remove this filter and replace it by the path of the specific AV you use
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
    filter_optional_malwarebytes:
        SourceImage|endswith: ':\ProgramData\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
    filter_optional_vscode:
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_main_windefend_1:
        SourceImage|contains: ':\ProgramData\Microsoft\Windows Defender\'
        SourceImage|endswith: '\MsMpEng.exe'
    filter_main_windefend_2:
        CallTrace|contains|all:
            - '|?:\ProgramData\Microsoft\Windows Defender\Definition Updates\{'
            - '}\mpengine.dll+'
        GrantedAccess: '0x1418'
    filter_main_windefend_3:
        CallTrace|contains:
            - '|c:\program files\windows defender\mprtp.dll'
            - '|c:\program files\windows defender\MpClient.dll'
    filter_optional_vmwaretools:
        SourceImage|contains: ':\ProgramData\VMware\VMware Tools\'
        SourceImage|endswith: '\vmtoolsd.exe'
    filter_optional_sysinternals_process_explorer:
        SourceImage|endswith:
            - '\PROCEXP64.EXE'
            - '\PROCEXP.EXE'
        GrantedAccess: '0x40'
    filter_optional_mbami:
        SourceImage|endswith: '\MBAMInstallerService.exe'
        GrantedAccess: '0x40'
    filter_optional_nextron:
        SourceImage|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
            - '\thor.exe'
            - '\thor64.exe'
        GrantedAccess: '0x40'
    filter_main_explorer:
        SourceImage|endswith: '\explorer.exe'
        GrantedAccess: '0x401'
    filter_optional_sysinternals_handle:
        SourceImage|endswith:
            - '\handle.exe'
            - '\handle64.exe'
        GrantedAccess: '0x40'
    filter_optional_webex:
        SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
        GrantedAccess: '0x401'
    filter_optional_steam_apps:
        SourceImage|contains: '\SteamLibrary\steamapps\'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software such as AV and EDR
level: medium
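The `GrantedAccess` lists in this rule read as opaque hex fragments until you decode them against the PROCESS_* access rights from the Microsoft page the rule references: every `endswith` entry is a low byte with PROCESS_VM_READ (0x10) set alongside VM_WRITE, VM_OPERATION or CREATE_THREAD, which is the access a memory dumper needs, while `0x14C2` (the ATPMiniDump value) and `startswith: '0x40'` (PROCESS_DUP_HANDLE) do not include VM_READ at all. The following added example (illustration written for this page, not SigmaHQ code) decodes a Sysmon Event ID 10 mask and evaluates the rule's `selection_access` against it; the right values come from the referenced Microsoft documentation, and the mask strings fed in are constructed.

```python
# PROCESS_* and standard access rights (values from Microsoft's
# "Process Security and Access Rights" page referenced by the rule).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# The rule's selection_access lists, lowercased because Sigma matching is case-insensitive.
ENDSWITH = ["30", "50", "70", "90", "b0", "d0", "f0",
            "18", "38", "58", "78", "98", "b8", "d8", "f8",
            "1a", "3a", "5a", "7a", "9a", "ba", "da", "fa", "0x14c2"]
STARTSWITH = ["0x100000", "0x1418", "0x1438", "0x143a",
              "0x1f0fff", "0x1f1fff", "0x1f2fff", "0x1f3fff", "0x40"]

def decode_granted_access(mask: str) -> set:
    """Sysmon logs GrantedAccess as a hex string such as '0x1418'."""
    value = int(mask, 16)
    return {name for bit, name in PROCESS_RIGHTS.items() if value & bit}

def selection_access_matches(mask: str) -> bool:
    """Evaluate the rule's selection_access (OR of the endswith and startswith lists)."""
    m = mask.lower()
    return any(m.endswith(s) for s in ENDSWITH) or any(m.startswith(s) for s in STARTSWITH)

def reads_lsass_memory(mask: str) -> bool:
    """True when the handle allows reading LSASS memory (what a credential dumper needs)."""
    return "PROCESS_VM_READ" in decode_granted_access(mask)

def endswith_entries_imply_vm_read() -> bool:
    """Sanity check on the rule's own list: every two-digit low byte has bit 0x10 set."""
    return all(int(s, 16) & 0x10 for s in ENDSWITH if not s.startswith("0x"))

if __name__ == "__main__":
    # Constructed masks: mimikatz-style full access, the CAR values, DUP_HANDLE, explorer's 0x401.
    for mask in ("0x1fffff", "0x1418", "0x1410", "0x1010", "0x40", "0x401", "0x14c2"):
        print(mask, selection_access_matches(mask), sorted(decode_granted_access(mask)))
```

Two things the decode makes visible. First, `0x1FFFFF` (PROCESS_ALL_ACCESS on current Windows) is not matched by this rule's lists; the `startswith` entries stop at `0x1f3fff`, so check that another rule in your pack covers it before relying on this one alone. Second, `startswith: '0x40'` also matches `0x400`, `0x401` and `0x4000`, which is why the rule carries explicit `0x401` filters for explorer.exe and WebexHost.exe; if you widen the generic path filter you will see those again.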
medium
Moderate
High FP
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains|all:
            - 'http'
            - 'execSync'
            - 'spawn'
            - 'fs'
            - 'path'
            - 'zlib'
    condition: all of selection_*
falsepositives:
    - Legitimate scripts using Node.js with these modules
level: medium
medium
Moderate
High FP
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
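The strings `eyJ0eXAiOi` and `eyJhbGciOi` are not magic: they are the base64url encoding of the first bytes of a compact JWT header, `{"typ":` and `{"alg":`, which is why every JWT an attacker greps for starts with one of them. The following added example (illustration written for this page, not SigmaHQ code) derives the prefixes from real headers, shows the one formatting variation the rule does not cover (a space after the opening brace), and applies the rule's two selections to constructed command lines.

```python
import base64
import json

def jwt_header_prefix(header: dict) -> str:
    """Encode a JWT header the way JWT libraries do: compact JSON, base64url, no padding."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def spaced_header_prefix() -> str:
    """A header with whitespace after '{' encodes to a different prefix ('eyAi...'),
    which none of the rule's strings match. Libraries emit compact JSON, so this is
    a corner case, but it is the gap to know about."""
    return base64.urlsafe_b64encode(b'{ "typ":"JWT","alg":"HS256"}').decode()

# The rule's two selections; lowercased because Sigma string matching is case-insensitive.
TOOLS = ["find ", "find.exe", "findstr", "select-string ", "strings"]
JWT_STRINGS = ["eyJ0eXAiOi", "eyJhbGciOi",
               " eyJ0eX", ' "eyJ0eX"', " 'eyJ0eX'",
               " eyJhbG", ' "eyJhbG"', " 'eyJhbG'"]

def rule_matches(command_line: str) -> bool:
    """condition: all of selection_* (a search tool AND a JWT prefix on the same command line)."""
    c = command_line.lower()
    return any(t.lower() in c for t in TOOLS) and any(s.lower() in c for s in JWT_STRINGS)

# Constructed command lines with the expected verdict; not real telemetry.
SAMPLES = {
    r'findstr /s /i "eyJhbG" C:\Users\*\AppData\Local\*.log': True,
    "powershell -c \"Select-String -Path *.log -Pattern 'eyJ0eX'\"": True,
    r'findstr /c:"ERROR" C:\logs\app.log': False,
    "type token.txt": False,  # no search tool on the command line
}

def evaluate_samples() -> dict:
    return {cmd: rule_matches(cmd) for cmd in SAMPLES}

if __name__ == "__main__":
    print(jwt_header_prefix({"typ": "JWT", "alg": "HS256"}))
    print(jwt_header_prefix({"alg": "HS256", "typ": "JWT"}))
    print(spaced_header_prefix())
    for cmd, hit in evaluate_samples().items():
        print("ALERT " if hit else "clean ", cmd)
```

The two full header encodings the block prints are the familiar `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9` and `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`; only their first ten characters matter to the rule, and those are fixed by the JSON key order, not by the algorithm or token type. Note that the rule key is the search tool plus the prefix on one command line; a `type` or `cat` of a file that happens to contain a token does not fire, which is the intended trade-off against noise.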
medium
Strong
Medium FP
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
    - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_proxy:
        # Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
        - Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        - OriginalFileName:
            - 'Cmd.Exe'
            - 'PowerShell.EXE'
            - 'pwsh.dll'
    selection_fsutil_cli:
        CommandLine|contains|all:
            - 'fsutil'
            - 'behavior'
            - 'set'
            - 'SymlinkEvaluation'
    selection_symlink_params:
        CommandLine|contains:
            - 'R2L:1' # Remote to Local
            - 'R2R:1' # Remote to Remote
            - 'L2L:1' # Local to Local
    condition: all of selection_*
falsepositives:
    - Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Named Pipe Created Via Mkfifo
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
title: Potentially Suspicious Named Pipe Created Via Mkfifo
id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
related:
    - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
      type: derived
status: test
description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
references:
    - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/mkfifo'
        # Note: Add more potentially suspicious locations
        CommandLine|contains: ' /tmp/'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Ping/Copy Command Combination
Detects an uncommon and potentially suspicious one-liner that contains both "ping" and "copy", a combination commonly used by malware.
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
    Detects an uncommon and potentially suspicious one-liner that contains both "ping" and "copy", a combination commonly used by malware.
references:
    - Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
    - attack.stealth
    - attack.t1070.004
logsource:
    category: process_creation
    product: windows
detection:
    # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
    selection_cmd:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_action:
        CommandLine|contains|all:
            - 'ping' # Covers "ping" and "ping.exe"
            - 'copy '
    selection_cli_1:
        CommandLine|contains|windash: ' -n ' # Count
    selection_cli_2:
        CommandLine|contains|windash: ' -y '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell.
Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
view Sigma YAML
title: Potentially Suspicious PowerShell Child Processes
id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647
status: test
description: |
    Detects potentially suspicious child processes spawned by PowerShell.
    Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
references:
    - https://twitter.com/ankit_anubhav/status/1518835408502620162
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2022-04-26
modified: 2024-07-16
tags:
    - attack.execution
    - attack.t1059.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\certutil.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_optional_amazon:
        ParentCommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
        CommandLine|contains: '\Program Files\Amazon\WorkspacesConfig\Scripts\' # AWS Workspaces
    filter_main_certutil_verify_store:
        Image|endswith: '\certutil.exe'
        CommandLine|contains: '-verifystore '
    filter_main_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains:
            - 'qfe list'
            - 'diskdrive '
            - 'csproduct '
            - 'computersystem '
            - ' os '
            - ''
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - False positives are to be expected from PowerShell scripts that might make use of additional binaries such as "mshta", "bitsadmin", etc. Apply additional filters for those scripts.
level: medium
medium
Strong
Medium FP
Potentially Suspicious Powershell Script Execution From Temp Folder
Detects potentially suspicious PowerShell script executions from a temporary folder
title: Potentially Suspicious Powershell Script Execution From Temp Folder
id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
status: test
description: Detects potentially suspicious PowerShell script executions from a temporary folder
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton
date: 2021-07-14
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '\Windows\Temp'
            - '\Temporary Internet'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    filter_optional_vscode:
        CommandLine|contains: '-WindowStyle hidden -Verb runAs'
    filter_optional_amazon_ec2:
        CommandLine|contains: '\Windows\system32\config\systemprofile\AppData\Local\Temp\Amazon\EC2-Windows\'
    filter_optional_generic:
        CommandLine|contains:
            - ' >'
            - 'Out-File'
            - 'ConvertTo-Json'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts
level: medium
medium
Strong
Medium FP
Potentially Suspicious Regsvr32 HTTP/FTP Pattern
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
title: Potentially Suspicious Regsvr32 HTTP/FTP Pattern
id: 867356ee-9352-41c9-a8f2-1be690d78216
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
references:
    - https://twitter.com/mrd0x/status/1461041276514623491
    - https://twitter.com/tccontre18/status/1480950986650832903
    - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2023-05-24
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\regsvr32.exe'
        - OriginalFileName: 'REGSVR32.EXE'
    selection_flag:
        CommandLine|contains:
            - ' /i'
            - ' -i'
    selection_protocol:
        CommandLine|contains:
            - 'ftp'
            - 'http'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious Rundll32 Activity
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
title: Potentially Suspicious Rundll32 Activity
id: e593cf51-88db-4ee1-b920-37e89012a3c9
status: test
description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
references:
    - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
    - https://twitter.com/Hexacorn/status/885258886428725250
    - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
    - https://twitter.com/nas_bench/status/1433344116071583746 # dfshim.dll,ShOpenVerbShortcut
    - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
    - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-05-17
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains|all:
              - 'javascript:'
              - '.RegisterXLL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'OpenURLA'
        - CommandLine|contains|all:
              - 'url.dll'
              - 'FileProtocolHandler'
        - CommandLine|contains|all:
              - 'zipfldr.dll'
              - 'RouteTheCall'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'Control_RunDLL'
        - CommandLine|contains|all:
              - 'shell32.dll'
              - 'ShellExec_RunDLL'
        - CommandLine|contains|all:
              - 'mshtml.dll'
              - 'PrintHTML'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'advpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'LaunchINFSection'
        - CommandLine|contains|all:
              - 'ieadvpack.dll'
              - 'RegisterOCX'
        - CommandLine|contains|all:
              - 'ieframe.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'shdocvw.dll'
              - 'OpenURL'
        - CommandLine|contains|all:
              - 'syssetup.dll'
              - 'SetupInfObjectInstallAction'
        - CommandLine|contains|all:
              - 'setupapi.dll'
              - 'InstallHinfSection'
        - CommandLine|contains|all:
              - 'pcwutl.dll'
              - 'LaunchApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbApplication'
        - CommandLine|contains|all:
              - 'dfshim.dll'
              - 'ShOpenVerbShortcut'
        - CommandLine|contains|all:
              - 'scrobj.dll'
              - 'GenerateTypeLib'
              - 'http'
        - CommandLine|contains|all:
              - 'shimgvw.dll'
              - 'ImageView_Fullscreen'
              - 'http'
        - CommandLine|contains|all:
              - 'comsvcs.dll'
              - 'MiniDump'
    filter_main_screensaver:
        CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
    filter_main_parent_cpl: # Settings
        ParentImage: 'C:\Windows\System32\control.exe'
        ParentCommandLine|contains: '.cpl'
        CommandLine|contains|all:
            - 'Shell32.dll'
            - 'Control_RunDLL'
            - '.cpl'
    filter_main_startmenu:
        ParentImage: 'C:\Windows\System32\control.exe'
        CommandLine|startswith: '"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\'
        CommandLine|endswith: '.cpl",'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium
Strong
Medium FP
Potentially Suspicious Rundll32.EXE Execution of UDL File
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: test
description: |
    Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
    Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
references:
    - https://trustedsec.com/blog/oops-i-udld-it-again
author: '@kostastsale'
date: 2024-08-16
tags:
    - attack.execution
    - attack.command-and-control
    - attack.stealth
    - attack.t1218.011
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'oledb32.dll'
            - ',OpenDSLFile '
            - '\\Users\\*\\Downloads\\' # Note: You can adjust the path to the download directory or other directories according to your environment.
        CommandLine|endswith: '.udl'
    condition: all of selection_*
falsepositives:
    - UDL files serve as a convenient and flexible tool for managing and testing database connections in various development and administrative scenarios.
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Usually ".sed" files are simple ini files and not PE binaries.
title: Potentially Suspicious Self Extraction Directive File Created
id: ab90dab8-c7da-4010-9193-563528cfa347
related:
    - id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
      type: derived
status: test
description: |
    Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files.
    These files are used by the "iexpress.exe" utility in order to create self extracting packages.
    Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
    Usually ".sed" files are simple ini files and not PE binaries.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-02-05
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_executable_detected
detection:
    selection:
        TargetFilename|endswith: '.sed'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
title: Potentially Suspicious Usage Of Qemu
id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
status: test
description: |
    Detects potentially suspicious execution of the Qemu utility in a Windows environment.
    Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
references:
    - https://securelist.com/network-tunneling-with-qemu/111803/
    - https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
author: Muhammad Faisal (@faisalusuf), Hunter Juhan (@threatHNTR)
date: 2024-06-03
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '-m 1M' # A VM with just 1MB of RAM is unusable for normal purposes, so this is a suspicious flag
            - '-m 2M'
            - '-m 3M'
        CommandLine|contains|all:
            - 'restrict=off'
            - '-netdev '
            - 'connect='
            - '-nographic' # Also a key indicator: QEMU is rarely invoked from the console without a UI
    filter_main_normal_usecase:
        CommandLine|contains:
            - ' -cdrom ' # Normal usage cases
            - ' type=virt '
            - ' -blockdev '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Detects the image load of VSS DLL by uncommon executables
title: Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
id: 48bfd177-7cf2-412b-ad77-baf923489e82
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2023-02-17
modified: 2025-12-03
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vsstrace.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
              - 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_optional_recovery:
        Image|startswith: 'C:\$WinREAgent\Scratch\'
    filter_main_null_image:
        Image: null # Observed through Aurora
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious WDAC Policy File Creation
Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes. This could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
title: Potentially Suspicious WDAC Policy File Creation
id: 1d2de8a6-4803-4fde-b85b-f58f3aa7a705
status: experimental
description: |
    Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes. This could be abused by an attacker to block EDR/AV components while allowing their own malicious code to run on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy
    - https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/
    - https://github.com/logangoins/Krueger/tree/main
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm
author: X__Junior
date: 2025-02-07
modified: 2026-05-18
tags:
    - attack.defense-impairment
logsource:
    category: file_event
    product: windows
detection:
    selection_target:
        # This is a default location but unfortunately it could be any path configured in Group Policy Management Editor.
        # No file extension needed because any extension would work, check first reference.
        TargetFilename|contains: '\Windows\System32\CodeIntegrity\'
    filter_main_images:
        Image|endswith:
            - '\Microsoft.ConfigurationManagement.exe' # Replace with full path to avoid false negatives
            - '\WDAC Wizard.exe' # Replace with full path to avoid false negatives
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Windows\System32\dllhost.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\dllhost.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_cli:
        - CommandLine|contains|all:
              - 'ConvertFrom-CIPolicy -XmlFilePath'
              - '-BinaryFilePath '
        - CommandLine|contains: 'CiTool --update-policy'
        - CommandLine|contains|all:
              - 'Copy-Item -Path'
              - '-Destination'
    filter_main_system:
        Image: 'System'
    filter_main_wuauclt:
        Image: 'C:\Windows\System32\wuauclt.exe'
    filter_main_wuaucltcore:
        Image:
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
            - 'C:\Windows\UUS\Packages\Preview\arm64\wuaucltcore.exe'
    condition: selection_target and not 1 of filter_main_*
falsepositives:
    - Administrators and security vendors could leverage WDAC, apply additional filters as needed.
level: medium
medium
Moderate
High FP
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
      type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains: '\DavWWWRoot\'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
Potentially Suspicious Windows App Activity
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        # GrandParentImage|endswith: '\sihost.exe'
        ParentImage|contains: 'C:\Program Files\WindowsApps\'
    selection_susp_img:
        Image|endswith:
            # You can add more LOLBINs
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_susp_cli:
        # You can add more potentially suspicious keywords
        CommandLine|contains:
            - 'cmd /c'
            - 'Invoke-'
            - 'Base64'
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
        ParentImage|endswith: '\WindowsTerminal.exe'
        # Note: to avoid FP add the default shells and profiles that your WT integrates
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_optional_sysinternals:
        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
        Image|endswith: '\cmd.exe'
    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate packages that make use of external binaries such as Windows Terminal
level: medium
medium
Strong
Medium FP
Potentially Suspicious Wuauclt Network Connection
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
title: Potentially Suspicious Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
status: test
description: |
    Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections.
    One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
references:
    - https://dtm.uk/wuauclt/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2024-03-12
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: network_connection
    product: windows
    definition: 'Requirements: The CommandLine field enrichment is required in order for this rule to be used.'
detection:
    selection:
        Image|contains: 'wuauclt'
        CommandLine|contains: ' /RunHandlerComServer'
        # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
    filter_main_ip:
        DestinationIp|cidr: # Ranges excluded based on https://github.com/SigmaHQ/sigma/blob/0f176092326ab9d1e19384d30224e5f29f760d82/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '169.254.0.0/16' # link-local address
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_main_msrange: # Sysmon
        DestinationIp|cidr:
            - '20.184.0.0/13' # Microsoft Corporation
            - '20.192.0.0/10' # Microsoft Corporation
            - '23.79.0.0/16' # Microsoft Corporation
            - '51.10.0.0/15'
            - '51.103.0.0/16' # Microsoft Corporation
            - '51.104.0.0/15' # Microsoft Corporation
            - '52.224.0.0/11' # Microsoft Corporation
    filter_main_uus:
        CommandLine|contains:
            - ':\Windows\UUS\Packages\Preview\amd64\updatedeploy.dll /ClassId'
            - ':\Windows\UUS\amd64\UpdateDeploy.dll /ClassId'
    filter_main_winsxs:
        CommandLine|contains|all:
            - ':\Windows\WinSxS\'
            - '\UpdateDeploy.dll /ClassId '
    filter_main_cli_null:
        CommandLine: null
    filter_main_cli_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Moderate
Medium FP
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
tags:
    - attack.stealth
    - attack.t1070
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSReadLine\ConsoleHost_history.txt'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Strong
Medium FP
PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
Detects behavior similar to meterpreter's "load powershell" extension.
title: PowerShell Core DLL Loaded By Non PowerShell Process
id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
related:
    - id: 867613fb-fa60-4497-a017-a82df74a172c
      type: obsolete
    - id: fe6e002f-f244-4278-9263-20e4b593827f
      type: obsolete
status: test
description: |
    Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
    Detects behavior similar to meterpreter's "load powershell" extension.
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/p3nt4/PowerShdll
author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2019-11-14
modified: 2025-10-07
tags:
    - attack.t1059.001
    - attack.execution
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - Description: 'System.Management.Automation'
        - OriginalFileName: 'System.Management.Automation.dll'
        - ImageLoaded|endswith:
              - '\System.Management.Automation.dll'
              - '\System.Management.Automation.ni.dll'
    filter_main_powershell:
        Image:
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview
            - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    filter_main_pwsh_preview:
        Image|contains:
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
            - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
        Image|endswith: '\pwsh.exe'
    filter_main_generic:
        Image:
            - 'C:\Windows\System32\dsac.exe'
            - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe'
            - 'C:\Windows\System32\runscripthelper.exe'
            - 'C:\WINDOWS\System32\sdiagnhost.exe'
            - 'C:\Windows\System32\ServerManager.exe'
            - 'C:\Windows\System32\SyncAppvPublishingServer.exe'
            - 'C:\Windows\System32\winrshost.exe'
            - 'C:\Windows\System32\wsmprovhost.exe'
            - 'C:\Windows\SysWOW64\winrshost.exe'
            - 'C:\Windows\SysWOW64\wsmprovhost.exe'
    filter_main_dotnet:
        Image|startswith:
            - 'C:\Windows\Microsoft.NET\Framework\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
            - 'C:\Windows\Microsoft.NET\Framework64\'
        Image|endswith: '\mscorsvw.exe'
    filter_optional_sql_server_mgmt:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio'
            - 'C:\Program Files\Microsoft SQL Server Management Studio'
        Image|endswith: '\IDE\Ssms.exe'
    filter_optional_sql_server_tools:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft SQL Server\'
            - 'C:\Program Files\Microsoft SQL Server\'
        Image|endswith: '\Tools\Binn\SQLPS.exe'
    filter_optional_citrix:
        Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe'
    filter_optional_vs:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
            - 'C:\Program Files\Microsoft Visual Studio\'
    filter_optional_chocolatey:
        Image|startswith: 'C:\ProgramData\chocolatey\choco.exe'
    filter_optional_nextron:
        Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
        # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
    filter_optional_aurora:
        # This filter is to avoid a race condition FP with this specific ETW provider in aurora
        Image: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Used by some .NET binaries, minimal on user workstation.
    - Used by Microsoft SQL Server Management Studio
level: medium
medium
Moderate
Medium FP
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
    - attack.stealth
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains:
            - '\System.Management.Automation.Dll'
            - '\System.Management.Automation.ni.Dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Moderate
High FP
PowerShell Create Local User
Detects creation of a local user via PowerShell
title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-LocalUser'
    condition: selection
falsepositives:
    - Legitimate user creation
level: medium
medium
Moderate
High FP
PowerShell Deleted Mounted Share
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
title: PowerShell Deleted Mounted Share
id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: test
description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-08
modified: 2025-10-07
tags:
    - attack.stealth
    - attack.t1070.005
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Remove-SmbShare'
            - 'Remove-FileShare'
    filter_main_module_load:
        ScriptBlockText|contains|all:
            - 'FileShare.cdxml'
            - 'Microsoft.PowerShell.Core\Export-ModuleMember'
            - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare'
            - 'ObjectModelWrapper'
            - 'Cmdletization.MethodParameter'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators or Power users may remove their shares via cmd line
level: medium