Tool
SIEM
Sigma (generic) detection rules
3,751 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,751
medium
Strong
Medium FP
Remote Access Tool - MeshAgent Command Execution via MeshCentral
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
view Sigma YAML
title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: test
description: |
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
references:
- https://github.com/Ylianst/MeshAgent
- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
- https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
author: '@Kostastsale'
date: 2024-09-22
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\meshagent.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - NetSupport Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: Remote Access Tool - NetSupport Execution
id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2023-03-06
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: NetSupport Client Configurator
- Product: NetSupport Remote Control
- Company: NetSupport Ltd
- OriginalFileName: PCICFGUI.EXE
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - NetSupport Execution From Unusual Location
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
view Sigma YAML
title: Remote Access Tool - NetSupport Execution From Unusual Location
id: 37e8d358-6408-4853-82f4-98333fca7014
status: test
description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2024-11-23
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\client32.exe'
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
filter:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
view Sigma YAML
title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
- id: 2fbbe9ff-0afc-470b-bdc0-592198339968
type: similar
status: experimental
description: |
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains: '--meshServiceName'
condition: selection
falsepositives:
- Environments that legitimately use MeshAgent
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - Potential MeshAgent Execution - Windows
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
view Sigma YAML
title: Remote Access Tool - Potential MeshAgent Execution - Windows
id: 2fbbe9ff-0afc-470b-bdc0-592198339968
related:
- id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
type: similar
status: experimental
description: |
Detects potential execution of MeshAgent which is a tool used for remote access.
Historical data shows that threat actors rename MeshAgent binary to evade detection.
Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: '--meshServiceName'
condition: selection
falsepositives:
- Environments that legitimately use MeshAgent
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Access Tool - RURAT Execution From Unusual Location
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
view Sigma YAML
title: Remote Access Tool - RURAT Execution From Unusual Location
id: e01fa958-6893-41d4-ae03-182477c5e77d
status: test
description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-03-05
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\rutserv.exe'
- '\rfusclient.exe'
- Product: 'Remote Utilities'
filter:
Image|startswith:
- 'C:\Program Files\Remote Utilities'
- 'C:\Program Files (x86)\Remote Utilities'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - ScreenConnect Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: Remote Access Tool - ScreenConnect Execution
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'ScreenConnect Service'
- Product: 'ScreenConnect'
- Company: 'ScreenConnect Software'
condition: selection
falsepositives:
- Legitimate usage of the tool
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - ScreenConnect Installation Execution
Detects ScreenConnect program starts that establish a remote access to a system.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish a remote access to a system.
references:
- https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'e=Access&'
- 'y=Guest&'
- '&p='
- '&c='
- '&k='
condition: selection
falsepositives:
- Legitimate use by administrative staff
level: medium
Convert to SIEM query
medium
Strong
High FP
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
- id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
type: derived
status: test
description: |
Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- ':\Windows\TEMP\ScreenConnect\'
- 'run.cmd'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\curl.exe'
- '\dllhost.exe'
- '\net.exe'
- '\nltest.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\rundll32.exe'
- '\wevtutil.exe'
condition: selection
falsepositives:
- If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service.
Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
view Sigma YAML
title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: derived
- id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
type: derived
status: test
description: |
Detects remote binary or command execution via the ScreenConnect Service.
Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-02-26
tags:
- attack.execution
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\ScreenConnect.ClientService.exe'
condition: selection
falsepositives:
- Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Access Tool - Simple Help Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: Remote Access Tool - Simple Help Execution
id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '\JWrapper-Remote Access\'
- '\JWrapper-Remote Support\'
Image|endswith: '\SimpleService.exe'
condition: selection
falsepositives:
- Legitimate usage of the tool
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
view Sigma YAML
title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
- https://github.com/amidaware/tacticalrmm
- https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
- attack.command-and-control
- attack.t1219
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\TacticalAgent\tacticalrmm.exe'
CommandLine|contains|all:
- '--api'
- '--auth'
- '--client-id'
- '--site-id'
- '--agent-type'
condition: selection
falsepositives:
- Legitimate system administrator deploying TacticalRMM
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Access Tool - UltraViewer Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
view Sigma YAML
title: Remote Access Tool - UltraViewer Execution
id: 88656cec-6c3b-487c-82c0-f73ebb805503
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
author: frack113
date: 2022-09-25
modified: 2024-03-14
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Product: 'UltraViewer'
- Company: 'DucFabulous Co,ltd'
- OriginalFileName: 'UltraViewer_Desktop.exe'
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Remote Access Tool Services Have Been Installed - Security
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
view Sigma YAML
title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
- id: 1a31b18a-f00c-4061-9900-f735b96c99fc
type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceName|contains:
# Based on https://github.com/SigmaHQ/sigma/pull/2841
- 'AmmyyAdmin' # https://www.ammyy.com/en/
- 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
- 'Atera'
- 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
- 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
- 'chromoting'
- 'GoToAssist' # https://www.goto.com/it-management/resolve
- 'GoToMyPC' # https://get.gotomypc.com/
- 'jumpcloud'
- 'LMIGuardianSvc' # https://www.logmein.com/
- 'LogMeIn' # https://www.logmein.com/
- 'monblanking'
- 'Parsec'
- 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
- 'RPCPerformanceService' # https://www.remotepc.com/
- 'RPCService' # https://www.remotepc.com/
- 'SplashtopRemoteService' # https://www.splashtop.com/
- 'SSUService'
- 'TeamViewer'
- 'TightVNC' # https://www.tightvnc.com/
- 'vncserver'
- 'Zoho'
condition: selection
falsepositives:
- The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Access Tool Services Have Been Installed - System
Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
view Sigma YAML
title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
- id: c8b00925-926c-47e3-beea-298fd563728e
type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID:
- 7045
- 7036
ServiceName|contains:
# Based on https://github.com/SigmaHQ/sigma/pull/2841
- 'AmmyyAdmin' # https://www.ammyy.com/en/
- 'Atera'
- 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
- 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
- 'chromoting'
- 'GoToAssist' # https://www.goto.com/it-management/resolve
- 'GoToMyPC' # https://get.gotomypc.com/
- 'jumpcloud'
- 'LMIGuardianSvc' # https://www.logmein.com/
- 'LogMeIn' # https://www.logmein.com/
- 'monblanking'
- 'Parsec'
- 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
- 'RPCPerformanceService' # https://www.remotepc.com/
- 'RPCService' # https://www.remotepc.com/
- 'SplashtopRemoteService' # https://www.splashtop.com/
- 'SSUService'
- 'TeamViewer'
- 'TightVNC' # https://www.tightvnc.com/
- 'vncserver'
- 'Zoho'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
view Sigma YAML
title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
- https://twitter.com/bohops/status/994405551751815170
- https://redcanary.com/blog/lateral-movement-winrm-wmi/
- https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020-10-07
modified: 2023-03-03
tags:
- attack.stealth
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_img:
# Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
- Image|endswith: '\cscript.exe'
- OriginalFileName: 'cscript.exe'
selection_cli:
CommandLine|contains|all:
- 'winrm'
- 'invoke Create wmicimv2/Win32_'
- '-r:http'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
view Sigma YAML
title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
- https://github.com/gabe-k/themebleed
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
ImageLoaded|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote File Download Via Desktopimgdownldr Utility
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
view Sigma YAML
title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
- https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\desktopimgdownldr.exe'
ParentImage|endswith: '\desktopimgdownldr.exe'
CommandLine|contains: '/lockscreenurl:http'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
view Sigma YAML
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
- id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
type: obsolete
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Findstr/
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: 'findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli_download_1:
CommandLine|contains|windash: ' -v '
selection_cli_download_2:
CommandLine|contains|windash: ' -l '
selection_cli_download_3:
CommandLine|contains: '\\\\'
condition: selection_findstr and all of selection_cli_download_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remote PowerShell Session Host Process (WinRM)
Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
view Sigma YAML
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.lateral-movement
- attack.t1059.001
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wsmprovhost.exe'
- ParentImage|endswith: '\wsmprovhost.exe'
condition: selection
falsepositives:
- Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium
Convert to SIEM query
medium
Strong
Low FP
Remote Registry Management Using Reg Utility
Remote registry management using REG utility from non-admin workstation
view Sigma YAML
title: Remote Registry Management Using Reg Utility
id: 68fcba0d-73a5-475e-a915-e8b4c576827e
status: test
description: Remote registry management using REG utility from non-admin workstation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Teymur Kheirkhabarov, oscd.community
date: 2019-10-22
modified: 2023-12-15
tags:
- attack.credential-access
- attack.persistence
- attack.discovery
- attack.defense-impairment
- attack.s0075
- attack.t1012
- attack.t1112
- attack.t1552.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|contains: '\winreg'
filter_main:
IpAddress|expand: '%Admins_Workstations%'
condition: selection and not filter_main
falsepositives:
- Legitimate usage of remote registry management by administrator
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Service Activity via SVCCTL Named Pipe
Detects remote service activity via remote access to the svcctl named pipe
view Sigma YAML
title: Remote Service Activity via SVCCTL Named Pipe
id: 586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3
status: test
description: Detects remote service activity via remote access to the svcctl named pipe
references:
- https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
- attack.lateral-movement
- attack.persistence
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: svcctl
AccessList|contains: 'WriteData'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Task Creation via ATSVC Named Pipe
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
view Sigma YAML
title: Remote Task Creation via ATSVC Named Pipe
id: f6de6525-4509-495a-8a82-1f8b0ed73a00
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2024-08-01
tags:
- attack.privilege-escalation
- attack.execution
- attack.lateral-movement
- attack.persistence
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName: atsvc
AccessList|contains: 'WriteData'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Task Creation via ATSVC Named Pipe - Zeek
Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
view Sigma YAML
title: Remote Task Creation via ATSVC Named Pipe - Zeek
id: dde85b37-40cd-4a94-b00c-0b8794f956b5
related:
- id: f6de6525-4509-495a-8a82-1f8b0ed73a00
type: derived
status: test
description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
references:
- https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
author: 'Samir Bousseaden, @neu5rn'
date: 2020-04-03
modified: 2022-12-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.lateral-movement
- attack.persistence
- car.2013-05-004
- car.2015-04-001
- attack.t1053.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\\*\IPC$'
name: 'atsvc'
# Accesses: '*WriteData*'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Thread Created In Shell Application
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
view Sigma YAML
title: Remote Thread Created In Shell Application
id: a9d4d3fa-8fc0-41bc-80b1-30b9fda79d6f
status: test
description: |
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
references:
- https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/
- https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
author: Splunk Research Team
date: 2024-07-29
modified: 2025-07-04
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- detection.threat-hunting
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
filter_main_system:
SourceImage|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
filter_optional_defender:
SourceImage|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
view Sigma YAML
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
- id: 02d1d718-dd13-41af-989d-ea85c7fab93f
type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
- Personal research, statistical analysis
- https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\explorer.exe'
- '\iexplore.exe'
- '\msiexec.exe'
- '\powerpnt.exe'
- '\schtasks.exe'
- '\winlogon.exe'
filter_main_winlogon_1:
SourceImage: 'C:\Windows\System32\winlogon.exe'
TargetImage:
- 'C:\Windows\System32\services.exe' # happens on Windows 7
- 'C:\Windows\System32\wininit.exe' # happens on Windows 7
- 'C:\Windows\System32\csrss.exe' # multiple OS
- 'C:\Windows\System32\LogonUI.exe' # multiple OS
- 'C:\Windows\System32\wlrmdr.exe'
- 'C:\Windows\System32\AtBroker.exe'
- 'C:\Windows\System32\dwm.exe'
- 'C:\Windows\System32\fontdrvhost.exe'
- 'C:\Windows\System32\userinit.exe'
filter_main_winlogon_2:
SourceImage: 'C:\Windows\System32\winlogon.exe'
TargetParentProcessId: 4
filter_main_schtasks_conhost:
SourceImage:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
filter_main_explorer:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
filter_main_system:
TargetImage: 'System'
filter_main_msiexec_1:
# Note: MSI installers will trigger this
SourceImage|endswith: '\msiexec.exe'
TargetImage|contains:
- '\AppData\Local\'
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
filter_main_msiexec_2:
SourceImage|endswith: '\msiexec.exe'
TargetImage:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_main_iexplore:
SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
TargetImage:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Windows\System32\rundll32.exe'
filter_main_powerpnt:
SourceImage|endswith: '\POWERPNT.EXE'
TargetImage|contains:
- 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
- 'C:\Program Files (x86)\Microsoft Office\'
filter_optional_aurora_smartconsole1:
SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
SourceCommandLine|contains|all:
- 'https://'
- '.checkpoint.com/documents/'
- 'SmartConsole_OLH/'
- 'default.htm#cshid='
filter_optional_aurora_smartconsole2:
SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
SourceParentImage|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
SourceParentImage|contains|all:
- '\CheckPoint\SmartConsole\'
- '\SmartConsole.exe'
filter_optional_powerpnt:
# Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
SourceImage|contains: '\Microsoft Office\'
SourceImage|endswith: '\POWERPNT.EXE'
TargetImage: 'C:\Windows\System32\csrss.exe'
filter_main_null:
TargetImage: null
filter_main_empty:
TargetImage: ''
filter_optional_onedrive:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
filter_optional_aurora:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\aurora-dashboard.exe'
filter_optional_officesetup:
SourceImage: 'C:\Windows\explorer.exe'
TargetImage|endswith: '\OfficeSetup.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
view Sigma YAML
title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
- id: f016c716-754a-467f-a39e-63c06f773987
type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
- https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.003
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith:
- '\calc.exe'
- '\calculator.exe'
- '\mspaint.exe'
- '\notepad.exe'
- '\ping.exe'
- '\sethc.exe'
- '\spoolsv.exe'
- '\wordpad.exe'
- '\write.exe'
filter_main_csrss:
SourceImage: 'C:\Windows\System32\csrss.exe'
filter_main_notepad:
SourceImage:
- 'C:\Windows\System32\explorer.exe'
- 'C:\Windows\System32\OpenWith.exe'
TargetImage: 'C:\Windows\System32\notepad.exe'
filter_main_sethc:
SourceImage: 'C:\Windows\System32\AtBroker.exe'
TargetImage: 'C:\Windows\System32\Sethc.exe'
filter_optional_aurora_1:
StartFunction: 'EtwpNotificationThread'
filter_optional_aurora_2:
SourceImage|contains: 'unknown process'
filter_optional_vmtoolsd:
SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
StartFunction: 'GetCommandLineW'
TargetImage:
- 'C:\Windows\System32\notepad.exe'
- 'C:\Windows\System32\spoolsv.exe'
filter_optional_xerox_pjems:
SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
StartFunction: 'LoadLibraryW'
TargetImage: 'C:\Windows\System32\spoolsv.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Thread Creation Via PowerShell
Detects the creation of a remote thread from a Powershell process to another process
view Sigma YAML
title: Remote Thread Creation Via PowerShell
id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
related:
- id: 99b97608-3e21-4bfe-8217-2a127c396a0e
type: derived
status: test
description: Detects the creation of a remote thread from a Powershell process to another process
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-11-10
tags:
- attack.execution
- attack.t1059.001
- detection.threat-hunting
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
filter_main_compattelrunner:
SourceParentImage|endswith: ':\Windows\System32\CompatTelRunner.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
view Sigma YAML
title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
- id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
type: similar
status: test
description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith:
# Note: Please add additional potential interesting targets to increase coverage
- '\rundll32.exe'
- '\regsvr32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remote Utilities Host Service Install
Detects Remote Utilities Host service installation on the target system.
view Sigma YAML
title: Remote Utilities Host Service Install
id: 85cce894-dd8b-4427-a958-5cc47a4dc9b9
status: test
description: Detects Remote Utilities Host service installation on the target system.
references:
- https://www.remoteutilities.com/support/kb/host-service-won-t-start/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
- attack.persistence
logsource:
product: windows
service: system
detection:
# Example:
# <EventData>
# <Data Name="ServiceName">Remote Utilities - Host</Data>
# <Data Name="ImagePath">"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service</Data>
# <Data Name="ServiceType">user mode service</Data>
# <Data Name="StartType">auto start</Data>
# <Data Name="AccountName">LocalSystem</Data>
# </EventData>
selection_root:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ImagePath|contains|all:
- '\rutserv.exe'
- '-service'
- ServiceName: 'Remote Utilities - Host'
condition: all of selection_*
falsepositives:
- Legitimate use of the tool
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
view Sigma YAML
title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
- id: acd74772-5f88-45c7-956b-6a7b36c294d2
type: similar
- id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
type: similar
status: test
description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
- https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2025-10-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Removal Of SD Value to Hide Schedule Task - Registry
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
view Sigma YAML
title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
- id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
type: similar
status: test
description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
references:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022-04-15
modified: 2025-10-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'SD'
condition: selection
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml
Convert to SIEM query
medium
Strong
Medium FP
Removal of Potential COM Hijacking Registry Keys
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
view Sigma YAML
title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/7
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
- https://learn.microsoft.com/en-us/windows/win32/shell/launch
- https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
- https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|endswith: '\shell\open\command'
filter_main_explorer:
Image|endswith: 'C:\Windows\explorer.exe'
filter_main_svchost:
Image: 'C:\Windows\system32\svchost.exe'
filter_main_msiexec:
Image:
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\SysWOW64\msiexec.exe'
filter_main_generic_prorams:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_openwith:
Image: 'C:\Windows\System32\OpenWith.exe'
filter_optional_dropbox:
Image|endswith: '\Dropbox.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\Dropbox.'
filter_optional_wireshark:
Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\wireshark-capture-file\'
filter_optional_peazip:
Image|contains: 'peazip'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\PeaZip.'
filter_optional_everything:
Image|endswith: '\Everything.exe'
# We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
TargetObject|contains: '\Everything.'
filter_optional_uninstallers:
# This image path is linked with different uninstallers when running as admin unfortunately
Image|startswith: 'C:\Windows\Installer\MSI'
filter_optional_java:
Image|startswith: 'C:\Program Files (x86)\Java\'
Image|endswith: '\installer.exe'
TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
filter_optional_edgeupdate:
Image|contains: '\Microsoft\EdgeUpdate\Install'
filter_optional_avira:
Image:
- 'C:\Program Files (x86)\Avira\Antivirus\'
- 'C:\Program Files\Avira\Antivirus\'
TargetObject|endswith:
- '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
- '\AntiVir.Keyfile\shell\open\command'
filter_optional_installer_temp:
- Image|contains|all:
- 'AppData\Local\Temp'
- '\setup.exe'
- Image|contains|all:
- '\Temp\is-'
- '\target.tmp'
filter_optional_ninite:
Image|endswith: '\ninite.exe'
filter_optional_discord:
Image|endswith: '\reg.exe'
TargetObject|endswith: '\Discord\shell\open\command'
filter_optional_spotify:
Image|endswith: '\Spotify.exe'
TargetObject|endswith: '\Spotify\shell\open\command'
filter_optional_eclipse:
Image|endswith: 'C:\eclipse\eclipse.exe'
TargetObject|contains: '_Classes\eclipse+'
filter_optional_teamviewer:
Image|contains|all:
- '\Temp'
- '\TeamViewer'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
level: medium
Convert to SIEM query
medium
Moderate
High FP
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
view Sigma YAML
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021-12-26
tags:
- attack.impact
- attack.t1531
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Remove-ADGroupMember'
- '-Identity '
- '-Members '
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remove Immutable File Attribute
Detects usage of the 'chattr' utility to remove immutable file attribute.
view Sigma YAML
title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
- id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/chattr'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Remove Immutable File Attribute - Auditd
Detects removing immutable file attribute.
view Sigma YAML
title: Remove Immutable File Attribute - Auditd
id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
status: test
description: Detects removing immutable file attribute.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: Jakob Weinzettl, oscd.community
date: 2019-09-23
modified: 2022-11-26
tags:
- attack.defense-impairment
- attack.t1222.002
logsource:
product: linux
service: auditd
detection:
selection:
type: 'EXECVE'
a0|contains: 'chattr'
a1|contains: '-i'
condition: selection
falsepositives:
- Administrator interacting with immutable files (e.g. for instance backups).
level: medium
simulation:
- type: atomic-red-team
name: Remove immutable file attribute
technique: T1222.002
atomic_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
Convert to SIEM query
medium
Moderate
Medium FP
Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab.
This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
view Sigma YAML
title: Remove Scheduled Cron Task/Job
id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
status: test
description: |
Detects usage of the 'crontab' utility to remove the current crontab.
This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
references:
- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.stealth
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: 'crontab'
CommandLine|contains: ' -r'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Renamed AutoHotkey.EXE Execution
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
view Sigma YAML
title: Renamed AutoHotkey.EXE Execution
id: 0f16d9cf-0616-45c8-8fad-becc11b5a41c
status: test
description: Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
references:
- https://www.autohotkey.com/download/
- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
author: Nasreddine Bencherchali
date: 2023-02-07
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Product|contains: 'AutoHotkey'
- Description|contains: 'AutoHotkey'
- OriginalFileName:
- 'AutoHotkey.exe'
- 'AutoHotkey.rc'
filter:
- Image|endswith:
- '\AutoHotkey.exe'
- '\AutoHotkey32.exe'
- '\AutoHotkey32_UIA.exe'
- '\AutoHotkey64.exe'
- '\AutoHotkey64_UIA.exe'
- '\AutoHotkeyA32.exe'
- '\AutoHotkeyA32_UIA.exe'
- '\AutoHotkeyU32.exe'
- '\AutoHotkeyU32_UIA.exe'
- '\AutoHotkeyU64.exe'
- '\AutoHotkeyU64_UIA.exe'
- Image|contains: '\AutoHotkey'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed BOINC Client Execution
Detects the execution of a renamed BOINC binary.
view Sigma YAML
title: Renamed BOINC Client Execution
id: 30d07da2-83ab-45d8-ae75-ec7c0edcaffc
status: test
description: Detects the execution of a renamed BOINC binary.
references:
- https://boinc.berkeley.edu/
- https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.defense-impairment
- attack.t1553
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'BOINC.exe'
filter_main_legit_name:
Image|endswith: '\BOINC.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
view Sigma YAML
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
- https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'curl.exe'
- Description: 'The curl executable'
filter_main_img:
Image|contains: '\curl'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
view Sigma YAML
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_original:
OriginalFileName: 'ftp.exe'
filter_img:
Image|endswith: '\ftp.exe'
condition: selection_original and not filter_img
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
Convert to SIEM query
medium
Moderate
Medium FP
Renamed Microsoft Teams Execution
Detects the execution of a renamed Microsoft Teams binary.
view Sigma YAML
title: Renamed Microsoft Teams Execution
id: 88f46b67-14d4-4f45-ac2c-d66984f22191
status: test
description: Detects the execution of a renamed Microsoft Teams binary.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-12
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'msteams.exe'
- 'teams.exe'
filter_main_legit_names:
Image|endswith:
- '\msteams.exe'
- '\teams.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
view Sigma YAML
title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
- attack.collection
- attack.command-and-control
- attack.discovery
- attack.stealth
- attack.s0592
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'Remote Utilities'
filter:
Image|endswith:
- '\rutserv.exe'
- '\rfusclient.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Replace.exe Usage
Detects the use of Replace.exe which can be used to replace file with another file
view Sigma YAML
title: Replace.exe Usage
id: 9292293b-8496-4715-9db6-37028dcda4b3
status: test
description: Detects the use of Replace.exe which can be used to replace file with another file
references:
- https://lolbas-project.github.io/lolbas/Binaries/Replace/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
author: frack113
date: 2022-03-06
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\replace.exe'
argument:
CommandLine|contains|windash: '-a'
condition: selection and argument
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
view Sigma YAML
title: Response File Execution Via Odbcconf.EXE
id: 5f03babb-12db-4eec-8c82-7b4cb5580868
related:
- id: 2d32dd6f-3196-4093-b9eb-1ad8ab088ca5
type: similar
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
CommandLine|contains|windash: ' -f '
selection_rsp_ext:
CommandLine|contains: '.rsp'
condition: all of selection_*
falsepositives:
- The rule is looking for any usage of response file, which might generate false positive when this function is used legitimately. Investigate the contents of the ".rsp" file to determine if it is malicious and apply additional filters if necessary.
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Rhadamanthys Stealer Module Launch Via Rundll32.EXE
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
view Sigma YAML
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
- https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
- https://www.joesandbox.com/analysis/790122/0/html
- https://twitter.com/anfam17/status/1607477672057208835
author: TropChaud
date: 2023-01-26
modified: 2023-02-05
tags:
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_rundll32:
- OriginalFileName: 'RUNDLL32.EXE'
- Image|endswith: '\rundll32.exe'
selection_dll:
CommandLine|contains: 'nsis_uns'
selection_export_function:
CommandLine|contains: 'PrintUIEntry'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
view Sigma YAML
title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
- https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
- https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
- https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1078
- attack.t1078.001
- attack.t1078.003
- attack.initial-access
- attack.persistence
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/dsenableroot'
filter_main_disable:
CommandLine|contains: ' -d '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
view Sigma YAML
title: Root Certificate Installed - PowerShell
id: 42821614-9264-4761-acfc-5772c3286f76
status: test
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020-10-10
modified: 2022-12-02
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection1:
ScriptBlockText|contains|all:
- 'Move-Item'
- 'Cert:\LocalMachine\Root'
selection2:
ScriptBlockText|contains|all:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
condition: 1 of selection*
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
Convert to SIEM query
medium
Moderate
High FP
Ruby Inline Command Execution
Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
view Sigma YAML
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ruby.exe'
- OriginalFileName: 'ruby.exe'
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Ruby on Rails Framework Exceptions
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
view Sigma YAML
title: Ruby on Rails Framework Exceptions
id: 0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a
status: stable
description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
references:
- http://edgeguides.rubyonrails.org/security.html
- http://guides.rubyonrails.org/action_controller_overview.html
- https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception
- https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: ruby_on_rails
detection:
keywords:
- ActionController::InvalidAuthenticityToken
- ActionController::InvalidCrossOriginRequest
- ActionController::MethodNotAllowed
- ActionController::BadRequest
- ActionController::ParameterMissing
condition: keywords
falsepositives:
- Application bugs
level: medium
Convert to SIEM query
Showing 2951-3000 of 3,751