SOAR
Panther
1,713 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,713
high
Strong
Medium FP
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
view Sigma YAML
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
- https://twitter.com/filip_dragovic/status/1590052248260055041
- https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022-11-10
modified: 2025-07-04
tags:
- attack.privilege-escalation
- attack.t1068
- cve.2022-41120
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\Sysmon.exe'
- '\Sysmon64.exe'
filter_main_temp_sysmon:
# C:\Users\ADMINI~1\AppData\Local\Temp\2\Sysmon.exe
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Temp\'
Image|endswith:
- '\Sysmon.exe'
- '\Sysmon64.exe'
filter_main_generic:
Image|contains:
- ':\Windows\Sysmon.exe'
- ':\Windows\Sysmon64.exe'
- ':\Windows\System32\conhost.exe'
- ':\Windows\System32\WerFault.exe' # When Sysmon crashes
- ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
- ':\Windows\System32\wevtutil.exe'
- ':\Windows\SysWOW64\wevtutil.exe'
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
view Sigma YAML
title: Suspicious TSCON Start as SYSTEM
id: 9847f263-4a81-424f-970c-875dab15b79b
status: test
description: Detects a tscon.exe start as LOCAL SYSTEM
references:
- http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
- https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2022-05-27
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\tscon.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Low FP
Suspicious Teams Application Related ObjectAcess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
view Sigma YAML
title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: test
description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
references:
- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
- https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
tags:
- attack.credential-access
- attack.t1528
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|contains:
- '\Microsoft\Teams\Cookies'
- '\Microsoft\Teams\Local Storage\leveldb'
filter:
ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious UltraVNC Execution
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
view Sigma YAML
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
references:
- https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
- https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
- attack.lateral-movement
- attack.g0047
- attack.t1021.005
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '-autoreconnect '
- '-connect '
- '-id:'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
view Sigma YAML
title: Suspicious Uninstall of Windows Defender Feature via PowerShell
id: c443012c-7928-43bf-ac20-7eda5efe61ad
status: experimental
description: |
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature
- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
author: yxinmiracle
date: 2025-08-22
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_uninstall:
CommandLine|contains:
- 'Uninstall-WindowsFeature'
- 'Remove-WindowsFeature' # Only supported in Windows Server 2008 R2 and Windows 2012 R2
selection_cli_defender_feature:
CommandLine|contains: 'Windows-Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
view Sigma YAML
title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
- id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
type: similar
status: test
description: |
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
references:
- https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2022-12-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\dbghelp.dll'
- '\dbgcore.dll'
Signed: 'false'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
view Sigma YAML
title: Suspicious Unsigned Thor Scanner Execution
id: ea5c131b-380d-49f9-aeb3-920694da4d4b
status: stable
description: Detects loading and execution of an unsigned thor scanner binary.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-29
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
ImageLoaded|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_main:
Signed: 'true'
SignatureStatus: 'valid'
Signature: 'Nextron Systems GmbH'
condition: selection and not filter_main
falsepositives:
- Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
view Sigma YAML
title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
- id: 36c5146c-d127-4f85-8e21-01bf62355d5a
type: obsolete
- id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
type: similar
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
references:
- https://redcanary.com/blog/raspberry-robin/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_openasrundll:
CommandLine|contains: 'ShellExec_RunDLL'
selection_suspcli:
CommandLine|contains:
# Note: The ordinal number may differ depending on the DLL version
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- 'comspec'
- 'iex'
- 'Invoke-'
- 'msiexec'
- 'odbcconf'
- 'regsvr32'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
view Sigma YAML
title: Suspicious Use of CSharp Interactive Console
id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
status: test
description: Detects the execution of CSharp interactive console by PowerShell
references:
- https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
author: Michael R. (@nahamike01)
date: 2020-03-08
modified: 2022-07-14
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csi.exe'
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
OriginalFileName: 'csi.exe'
condition: selection
falsepositives:
- Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
view Sigma YAML
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
- https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection1:
c-useragent|startswith:
- 'user-agent' # User-Agent: User-Agent:
- 'Mozilla/3.0 '
- 'Mozilla/2.0 '
- 'Mozilla/1.0 '
- 'Mozilla ' # missing slash
- ' Mozilla/' # leading space
- 'Mozila/' # single 'l'
- 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol' # https://twitter.com/NtSetDefault/status/1303643299509567488
selection2:
c-useragent|contains:
- ' (compatible;MSIE ' # typical typo - missing space
- '.0;Windows NT ' # typical typo - missing space
- 'loader' # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
selection3:
c-useragent:
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
- 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0' # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
- 'HTTPS' # https://twitter.com/stvemillertime/status/1204437531632250880
- 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a' # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
- 'x' # Use by Racoon Stealer but could be something else
- 'xxx' # Use by Racoon Stealer but could be something else
falsepositives:
- c-useragent: 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
- cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
- '.acrobat.com'
- '.adobe.com'
- '.adobe.io'
condition: 1 of selection* and not falsepositives
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
view Sigma YAML
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
status: test
description: Detects suspicious inline VBScript keywords as used by UNC2452
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'Execute'
- 'CreateObject'
- 'RegRead'
- 'window.close'
- '\Microsoft\Windows\CurrentVersion'
filter:
CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
view Sigma YAML
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
- https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
- attack.command-and-control
- attack.persistence
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\Velociraptor.exe'
selection_child_vscode_tunnel:
CommandLine|contains|all:
- 'code.exe'
- 'tunnel'
- '--accept-server-license-terms'
selection_child_msiexec:
CommandLine|contains|all:
- 'msiexec'
- '/i'
- 'http'
selection_child_powershell:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest '
- 'IWR '
- '.DownloadFile'
- '.DownloadString'
# Add more child process patterns as needed
condition: selection_parent and 1 of selection_child_*
falsepositives:
- Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
view Sigma YAML
title: Suspicious Volume Shadow Copy VSS_PS.dll Load
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
related:
- id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
type: similar
- id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
type: similar
status: test
description: |
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
references:
- https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
- https://twitter.com/am0nsec/status/1412232114980982787
author: Markus Neis, @markus_neis
date: 2021-07-07
modified: 2025-07-11
tags:
- attack.impact
- attack.t1490
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vss_ps.dll'
filter_main_legit:
Image|startswith: 'C:\Windows\'
Image|endswith:
- '\clussvc.exe'
- '\dismhost.exe'
- '\dllhost.exe'
- '\inetsrv\appcmd.exe'
- '\inetsrv\iissetup.exe'
- '\msiexec.exe'
- '\rundll32.exe'
- '\searchindexer.exe'
- '\srtasks.exe'
- '\svchost.exe'
- '\System32\SystemPropertiesAdvanced.exe'
- '\taskhostw.exe'
- '\thor.exe'
- '\thor64.exe'
- '\tiworker.exe'
- '\vssvc.exe'
- '\vssadmin.exe'
- '\WmiPrvSE.exe'
- '\wsmprovhost.exe'
filter_main_update:
CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
CommandLine|contains: '\dismhost.exe {'
filter_main_image_null:
Image: null
filter_optional_programfiles:
# When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Volume Shadow Copy Vssapi.dll Load
Detects the image load of VSS DLL by uncommon executables
view Sigma YAML
title: Suspicious Volume Shadow Copy Vssapi.dll Load
id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
related:
- id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
type: similar
- id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
- https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022-10-31
modified: 2026-05-18
tags:
- attack.impact
- attack.t1490
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vssapi.dll'
filter_main_windows:
- Image:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\Temp\{' # Installers
- 'C:\Windows\WinSxS\'
- 'C:\$WinREAgent\Scratch\'
filter_main_program_files:
# When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_null_image:
Image: null
filter_optional_programdata_packagecache:
# The following filter is required because of many FPs cause by:
# C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
# C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
# C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
# C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
# etc.
Image|startswith: 'C:\ProgramData\Package Cache\'
filter_optional_avira:
Image|contains|all:
- '\temp\is-'
- '\avira_system_speedup.tmp'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
view Sigma YAML
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50
type: derived
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
type: obsolete
- id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.EXE'
- '\EQNEDT32.EXE'
- '\ONENOTE.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_wmic_img:
- Image|endswith: '\wbem\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains|all:
- 'process'
- 'create'
- 'call'
CommandLine|contains:
# Add more suspicious LOLBINs as you see fit
- 'regsvr32'
- 'rundll32'
- 'msiexec'
- 'mshta'
- 'verclsid'
- 'wscript'
- 'cscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
view Sigma YAML
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
- https://twitter.com/aceresponder/status/1636116096506818562
- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
- https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
- https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
- attack.exfiltration
- attack.t1048.003
- cve.2023-23397
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\svchost.exe'
ParentCommandLine|contains: '-s WebClient'
Image|endswith: '\rundll32.exe'
CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
filter_local_ips:
CommandLine|contains:
- '://10.' # 10.0.0.0/8
- '://192.168.' # 192.168.0.0/16
- '://172.16.' # 172.16.0.0/12
- '://172.17.'
- '://172.18.'
- '://172.19.'
- '://172.20.'
- '://172.21.'
- '://172.22.'
- '://172.23.'
- '://172.24.'
- '://172.25.'
- '://172.26.'
- '://172.27.'
- '://172.28.'
- '://172.29.'
- '://172.30.'
- '://172.31.'
- '://127.' # 127.0.0.0/8
- '://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
view Sigma YAML
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
- https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
- attack.persistence
- attack.t1136.001
- attack.t1136.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
SamAccountName|contains|all:
- 'ANONYMOUS'
- 'LOGON'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
view Sigma YAML
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
- https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
- https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_root_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_root_path:
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\'
- 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
selection_dword_0:
CommandLine|contains|all:
- ' add '
- 'd 0'
CommandLine|contains:
- 'DisallowExploitProtectionOverride'
- 'EnableControlledFolderAccess'
- 'MpEnablePus'
- 'PUAProtection'
- 'SpynetReporting'
- 'SubmitSamplesConsent'
- 'TamperProtection'
selection_dword_1:
CommandLine|contains|all:
- ' add '
- 'd 1'
CommandLine|contains:
- 'DisableAccess'
- 'DisableAntiSpyware'
- 'DisableAntiSpywareRealtimeProtection'
- 'DisableAntiVirus'
- 'DisableAntiVirusSignatures'
- 'DisableArchiveScanning'
- 'DisableBehaviorMonitoring'
- 'DisableBlockAtFirstSeen'
- 'DisableCloudProtection'
- 'DisableConfig'
- 'DisableEnhancedNotifications'
- 'DisableIntrusionPreventionSystem'
- 'DisableIOAVProtection'
- 'DisableNetworkProtection'
- 'DisableOnAccessProtection'
- 'DisablePrivacyMode'
- 'DisableRealtimeMonitoring'
- 'DisableRoutinelyTakingAction'
- 'DisableScanOnRealtimeEnable'
- 'DisableScriptScanning'
- 'DisableSecurityCenter'
- 'Notification_Suppress'
- 'SignatureDisableUpdateOnStartupWithoutEngine'
condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
- Rare legitimate use by administrators to test software (should always be investigated)
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
view Sigma YAML
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
- id: eb87818d-db5d-49cc-a987-d5da331fbd90
type: obsolete
- id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
type: obsolete
- id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
type: obsolete
status: test
description: |
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
- https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113 , X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
- attack.impact
- attack.defense-impairment
- attack.t1489
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_tools_img:
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'psservice.exe'
- 'pwsh.dll'
- 'sc.exe'
- 'wmic.exe'
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- '\PowerShell_ISE.EXE'
- '\powershell.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\pwsh.exe'
- '\sc.exe'
- '\wmic.exe' # wmic process call win32_service where name='servicename' delete
selection_tools_cli:
- CommandLine|contains:
- ' delete '
- '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
- ' pause ' # Covers flags from: PsService and Sc.EXE
- ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
- 'Stop-Service '
- 'Remove-Service '
- CommandLine|contains|all:
- 'config'
- 'start=disabled'
selection_services:
CommandLine|contains:
- '143Svc'
- 'Acronis VSS Provider'
- 'AcronisAgent'
- 'AcrSch2Svc'
- 'AdobeARMservice'
- 'AHS Service'
- 'Antivirus'
- 'Apache4'
- 'ARSM'
- 'aswBcc'
- 'AteraAgent'
- 'Avast Business Console Client Antivirus Service'
- 'avast! Antivirus'
- 'AVG Antivirus'
- 'avgAdminClient'
- 'AvgAdminServer'
- 'AVP1'
- 'BackupExec'
- 'bedbg'
- 'BITS'
- 'BrokerInfrastructure'
- 'CASLicenceServer'
- 'CASWebServer'
- 'Client Agent 7.60'
- 'Core Browsing Protection'
- 'Core Mail Protection'
- 'Core Scanning Server'
- 'DCAgent'
- 'dwmrcs'
- 'EhttpSr'
- 'ekrn'
- 'Enterprise Client Service'
- 'epag'
- 'EPIntegrationService'
- 'EPProtectedService'
- 'EPRedline'
- 'EPSecurityService'
- 'EPUpdateService'
- 'EraserSvc11710'
- 'EsgShKernel'
- 'ESHASRV'
- 'FA_Scheduler'
- 'FirebirdGuardianDefaultInstance'
- 'FirebirdServerDefaultInstance'
- 'FontCache3.0.0.0'
- 'HealthTLService'
- 'hmpalertsvc'
- 'HMS'
- 'HostControllerService'
- 'hvdsvc'
- 'IAStorDataMgrSvc'
- 'IBMHPS'
- 'ibmspsvc'
- 'IISAdmin'
- 'IMANSVC'
- 'IMAP4Svc'
- 'instance2'
- 'KAVFS'
- 'KAVFSGT'
- 'kavfsslp'
- 'KeyIso'
- 'klbackupdisk'
- 'klbackupflt'
- 'klflt'
- 'klhk'
- 'KLIF'
- 'klim6'
- 'klkbdflt'
- 'klmouflt'
- 'klnagent'
- 'klpd'
- 'kltap'
- 'KSDE1.0.0'
- 'LogProcessorService'
- 'M8EndpointAgent'
- 'macmnsvc'
- 'masvc'
- 'MBAMService'
- 'MBCloudEA'
- 'MBEndpointAgent'
- 'McAfeeDLPAgentService'
- 'McAfeeEngineService'
- 'MCAFEEEVENTPARSERSRV'
- 'McAfeeFramework'
- 'MCAFEETOMCATSRV530'
- 'McShield'
- 'McTaskManager'
- 'mfefire'
- 'mfemms'
- 'mfevto'
- 'mfevtp'
- 'mfewc'
- 'MMS'
- 'mozyprobackup'
- 'mpssvc'
- 'MSComplianceAudit'
- 'MSDTC'
- 'MsDtsServer'
- 'MSExchange'
- 'msftesq1SPROO'
- 'msftesql$PROD'
- 'msftesql$SQLEXPRESS'
- 'MSOLAP$SQL_2008'
- 'MSOLAP$SYSTEM_BGC'
- 'MSOLAP$TPS'
- 'MSOLAP$TPSAMA'
- 'MSOLAPSTPS'
- 'MSOLAPSTPSAMA'
- 'mssecflt'
- 'MSSQ!I.SPROFXENGAGEMEHT'
- 'MSSQ0SHAREPOINT'
- 'MSSQ0SOPHOS'
- 'MSSQL'
- 'MSSQLFDLauncher$'
- 'MySQL'
- 'NanoServiceMain'
- 'NetMsmqActivator'
- 'NetPipeActivator'
- 'netprofm'
- 'NetTcpActivator'
- 'NetTcpPortSharing'
- 'ntrtscan'
- 'nvspwmi'
- 'ofcservice'
- 'Online Protection System'
- 'OracleClientCache80'
- 'OracleDBConsole'
- 'OracleMTSRecoveryService'
- 'OracleOraDb11g_home1'
- 'OracleService'
- 'OracleVssWriter'
- 'osppsvc'
- 'PandaAetherAgent'
- 'PccNTUpd'
- 'PDVFSService'
- 'POP3Svc'
- 'postgresql-x64-9.4'
- 'POVFSService'
- 'PSUAService'
- 'Quick Update Service'
- 'RepairService'
- 'ReportServer'
- 'ReportServer$'
- 'RESvc'
- 'RpcEptMapper'
- 'sacsvr'
- 'SamSs'
- 'SAVAdminService'
- 'SAVService'
- 'ScSecSvc'
- 'SDRSVC'
- 'SearchExchangeTracing'
- 'sense'
- 'SentinelAgent'
- 'SentinelHelperService'
- 'SepMasterService'
- 'ShMonitor'
- 'Smcinst'
- 'SmcService'
- 'SMTPSvc'
- 'SNAC'
- 'SntpService'
- 'Sophos'
- 'SQ1SafeOLRService'
- 'SQL Backups'
- 'SQL Server'
- 'SQLAgent'
- 'SQLANYs_Sage_FAS_Fixed_Assets'
- 'SQLBrowser'
- 'SQLsafe'
- 'SQLSERVERAGENT'
- 'SQLTELEMETRY'
- 'SQLWriter'
- 'SSISTELEMETRY130'
- 'SstpSvc'
- 'storflt'
- 'svcGenericHost'
- 'swc_service'
- 'swi_filter'
- 'swi_service'
- 'swi_update'
- 'Symantec'
- 'sysmon'
- 'TeamViewer'
- 'Telemetryserver'
- 'ThreatLockerService'
- 'TMBMServer'
- 'TmCCSF'
- 'TmFilter'
- 'TMiCRCScanService'
- 'tmlisten'
- 'TMLWCSService'
- 'TmPfw'
- 'TmPreFilter'
- 'TmProxy'
- 'TMSmartRelayService'
- 'tmusa'
- 'Tomcat'
- 'Trend Micro Deep Security Manager'
- 'TrueKey'
- 'UFNet'
- 'UI0Detect'
- 'UniFi'
- 'UTODetect'
- 'vds'
- 'Veeam'
- 'VeeamDeploySvc'
- 'Veritas System Recovery'
- 'vmic'
- 'VMTools'
- 'vmvss'
- 'VSApiNt'
- 'VSS'
- 'W3Svc'
- 'wbengine'
- 'WdNisSvc'
- 'WeanClOudSve'
- 'Weems JY'
- 'WinDefend'
- 'wmms'
- 'wozyprobackup'
- 'WPFFontCache_v0400'
- 'WRSVC'
- 'wsbexchange'
- 'WSearch'
- 'wscsvc'
- 'Zoolz 2 Service'
condition: all of selection_*
falsepositives:
- Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
view Sigma YAML
title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: test
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-01-02
tags:
- attack.persistence
- attack.exfiltration
- attack.t1505.003
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- '=C:/Users'
- '=C:/Program%20Files'
- '=C:/Windows'
- '=C%3A%5CUsers'
- '=C%3A%5CProgram%20Files'
- '=C%3A%5CWindows'
condition: selection
falsepositives:
- Legitimate application and websites that use windows paths in their URL
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
view Sigma YAML
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
- https://twitter.com/0gtweet/status/1359039665232306183?s=21
- https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
- attack.defense-impairment
- attack.t1685
- attack.t1685.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\logman.exe'
- OriginalFileName: 'Logman.exe'
selection_action:
CommandLine|contains:
- 'stop '
- 'delete '
selection_service:
CommandLine|contains:
- 'Circular Kernel Context Logger'
- 'EventLog-' # Cover multiple traces starting with EventLog-*
- 'SYSMON TRACE'
- 'SysmonDnsEtwSession'
condition: all of selection*
falsepositives:
- Legitimate deactivation by administrative staff
- Installer tools that disable services, e.g. before log collection agent installation
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
view Sigma YAML
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\Wuauclt.exe'
- OriginalFileName: 'Wuauclt.exe'
selection_cli:
CommandLine|endswith:
- 'Wuauclt'
- 'Wuauclt.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
view Sigma YAML
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
- id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith: '\wbem\WmiPrvSE.exe'
selection_children_1:
# TODO: Add more LOLBINs or suspicious processes that make sens in your environment
Image|endswith:
- '\certutil.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\verclsid.exe'
- '\wscript.exe'
selection_children_2:
# This is in a separate selection due to the nature of FP generated with CMD
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'cscript'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'wscript'
filter_main_werfault:
Image|endswith: '\WerFault.exe'
filter_main_wmiprvse:
Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
filter_main_msiexec:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/i '
condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
view Sigma YAML
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
- https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth (Nextron Systems), Sittikorn S
date: 2021-09-10
modified: 2023-06-22
tags:
- attack.resource-development
- attack.t1587
- detection.emerging-threats
logsource:
product: windows
category: file_event
detection:
selection_cab:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\Windows\INetCache'
TargetFilename|endswith: '.cab'
selection_inf:
Image|endswith: '\winword.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.inf'
filter_main_legit:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: 'AppData\Local\Temp'
TargetFilename|endswith: '\Content.inf'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
view Sigma YAML
title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
references:
- https://www.qualys.com/2021/05/04/21nails/21nails.txt
author: Florian Roth (Nextron Systems)
date: 2019-04-05
modified: 2021-11-27
tags:
- attack.t1204.001
- attack.execution
logsource:
product: linux
detection:
keywords:
- 'ln -s -f /etc/passwd'
- 'ln -s /etc/passwd'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
SysKey Registry Keys Access
Detects handle requests and access operations to specific registry keys to calculate the SysKey
view Sigma YAML
title: SysKey Registry Keys Access
id: 9a4ff3b8-6187-4fd2-8e8b-e0eae1129495
status: test
description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
references:
- https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1012
logsource:
product: windows
service: security
detection:
selection:
EventID:
- 4656
- 4663
ObjectType: 'key'
ObjectName|endswith:
- 'lsa\JD'
- 'lsa\GBG'
- 'lsa\Skew1'
- 'lsa\Data'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
view Sigma YAML
title: Sysinternals PsSuspend Suspicious Execution
id: 4beb6ae0-f85b-41e2-8f18-8668abc8af78
related:
- id: 48bbc537-b652-4b4e-bd1d-281172df448f # Basic Execution
type: similar
status: test
description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend
- https://twitter.com/0gtweet/status/1638069413717975046
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-23
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'pssuspend.exe'
- Image|endswith:
- '\pssuspend.exe'
- '\pssuspend64.exe'
selection_cli:
# Add more interesting/critical processes
CommandLine|contains: 'msmpeng.exe'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
view Sigma YAML
title: Syslog Clearing or Removal Via System Utilities
id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31
status: test
description: |
Detects specific commands commonly used to remove or empty the syslog. Which is a technique often used by attacker as a method to hide their tracks
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
- https://www.virustotal.com/gui/file/54d60fd58d7fa3475fa123985bfc1594df26da25c1f5fbc7dfdba15876dd8ac5/behavior
author: Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2025-10-15
tags:
- attack.defense-impairment
- attack.t1685.006
logsource:
product: linux
category: process_creation
detection:
selection_file:
CommandLine|contains: '/var/log/syslog'
selection_command_rm:
# Examples:
# rm -f /var/log/syslog
Image|endswith: '/rm'
CommandLine|contains:
- ' -r '
- ' -f '
- ' -rf '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
selection_command_unlink:
# Examples:
# unlink /var/log/syslog
Image|endswith: '/unlink'
selection_command_mv:
# Examples:
# mv /var/log/syslog
Image|endswith: '/mv'
selection_command_truncate:
# Examples:
# truncate --size 0 /var/log/syslog
Image|endswith: '/truncate'
CommandLine|contains|all:
- '0 '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-s '
- '-c '
- '--size'
selection_command_ln:
# Examples:
# ln -sfn /dev/null /var/log/syslog
Image|endswith: '/ln'
CommandLine|contains|all:
- '/dev/null '
- '/var/log/syslog' # We use this to avoid re-writing a separate selection
CommandLine|contains:
- '-sf '
- '-sfn '
- '-sfT '
selection_command_cp:
# Examples:
# cp /dev/null /var/log/syslog
Image|endswith: '/cp'
CommandLine|contains: '/dev/null'
selection_command_shred:
# Examples:
# shred -u /var/log/syslog
Image|endswith: '/shred'
CommandLine|contains: '-u '
selection_unique_other:
CommandLine|contains:
- ' > /var/log/syslog'
- ' >/var/log/syslog'
- ' >| /var/log/syslog' # redirection empties w spacing, noclobber
- ': > /var/log/syslog'
- ':> /var/log/syslog'
- ':>/var/log/syslog'
- '>|/var/log/syslog'
selection_unique_journalctl:
CommandLine|contains:
- 'journalctl --vacuum'
- 'journalctl --rotate' # archives current journal files and creates new empty ones
condition: (selection_file and 1 of selection_command_*) or 1 of selection_unique_*
falsepositives:
- Log rotation.
- Maintenance.
level: high
Convert to SIEM query
high
Moderate
Low FP
Sysmon Application Crashed
Detects application popup reporting a failure of the Sysmon service
view Sigma YAML
title: Sysmon Application Crashed
id: 4d7f1827-1637-4def-8d8a-fd254f9454df
status: test
description: Detects application popup reporting a failure of the Sysmon service
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
author: Tim Shelton
date: 2022-04-26
modified: 2024-01-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Application Popup'
EventID: 26
Caption:
- 'sysmon64.exe - Application Error'
- 'sysmon.exe - Application Error'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
view Sigma YAML
title: Sysmon Blocked Executable
id: 23b71bc5-953e-4971-be4c-c896cda73fc2
status: test
description: Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
references:
- https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-16
modified: 2023-09-16
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 27 # this is fine, we want to match any FileBlockExecutable event
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
view Sigma YAML
title: Sysmon Blocked File Shredding
id: c3e5c1b1-45e9-4632-b242-27939c170239
status: test
description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2023-07-20
tags:
- attack.defense-impairment
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 28 # this is fine, we want to match any FileBlockShredding event
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Channel Reference Deletion
Potential threat actor tampering with Sysmon manifest and eventually disabling it
view Sigma YAML
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: test
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-07-14
modified: 2025-10-22
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: 0
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: '0x10000'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
view Sigma YAML
title: Sysmon Configuration Error
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
status: test
description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_error
detection:
selection_error:
Description|contains:
- 'Failed to open service configuration with error'
- 'Failed to connect to the driver to update configuration'
filter_generic_english:
Description|contains|all:
- 'Failed to open service configuration with error'
- 'Last error: The media is write protected.'
filter_by_errorcode:
Description|contains:
- 'Failed to open service configuration with error 19'
- 'Failed to open service configuration with error 93'
condition: selection_error and not 1 of filter*
falsepositives:
- Legitimate administrative action
level: high
Convert to SIEM query
high
Strong
Low FP
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
view Sigma YAML
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
status: test
description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_status
detection:
selection_stop:
State: Stopped
selection_conf:
- 'Sysmon config state changed'
filter:
State: Started
condition: 1 of selection_* and not filter
falsepositives:
- Legitimate administrative action
level: high
Convert to SIEM query
high
Moderate
High FP
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
view Sigma YAML
title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains: ' 385201' # Sysmon driver default altitude
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Sysmon Driver Altitude Change
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
view Sigma YAML
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: test
description: |
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
references:
- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650
- https://youtu.be/zSihR3lTf7g
author: B.Talebi
date: 2022-07-28
modified: 2024-03-25
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Services\'
TargetObject|endswith: '\Instances\Sysmon Instance\Altitude'
condition: selection
falsepositives:
- Legitimate driver altitude change to hide sysmon
level: high
Convert to SIEM query
high
Moderate
High FP
Sysmon Driver Unloaded Via Fltmc.EXE
Detects possible Sysmon filter driver unloaded via fltmc.exe
view Sigma YAML
title: Sysmon Driver Unloaded Via Fltmc.EXE
id: 4d7cda18-1b12-4e52-b45c-d28653210df8
related:
- id: 4931188c-178e-4ee7-a348-39e8a7a56821 # Generic
type: similar
status: test
description: Detects possible Sysmon filter driver unloaded via fltmc.exe
references:
- https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
author: Kirill Kiryanov, oscd.community
date: 2019-10-23
modified: 2023-02-13
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1070
- attack.t1685
- attack.t1685.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\fltMC.exe'
- OriginalFileName: 'fltMC.exe'
selection_cli:
CommandLine|contains|all:
- 'unload'
- 'sysmon'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
view Sigma YAML
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: test
description: |
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
references:
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
- https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
- https://github.com/mhaskar/FsquirtCPLPoC
- https://securelist.com/sidewinder-apt/114089/
author: Anish Bogati
date: 2024-01-09
modified: 2026-02-17
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith:
- '\appwiz.cpl' # Usually loaded by fondue.exe
- '\bthprops.cpl' # Usually loaded by fsquirt.exe
- '\hdwwiz.cpl' # Usually loaded by hdwwiz.exe
filter_main_legit_location:
ImageLoaded|startswith:
- 'C:\Windows\Prefetch\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_cpl_from_non_system_location/info.yml
Convert to SIEM query
high
Strong
Medium FP
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
view Sigma YAML
title: System File Execution Location Anomaly
id: e4a6b256-3e47-40fc-89d2-7a477edd6915
related:
- id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
type: derived
status: test
description: |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
references:
- https://twitter.com/GelosSnake/status/934900723426439170
- https://asec.ahnlab.com/en/39828/
- https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html
author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2017-11-27
modified: 2026-02-12
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\atbroker.exe'
- '\audiodg.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\certreq.exe'
- '\certutil.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\consent.exe'
- '\cscript.exe'
- '\csrss.exe'
- '\dashost.exe'
- '\defrag.exe'
- '\dfrgui.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
- '\dism.exe'
- '\dllhost.exe'
- '\dllhst3g.exe'
- '\dwm.exe'
- '\eventvwr.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\finger.exe'
- '\logonui.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\ntoskrnl.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\runonce.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\services.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\userinit.exe'
- '\werfault.exe'
- '\werfaultsecure.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winver.exe'
- '\wlanext.exe'
- '\wscript.exe'
- '\wsl.exe'
- '\wsmprovhost.exe' # Was seen used by Lazarus Group - https://asec.ahnlab.com/en/39828/
filter_main_generic:
Image|startswith:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\uus\'
- 'C:\Windows\WinSxS\'
filter_optional_system32:
Image|contains: '\SystemRoot\System32\'
filter_main_powershell:
Image|contains:
- 'C:\Program Files\PowerShell\7\'
- 'C:\Program Files\PowerShell\7-preview\'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store
Image|endswith: '\pwsh.exe'
filter_main_wsl_programfiles:
Image|startswith:
- 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux'
- 'C:\Program Files\WSL\'
Image|endswith: '\wsl.exe'
filter_main_wsl_appdata:
Image|startswith: C:\Users\'
Image|contains: '\AppData\Local\Microsoft\WindowsApps\'
Image|endswith: '\wsl.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly/info.yml
Convert to SIEM query
high
Moderate
Medium FP
System Restore Registry Modification via CommandLine
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
view Sigma YAML
title: System Restore Registry Modification via CommandLine
id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
related:
- id: 5de03871-5d46-4539-a82d-3aa992a69a83
type: similar
status: experimental
description: |
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-11
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
selection_cli_reg_root:
CommandLine|contains:
- '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
selection_cli_reg_key:
CommandLine|contains:
- 'DisableConfig'
- 'DisableSR'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable System Restore Through Registry
technique: T1490
atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
Convert to SIEM query
high
Moderate
Low FP
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
view Sigma YAML
title: T1047 Wmiprvse Wbemcomn DLL Hijack
id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
date: 2020-10-12
modified: 2022-02-24
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
view Sigma YAML
title: TAIDOOR RAT DLL Load
id: d1aa3382-abab-446f-96ea-4de52908210b
status: test
description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
references:
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
author: Florian Roth (Nextron Systems)
date: 2020-07-30
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1055.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'dll,MyStart'
- 'dll MyStart'
selection2a:
CommandLine|endswith: ' MyStart'
selection2b:
CommandLine|contains: 'rundll32.exe'
condition: selection1 or ( selection2a and selection2b )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
view Sigma YAML
title: Tamper Windows Defender - PSClassic
id: ec19ebab-72dc-40e1-9728-4c0b805d722c
related:
- id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
type: similar
status: test
description: Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-06-07
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_classic_provider_start
detection:
selection_set_mppreference:
Data|contains: 'Set-MpPreference'
selection_options_bool_allow:
Data|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_options_actions_func:
Data|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: selection_set_mppreference and 1 of selection_options_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
view Sigma YAML
title: Tamper Windows Defender - ScriptBlockLogging
id: 14c71865-6cd3-44ae-adaa-1db923fae5f2
related:
- id: ec19ebab-72dc-40e1-9728-4c0b805d722c
type: derived
status: test
description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-16
modified: 2024-01-02
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_options_disabling_preference:
ScriptBlockText|contains: 'Set-MpPreference'
selection_options_disabling_function:
ScriptBlockText|contains:
- '-dbaf $true'
- '-dbaf 1'
- '-dbm $true'
- '-dbm 1'
- '-dips $true'
- '-dips 1'
- '-DisableArchiveScanning $true'
- '-DisableArchiveScanning 1'
- '-DisableBehaviorMonitoring $true'
- '-DisableBehaviorMonitoring 1'
- '-DisableBlockAtFirstSeen $true'
- '-DisableBlockAtFirstSeen 1'
- '-DisableCatchupFullScan $true'
- '-DisableCatchupFullScan 1'
- '-DisableCatchupQuickScan $true'
- '-DisableCatchupQuickScan 1'
- '-DisableIntrusionPreventionSystem $true'
- '-DisableIntrusionPreventionSystem 1'
- '-DisableIOAVProtection $true'
- '-DisableIOAVProtection 1'
- '-DisableRealtimeMonitoring $true'
- '-DisableRealtimeMonitoring 1'
- '-DisableRemovableDriveScanning $true'
- '-DisableRemovableDriveScanning 1'
- '-DisableScanningMappedNetworkDrivesForFullScan $true'
- '-DisableScanningMappedNetworkDrivesForFullScan 1'
- '-DisableScanningNetworkFiles $true'
- '-DisableScanningNetworkFiles 1'
- '-DisableScriptScanning $true'
- '-DisableScriptScanning 1'
- '-MAPSReporting $false'
- '-MAPSReporting 0'
- '-drdsc $true'
- '-drdsc 1'
- '-drtm $true'
- '-drtm 1'
- '-dscrptsc $true'
- '-dscrptsc 1'
- '-dsmndf $true'
- '-dsmndf 1'
- '-dsnf $true'
- '-dsnf 1'
- '-dss $true'
- '-dss 1'
selection_other_default_actions_allow:
ScriptBlockText|contains: 'Set-MpPreference'
selection_other_default_actions_func:
ScriptBlockText|contains:
- 'HighThreatDefaultAction Allow'
- 'htdefac Allow'
- 'LowThreatDefaultAction Allow'
- 'ltdefac Allow'
- 'ModerateThreatDefaultAction Allow'
- 'mtdefac Allow'
- 'SevereThreatDefaultAction Allow'
- 'stdefac Allow'
condition: all of selection_options_disabling_* or all of selection_other_default_actions_*
falsepositives:
- Legitimate PowerShell scripts that disable Windows Defender for troubleshooting purposes. Must be investigated.
level: high
Convert to SIEM query
high
Strong
High FP
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
view Sigma YAML
title: Tamper Windows Defender Remove-MpPreference
id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
related:
- id: ae2bdd58-0681-48ac-be7f-58ab4e593458
type: similar
status: test
description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_remove:
CommandLine|contains: 'Remove-MpPreference'
selection_tamper:
CommandLine|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
Strong
High FP
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
view Sigma YAML
title: Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
id: ae2bdd58-0681-48ac-be7f-58ab4e593458
related:
- id: 07e3cb2c-0608-410d-be4b-1511cb1a0448
type: similar
status: test
description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
references:
- https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_remove:
ScriptBlockText|contains: 'Remove-MpPreference'
selection_tamper:
ScriptBlockText|contains:
- '-ControlledFolderAccessProtectedFolders '
- '-AttackSurfaceReductionRules_Ids '
- '-AttackSurfaceReductionRules_Actions '
- '-CheckForSignaturesBeforeRunningScan '
condition: all of selection_*
falsepositives:
- Legitimate PowerShell scripts
level: high
Convert to SIEM query
high
Strong
Medium FP
Tamper With Sophos AV Registry Keys
Detects tamper attempts to sophos av functionality via registry key modification
view Sigma YAML
title: Tamper With Sophos AV Registry Keys
id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
status: test
description: Detects tamper attempts to sophos av functionality via registry key modification
references:
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-02
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
- '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
- '\Sophos\SAVService\TamperProtection\Enabled'
Details: DWORD (0x00000000)
condition: selection
falsepositives:
- Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
level: high
Convert to SIEM query
high
Moderate
High FP
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
view Sigma YAML
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
- https://www.exploit-db.com/exploits/37525
- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'taskkill'
- ' /F '
- ' /IM '
- 'ccSvcHst.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
view Sigma YAML
title: Taskmgr as LOCAL_SYSTEM
id: 9fff585c-c33e-4a86-b3cd-39312079a65f
status: test
description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-03-18
modified: 2022-05-27
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
Image|endswith: '\taskmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
view Sigma YAML
title: Tasks Folder Evasion
id: cc4e02ba-9c06-48e2-b09e-2500cace9ae0
status: test
description: |
The Tasks folder in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
references:
- https://twitter.com/subTee/status/1216465628946563073
- https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
author: Sreeman
date: 2020-01-13
modified: 2022-12-25
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
category: process_creation
detection:
selection1:
CommandLine|contains:
- 'echo '
- 'copy '
- 'type '
- 'file createnew'
selection2:
CommandLine|contains:
- ' C:\Windows\System32\Tasks\'
- ' C:\Windows\SysWow64\Tasks\'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1501-1550 of 1,713