SOAR
Panther
1,490 rules · Sigma detections in Panther syntax
The same Sigma detection corpus, machine-rendered into Panther query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 3,742 rules (.zip, 1.7 MB)
Every Panther query in this view, packaged to deploy.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,490
medium
Strong
Medium FP
Suspicious PowerShell In Registry Run Keys
Detects potential PowerShell commands or code within registry run keys
view Sigma YAML
title: Suspicious PowerShell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: test
description: Detects potential PowerShell commands or code within registry run keys
references:
- https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2025-07-18
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
- '\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
- '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
Details|contains:
- 'powershell'
- 'pwsh '
- 'FromBase64String'
- '.DownloadFile('
- '.DownloadString('
- ' -w hidden '
- ' -w 1 '
- '-windowstyle hidden'
- '-window hidden'
- ' -nop '
- ' -encodedcommand '
- '-ExecutionPolicy Bypass'
- 'Invoke-Expression'
- 'IEX ('
- 'Invoke-Command'
- 'ICM -'
- 'Invoke-WebRequest'
- 'IWR '
- 'Invoke-RestMethod'
- 'IRM '
- ' -noni '
- ' -noninteractive '
condition: selection
falsepositives:
- Legitimate admin or third party scripts. Baseline according to your environment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
view Sigma YAML
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
- https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
filter_health_service:
CurrentDirectory|contains: '\Health Service State\'
condition: selection and not 1 of filter_*
falsepositives:
- Microsoft Operations Manager (MOM)
- Other scripts
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
view Sigma YAML
title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: obsolete
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_convert_b64:
CommandLine|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex:
CommandLine|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc:
CommandLine|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg:
CommandLine|contains|all:
- 'powershell'
- 'reg'
- 'add'
- '\software\'
selection_webclient:
CommandLine|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
CommandLine|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
CommandLine|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
view Sigma YAML
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
- attack.stealth
- attack.t1564.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'WindowStyle'
- 'Hidden'
filter:
ScriptBlockText|contains|all:
- ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
- '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
view Sigma YAML
title: Suspicious Powercfg Execution To Change Lock Screen Timeout
id: f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b
status: test
description: Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
author: frack113
date: 2022-11-18
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_power:
- Image|endswith: '\powercfg.exe'
- OriginalFileName: 'PowerCfg.exe'
selection_standby:
# powercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK
- CommandLine|contains|all:
- '/setacvalueindex '
- 'SCHEME_CURRENT'
- 'SUB_VIDEO'
- 'VIDEOCONLOCK'
# powercfg -change -standby-timeout-dc 3000
# powercfg -change -standby-timeout-ac 3000
- CommandLine|contains|all:
- '-change '
- '-standby-timeout-'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
view Sigma YAML
title: Suspicious Process Start Locations
id: 15b75071-74cc-47e0-b4c6-b43744a62a2b
status: test
description: Detects suspicious process run from unusual locations
references:
- https://car.mitre.org/wiki/CAR-2013-05-002
author: juju4, Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2022-01-07
tags:
- attack.stealth
- attack.t1036
- car.2013-05-002
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains:
- ':\RECYCLER\'
- ':\SystemVolumeInformation\'
- Image|startswith:
- 'C:\Windows\Tasks\'
- 'C:\Windows\debug\'
- 'C:\Windows\fonts\'
- 'C:\Windows\help\'
- 'C:\Windows\drivers\'
- 'C:\Windows\addins\'
- 'C:\Windows\cursors\'
- 'C:\Windows\system32\tasks\'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
view Sigma YAML
title: Suspicious RASdial Activity
id: 6bba49bf-7f8c-47d6-a1bb-6b4dece4640e
status: test
description: Detects suspicious process related to rasdial.exe
references:
- https://twitter.com/subTee/status/891298217907830785
author: juju4
date: 2019-01-16
modified: 2021-11-27
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: 'rasdial.exe'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
view Sigma YAML
title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
- id: cef24b90-dddc-4ae1-a09a-8764872f69fc
type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: windows
detection:
# Covers group and localgroup flags
selection_cmdlet:
CommandLine|contains: 'Get-LocalGroupMember '
selection_group:
CommandLine|contains:
# Add more groups for other languages
- 'domain admins'
- ' administrator' # Typo without an 'S' so we catch both
- ' administrateur' # Typo without an 'S' so we catch both
- 'enterprise admins'
- 'Exchange Trusted Subsystem'
- 'Remote Desktop Users'
- 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
- 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
condition: all of selection_*
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Recursive Takeown
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
view Sigma YAML
title: Suspicious Recursive Takeown
id: 554601fb-9b71-4bcc-abf4-21a611be4fde
status: test
description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
author: frack113
date: 2022-01-30
modified: 2022-11-21
tags:
- attack.defense-impairment
- attack.t1222.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\takeown.exe'
CommandLine|contains|all:
- '/f '
- '/r'
condition: selection
falsepositives:
- Scripts created by developers and admins
- Administrative activity
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Rejected SMB Guest Logon From IP
Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
view Sigma YAML
title: Suspicious Rejected SMB Guest Logon From IP
id: 71886b70-d7b4-4dbf-acce-87d2ca135262
status: test
description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
references:
- https://twitter.com/KevTheHermit/status/1410203844064301056
- https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/
- https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
author: Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w
date: 2021-06-30
modified: 2023-01-02
tags:
- attack.credential-access
- attack.t1110.001
logsource:
product: windows
service: smbclient-security
detection:
selection:
EventID: 31017
UserName: ''
ServerName|startswith: '\1'
condition: selection
falsepositives:
- Account fallback reasons (after failed login with specific account)
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
view Sigma YAML
title: Suspicious Remote Logon with Explicit Credentials
id: 941e5c45-cda7-4864-8cea-bbb7458d194a
status: test
description: Detects suspicious processes logging on with explicit credentials
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton
date: 2020-10-05
modified: 2022-08-03
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.stealth
- attack.t1078
- attack.lateral-movement
logsource:
product: windows
service: security
detection:
selection:
EventID: 4648
ProcessName|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\winrs.exe'
- '\wmic.exe'
- '\net.exe'
- '\net1.exe'
- '\reg.exe'
filter1:
TargetServerName: 'localhost'
filter2:
SubjectUserName|endswith: '$'
TargetUserName|endswith: '$'
condition: selection and not 1 of filter*
falsepositives:
- Administrators that use the RunAS command or scheduled tasks
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
view Sigma YAML
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_user:
CommandLine|contains:
- ' -u system '
- ' --user system '
- ' -u NT'
- ' -u "NT'
- " -u 'NT"
- ' --system '
- ' -u administrator '
selection_command:
CommandLine|contains:
- ' -c cmd'
- ' -c "cmd'
- ' -c powershell'
- ' -c "powershell'
- ' --command cmd'
- ' --command powershell'
- ' -c whoami'
- ' -c wscript'
- ' -c cscript'
condition: all of selection*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
High FP
Suspicious Rundll32 Setupapi.dll Activity
setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
view Sigma YAML
title: Suspicious Rundll32 Setupapi.dll Activity
id: 285b85b1-a555-4095-8652-a8a4106af63f
status: test
description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
references:
- https://lolbas-project.github.io/lolbas/Libraries/Setupapi/
- https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
- https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
- https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
author: Konstantin Grishchenko, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1218.011
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\runonce.exe'
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- 'setupapi.dll'
- 'InstallHinfSection'
condition: selection
falsepositives:
- Scripts and administrative tools that use INF files for driver installation with setupapi.dll
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Suspicious Runscripthelper.exe
Detects execution of powershell scripts via Runscripthelper.exe
view Sigma YAML
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\Runscripthelper.exe'
CommandLine|contains: 'surfacecheck'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious SQL Query
Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
view Sigma YAML
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.t1190
- attack.t1505.001
logsource:
category: database
definition: 'Requirements: Must be able to log the SQL queries'
detection:
keywords:
- 'drop'
- 'truncate'
- 'dump'
- 'select \*'
condition: keywords
falsepositives:
- Inventory and monitoring activity
- Vulnerability scanners
- Legitimate applications
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
view Sigma YAML
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: test
description: Detects Access to Domain Group Policies stored in SYSVOL
references:
- https://adsecurity.org/?p=2288
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018-04-09
modified: 2022-01-07
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\SYSVOL\'
- '\policies\'
condition: selection
falsepositives:
- Administrative activity
level: medium
Convert to SIEM query
medium
Strong
High FP
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
view Sigma YAML
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://ss64.com/nt/for.html
- https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
- attack.execution
- attack.t1059
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: windows
detection:
selection_loop:
CommandLine|contains:
- 'for '
- 'foreach '
selection_tools:
CommandLine|contains:
- 'nslookup'
- 'ping'
condition: all of selection_*
falsepositives:
- Legitimate script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
view Sigma YAML
title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
references:
- https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
- https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1036.005
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_create:
CommandLine|contains:
- '/create'
- '-create'
selection_cli_xml:
CommandLine|contains:
- '/xml'
- '-xml'
filter_main_extension_xml:
CommandLine|contains: '.xml'
filter_main_system_process:
IntegrityLevel:
- 'System'
- 'S-1-16-16384'
filter_main_rundll32:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- ':\WINDOWS\Installer\MSI'
- '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
filter_optional_third_party:
ParentImage|endswith:
# Consider removing any tools that you don't use to avoid blind spots
- ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
- ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
- ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
- ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
- ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
view Sigma YAML
title: Suspicious Scheduled Task Name As GUID
id: ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b
status: test
description: Detects creation of a scheduled task with a GUID like name
references:
- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains: '/Create '
selection_tn:
CommandLine|contains:
# Can start with single or double quote
- '/TN "{'
- "/TN '{"
- "/TN {"
selection_end:
CommandLine|contains:
# Ending of the name to avoid possible FP in the rest of the commandline
- '}"'
- "}'"
- '} '
condition: all of selection_*
falsepositives:
- Legitimate software naming their tasks as GUIDs
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
view Sigma YAML
title: Suspicious Schtasks Schedule Type With High Privileges
id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
related:
- id: 24c8392b-aa3c-46b7-a545-43f71657fe98
type: similar
status: test
description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_time:
CommandLine|contains:
- ' ONLOGON '
- ' ONSTART '
- ' ONCE '
- ' ONIDLE '
selection_privs:
CommandLine|contains:
- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
- 'HIGHEST'
condition: all of selection_*
falsepositives:
- Some installers were seen using this method of creation unfortunately. Filter them in your environment
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
view Sigma YAML
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.002
logsource:
category: process_creation
product: windows
detection:
selection_reg:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'HKEY_CURRENT_USER\Control Panel\Desktop'
- 'HKCU\Control Panel\Desktop'
selection_option_1: # /force Active ScreenSaveActive
CommandLine|contains|all:
- '/v ScreenSaveActive'
- '/t REG_SZ'
- '/d 1'
- '/f'
selection_option_2: # /force set ScreenSaveTimeout
CommandLine|contains|all:
- '/v ScreenSaveTimeout'
- '/t REG_SZ'
- '/d '
- '/f'
selection_option_3: # /force set ScreenSaverIsSecure
CommandLine|contains|all:
- '/v ScreenSaverIsSecure'
- '/t REG_SZ'
- '/d 0'
- '/f'
selection_option_4: # /force set a .scr
CommandLine|contains|all:
- '/v SCRNSAVE.EXE'
- '/t REG_SZ'
- '/d '
- '.scr'
- '/f'
condition: selection_reg and 1 of selection_option_*
falsepositives:
- GPO
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
view Sigma YAML
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.002
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '.scr'
filter_generic:
Image|endswith:
- '\Kindle.exe'
- '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
filter_tiworker:
# ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
Image|endswith: '\TiWorker.exe'
TargetFilename|endswith: '\uwfservicingscr.scr'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Service Installed
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
view Sigma YAML
title: Suspicious Service Installed
id: f2485272-a156-4773-82d7-1d178bc4905b
status: test
description: |
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
references:
- https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019-04-08
modified: 2023-08-17
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject:
- 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
- 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
filter:
Image|endswith:
# Please add the full paths that you use in your environment to tighten the rule
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
- '\handle.exe'
- '\handle64.exe'
Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
condition: selection and not filter
falsepositives:
- Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
view Sigma YAML
title: Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
id: 2d9403d5-7927-46b7-8216-37ab7c9ec5e3
status: test
description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Sittikorn S
date: 2020-05-31
modified: 2023-08-17
tags:
- attack.stealth
- attack.t1221
- detection.emerging-threats
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|startswith: 'HKCR\ms-msdt\'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
view Sigma YAML
title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
- https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1548.002
- attack.t1546.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\shell\open\command\'
Details|contains:
- '\$Recycle.Bin\'
- '\AppData\Local\Temp\'
- '\Contacts\'
- '\Music\'
- '\PerfLogs\'
- '\Photos\'
- '\Pictures\'
- '\Users\Public\'
- '\Videos\'
- '\Windows\Temp\'
- '%AppData%'
- '%LocalAppData%'
- '%Temp%'
- '%tmp%'
condition: selection
falsepositives:
- Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Start-Process PassThru
Powershell use PassThru option to start in background
view Sigma YAML
title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: test
description: Powershell use PassThru option to start in background
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022-01-15
tags:
- attack.stealth
- attack.t1036.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Start-Process
- '-PassThru '
- '-FilePath '
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
view Sigma YAML
title: Suspicious SysAidServer Child
id: 60bfeac3-0d35-4302-8efb-1dd16f715bc6
status: test
description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
references:
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022-08-26
tags:
- attack.lateral-movement
- attack.t1210
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentCommandLine|contains: 'SysAidServer'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious TCP Tunnel Via PowerShell Script
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
view Sigma YAML
title: Suspicious TCP Tunnel Via PowerShell Script
id: bd33d2aa-497e-4651-9893-5c5364646595
status: test
description: Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
references:
- https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-08
tags:
- attack.command-and-control
- attack.t1090
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '[System.Net.HttpWebRequest]'
- 'System.Net.Sockets.TcpListener'
- 'AcceptTcpClient'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Unblock-File
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
view Sigma YAML
title: Suspicious Unblock-File
id: 5947497f-1aa4-41dd-9693-c9848d58727d
status: test
description: Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
author: frack113
date: 2022-02-01
tags:
- attack.defense-impairment
- attack.t1553.005
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Unblock-File '
- '-Path '
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
view Sigma YAML
title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
id: a58353df-af43-4753-bad0-cd83ef35eef5
related:
- id: 2afafd61-6aae-4df4-baed-139fa1f4c345
type: derived
status: test
description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-14
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ntdsutil.exe'
- OriginalFileName: 'ntdsutil.exe'
selection_cli:
- CommandLine|contains|all:
- 'snapshot'
- 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
- CommandLine|contains|all:
# This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
# The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
# Same case with the "instance" flag
- 'ac'
- ' i'
- ' ntds'
condition: all of selection_*
falsepositives:
- Legitimate usage to restore snapshots
- Legitimate admin activity
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
This behavior has been observed in various malicious lnk files.
view Sigma YAML
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.
This behavior has been observed in various malicious lnk files.
references:
- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_tokens:
CommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
selection_tokens_parent:
ParentCommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
Medium FP
Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
view Sigma YAML
title: Suspicious Use of /dev/tcp
id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
status: test
description: Detects suspicious command with /dev/tcp
references:
- https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
- https://book.hacktricks.xyz/shells/shells/linux
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
author: frack113
date: 2021-12-10
modified: 2023-01-06
tags:
- attack.reconnaissance
logsource:
product: linux
detection:
keywords:
- 'cat </dev/tcp/'
- 'exec 3<>/dev/tcp/'
- 'echo >/dev/tcp/'
- 'bash -i >& /dev/tcp/'
- 'sh -i >& /dev/udp/'
- '0<&196;exec 196<>/dev/tcp/'
- 'exec 5<>/dev/tcp/'
- '(sh)0>/dev/tcp/'
- 'bash -c ''bash -i >& /dev/tcp/'
- 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
view Sigma YAML
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
- https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1087
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'psloglist.exe'
- Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
selection_cli_eventlog:
CommandLine|contains:
- ' security'
- ' application'
- ' system'
selection_cli_flags:
CommandLine|contains|windash:
- ' -d'
- ' -x'
- ' -s'
- ' -c' # Clear event log after displaying
- ' -g' # Export an event log as an evt file.
condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
view Sigma YAML
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
- https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst
- https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-07-19
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-user-agent|contains:
# Add more tools as you see fit
- 'Wfuzz/'
- 'WPScan v'
- 'Recon-ng/v'
- 'GIS - AppSec Team - Project Vision'
condition: selection
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
view Sigma YAML
title: Suspicious Userinit Child Process
id: b655a06a-31c0-477a-95c2-3726b83d649d
status: test
description: Detects a suspicious child process of userinit
references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
date: 2019-06-17
modified: 2025-10-17
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter_main_netlogon:
CommandLine|contains: '\netlogon\'
filter_main_explorer:
- Image|endswith: '\explorer.exe'
- OriginalFileName: 'explorer.exe'
- CommandLine: 'C:\Windows\Explorer.EXE'
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative scripts
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
This allows to create values in the registry and install drivers.
For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
view Sigma YAML
title: Suspicious VBoxDrvInst.exe Parameters
id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
status: test
description: |
Detect VBoxDrvInst.exe run with parameters allowing processing INF file.
This allows to create values in the registry and install drivers.
For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
- https://twitter.com/pabraeken/status/993497996179492864
author: Konstantin Grishchenko, oscd.community
date: 2020-10-06
modified: 2021-11-27
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\VBoxDrvInst.exe'
CommandLine|contains|all:
- 'driver'
- 'executeinf'
condition: selection
falsepositives:
- Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
view Sigma YAML
title: Suspicious VSFTPD Error Messages
id: 377f33a1-4b36-4ee1-acee-1dbe4b43cfbe
status: test
description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
references:
- https://github.com/dagwieers/vsftpd/
author: Florian Roth (Nextron Systems)
date: 2017-07-05
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1190
logsource:
product: linux
service: vsftpd
detection:
keywords:
- 'Connection refused: too many sessions for this address.'
- 'Connection refused: tcp_wrappers denial.'
- 'Bad HTTP verb.'
- 'port and pasv both active'
- 'pasv and port both active'
- 'Transfer done (but failed to open directory).'
- 'Could not set file modification time.'
- 'bug: pid active in ptrace_sandbox_free'
- 'PTRACE_SETOPTIONS failure'
- 'weird status:'
- 'couldn''t handle sandbox event'
- 'syscall * out of bounds'
- 'syscall not permitted:'
- 'syscall validate failed:'
- 'Input line too long.'
- 'poor buffer accounting in str_netfd_alloc'
- 'vsf_sysutil_read_loop'
condition: keywords
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
view Sigma YAML
title: Suspicious Vsls-Agent Command With AgentExtensionPath Load
id: 43103702-5886-11ed-9b6a-0242ac120002
status: test
description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
references:
- https://twitter.com/bohops/status/1583916360404729857
author: bohops
date: 2022-10-30
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vsls-agent.exe'
CommandLine|contains: '--agentExtensionPath'
filter:
CommandLine|contains: 'Microsoft.VisualStudio.LiveShare.Agent.'
condition: selection and not filter
falsepositives:
- False positives depend on custom use of vsls-agent.exe
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious WSMAN Provider Image Loads
Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
view Sigma YAML
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
status: test
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
- https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-17
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.003
logsource:
category: image_load
product: windows
detection:
request_client:
- ImageLoaded|endswith:
- '\WsmSvc.dll'
- '\WsmAuto.dll'
- '\Microsoft.WSMan.Management.ni.dll'
- OriginalFileName:
- 'WsmSvc.dll'
- 'WSMANAUTOMATION.DLL'
- 'Microsoft.WSMan.Management.dll'
respond_server:
Image|endswith: '\svchost.exe'
OriginalFileName: 'WsmWmiPl.dll'
filter_general:
Image:
- 'C:\Program Files (x86)\PowerShell\6\pwsh.exe'
- 'C:\Program Files (x86)\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\6\pwsh.exe'
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Windows\System32\sdiagnhost.exe'
- 'C:\Windows\System32\services.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
filter_svchost: # not available in Sysmon data, but Aurora logs
CommandLine|contains:
- 'svchost.exe -k netsvcs -p -s BITS'
- 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc'
- 'svchost.exe -k NetworkService -p -s Wecsvc'
- 'svchost.exe -k netsvcs'
filter_mscorsvw: # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Image|startswith:
- 'C:\Windows\Microsoft.NET\Framework64\v'
- 'C:\Windows\Microsoft.NET\Framework\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm\v'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
Image|endswith: '\mscorsvw.exe'
filter_svr_2019:
Image:
- 'C:\Windows\System32\Configure-SMRemoting.exe'
- 'C:\Windows\System32\ServerManager.exe'
filter_nextron:
Image|startswith: 'C:\Windows\Temp\asgard2-agent\'
filter_citrix:
Image|startswith: 'C:\Program Files\Citrix\'
filter_upgrade:
Image|startswith: 'C:\$WINDOWS.~BT\Sources\'
filter_mmc:
Image|endswith: '\mmc.exe'
svchost:
Image|endswith: '\svchost.exe'
commandline_null:
CommandLine: null
condition: ( request_client or respond_server ) and not 1 of filter* and not ( svchost and commandline_null )
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
view Sigma YAML
title: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
id: 48917adc-a28e-4f5d-b729-11e75da8941f
status: test
description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
references:
- https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
- https://redcanary.com/threat-detection-report/threats/qbot/
author: frack113
date: 2022-02-13
modified: 2023-02-04
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains:
- 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
- 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
CommandLine|contains|all:
- 'ADD '
- '/t '
- 'REG_DWORD '
- '/v '
- '/d '
- '0'
condition: selection
falsepositives:
- Legitimate use
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious WindowsTerminal Child Processes
Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
view Sigma YAML
title: Suspicious WindowsTerminal Child Processes
id: 8de89e52-f6e1-4b5b-afd1-41ecfa300d48
status: test
description: Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
references:
- https://persistence-info.github.io/Data/windowsterminalprofile.html
- https://twitter.com/nas_bench/status/1550836225652686848
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-25
modified: 2023-02-14
tags:
- attack.execution
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\WindowsTerminal.exe'
- '\wt.exe'
selection_susp:
- Image|endswith:
# Add more LOLBINS
- '\rundll32.exe'
- '\regsvr32.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\csc.exe'
- Image|contains:
# Add more suspicious paths
- 'C:\Users\Public\'
- '\Downloads\'
- '\Desktop\'
- '\AppData\Local\Temp\'
- '\Windows\TEMP\'
- CommandLine|contains:
# Add more suspicious commandline
- ' iex '
- ' icm'
- 'Invoke-'
- 'Import-Module '
- 'ipmo '
- 'DownloadString('
- ' /c '
- ' /k '
- ' /r '
filter_builtin_visual_studio_shell:
CommandLine|contains|all:
- 'Import-Module'
- 'Microsoft.VisualStudio.DevShell.dll'
- 'Enter-VsDevShell'
filter_open_settings:
CommandLine|contains|all:
- '\AppData\Local\Packages\Microsoft.WindowsTerminal_'
- '\LocalState\settings.json'
filter_vsdevcmd:
CommandLine|contains|all:
- 'C:\Program Files\Microsoft Visual Studio\'
- '\Common7\Tools\VsDevCmd.bat'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Other legitimate "Windows Terminal" profiles
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
view Sigma YAML
title: Suspicious Wordpad Outbound Connections
id: 786cdae8-fefb-4eb2-9227-04e34060db01
status: test
description: |
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-15
tags:
- attack.command-and-control
- attack.stealth
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\wordpad.exe'
filter_main_ports:
DestinationPort:
- 80
- 139
- 443
- 445
- 465
- 587
- 993
- 995
condition: selection and not 1 of filter_main_*
falsepositives:
- Other ports can be used, apply additional filters accordingly
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious Workstation Locking via Rundll32
Detects a suspicious call to the user32.dll function that locks the user workstation
view Sigma YAML
title: Suspicious Workstation Locking via Rundll32
id: 3b5b0213-0460-4e3f-8937-3abf98ff7dcc
status: test
description: Detects a suspicious call to the user32.dll function that locks the user workstation
references:
- https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
author: frack113
date: 2022-06-04
modified: 2023-02-09
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_call_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_call_parent:
ParentImage|endswith: '\cmd.exe'
selection_call_cli:
CommandLine|contains: 'user32.dll,'
selection_function:
CommandLine|contains: 'LockWorkStation'
condition: all of selection_*
falsepositives:
- Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious X509Enrollment - Process Creation
Detect use of X509Enrollment
view Sigma YAML
title: Suspicious X509Enrollment - Process Creation
id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
related:
- id: 504d63cb-0dba-4d02-8531-e72981aace2c
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious X509Enrollment - Ps Script
Detect use of X509Enrollment
view Sigma YAML
title: Suspicious X509Enrollment - Ps Script
id: 504d63cb-0dba-4d02-8531-e72981aace2c
related:
- id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
type: similar
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
author: frack113
date: 2022-12-23
tags:
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'X509Enrollment.CBinaryConverter'
- '884e2002-217d-11da-b2a4-000e7bbb2b09'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
Convert to SIEM query
medium
Strong
Medium FP
Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially xor encoded powershell command
view Sigma YAML
title: Suspicious XOR Encoded PowerShell Command
id: bb780e0c-16cf-4383-8383-1e5471db6cf9
related:
- id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
type: obsolete
status: test
description: Detects presence of a potentially xor encoded powershell command
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
- https://redcanary.com/blog/yellow-cockatoo/
- https://zero2auto.com/2020/05/19/netwalker-re/
- https://mez0.cc/posts/cobaltstrike-powershell-exec/
author: Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali
date: 2018-09-05
modified: 2023-01-30
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
selection_cli_xor:
CommandLine|contains: 'bxor'
selection_cli_other:
CommandLine|contains:
- 'ForEach'
- 'for('
- 'for '
- '-join '
- "-join'"
- '-join"'
- '-join`'
- '::Join'
- '[char]'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
view Sigma YAML
title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
- https://twitter.com/SBousseaden/status/1451237393017839616
- https://github.com/Tylous/ZipExec
author: frack113
date: 2021-11-07
modified: 2022-12-25
tags:
- attack.execution
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
run:
CommandLine|contains|all:
- '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
- '.zip'
- '/pass:'
- '/user:'
delete:
CommandLine|contains|all:
- '/delete'
- 'Microsoft_Windows_Shell_ZipFolder:filename='
- '.zip'
condition: run or delete
falsepositives:
- Unknown
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
view Sigma YAML
title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: test
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020-10-05
modified: 2022-12-02
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains: 'SyncAppvPublishingServer.exe'
condition: selection
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
view Sigma YAML
title: SyncAppvPublishingServer Execute Arbitrary PowerShell Code
id: fbd7c32d-db2a-4418-b92c-566eb8911133
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: obsolete
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-12
modified: 2022-10-04
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SyncAppvPublishingServer.exe'
- OriginalFileName: 'syncappvpublishingserver.exe'
selection_cli:
CommandLine|contains: '"n; '
condition: all of selection_*
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
medium
Moderate
High FP
SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
view Sigma YAML
title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
id: dddfebae-c46f-439c-af7a-fdb6bde90218
related:
- id: fde7929d-8beb-4a4c-b922-be9974671667
type: derived
- id: 9f7aa113-9da6-4a8d-907c-5f1a4b908299
type: derived
status: test
description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
date: 2020-10-05
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'SyncAppvPublishingServer.exe'
condition: selection
falsepositives:
- App-V clients
level: medium
Convert to SIEM query
Showing 1251-1300 of 1,490