Sigma (generic) detection rules
174 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Detection rules
50 shown of 174
critical
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
title: OilRig APT Activity
id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
      type: similar
    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
      type: similar
    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
      type: similar
status: test
description: Detects OilRig activity as reported by Nyotron in their March 2018 report
references:
    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.t1112
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_schtasks:
        CommandLine|contains|all:
            - 'SC Scheduled Scan'
            - '\microsoft\Taskbar\autoit3.exe'
    selection_temp:
        Image|contains: '\Windows\Temp\DB\'
        Image|endswith: '.exe'
    selection_service:
        Image: 'C:\Windows\system32\Service.exe'
        CommandLine|contains:
            - 'i'
            - 'u'
    selection_autoit:
        ParentImage|endswith: '\local\microsoft\Taskbar\autoit3.exe'
        CommandLine|contains|all:
            - 'nslookup.exe'
            - '-q=TXT'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
title: OilRig APT Registry Persistence
id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
      type: similar
    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
      type: similar
    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
      type: similar
status: test
description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
references:
    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.t1112
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
OilRig APT Schedule Task Persistence - Security
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
title: OilRig APT Schedule Task Persistence - Security
id: c0580559-a6bd-4ef6-b9b7-83703d98b561
related:
    - id: 53ba33fd-3a50-4468-a5ef-c583635cfa92 # System
      type: similar
    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
      type: similar
    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
      type: similar
status: test
description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.t1112
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    product: windows
    service: security
detection:
    selection_service:
        EventID: 4698
        TaskName:
            - 'SC Scheduled Scan'
            - 'UpdatMachine'
    condition: selection_service
falsepositives:
    - Unlikely
level: critical
critical
OilRig APT Schedule Task Persistence - System
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
title: OilRig APT Schedule Task Persistence - System
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
related:
    - id: c0580559-a6bd-4ef6-b9b7-83703d98b561 # Security
      type: similar
    - id: 7bdf2a7c-3acc-4091-9581-0a77dad1c5b5 # Registry
      type: similar
    - id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
      type: similar
status: test
description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
    - https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community
date: 2018-03-23
modified: 2023-03-08
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.defense-impairment
    - attack.g0049
    - attack.t1053.005
    - attack.s0111
    - attack.t1543.003
    - attack.t1112
    - attack.command-and-control
    - attack.t1071.004
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName:
            - 'SC Scheduled Scan'
            - 'UpdatMachine'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
title: Oracle WebLogic Exploit
id: 37e8369b-43bb-4bf8-83b6-6dd43bda2000
status: test
description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
references:
    - https://twitter.com/pyn3rd/status/1020620932967223296
    - https://github.com/LandGrey/CVE-2018-2894
author: Florian Roth (Nextron Systems)
date: 2018-07-22
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - attack.persistence
    - attack.t1505.003
    - cve.2018-2894
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query: '*/config/keystore/*.js*'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
title: Oracle WebLogic Exploit CVE-2021-2109
id: 687f6504-7f44-4549-91fc-f07bab065821
status: test
description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
references:
    - https://twitter.com/pyn3rd/status/1351696768065409026
    - https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
author: Bhabesh Raj
date: 2021-01-20
modified: 2023-01-02
tags:
    - attack.t1190
    - attack.initial-access
    - cve.2021-2109
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - 'com.bea.console.handles.JndiBindingHandle'
            - 'ldap://'
            - 'AdminServer'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Pandemic Registry Key
Detects Pandemic Windows Implant
title: Pandemic Registry Key
id: 47e0852a-cf81-4494-a8e6-31864f8c86ed
status: test
description: Detects Pandemic Windows Implant
references:
    - https://wikileaks.org/vault7/#Pandemic
    - https://twitter.com/MalwareJake/status/870349480356454401
author: Florian Roth (Nextron Systems)
date: 2017-06-01
modified: 2022-10-09
tags:
    - attack.command-and-control
    - attack.t1105
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated", the privileged shell is launched.
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
status: test
description: |
    By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
    When the sticky keys are "activated", the privileged shell is launched.
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Sreeman
date: 2020-02-18
modified: 2023-03-07
tags:
    - attack.persistence
    - attack.t1546.008
    - attack.privilege-escalation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'copy '
            - '/y '
            - 'C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Possible Coin Miner CPU Priority Param
Detects a command line parameter very often used with coin miners
title: Possible Coin Miner CPU Priority Param
id: 071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed
status: test
description: Detects a command line parameter very often used with coin miners
references:
    - https://xmrig.com/docs/miner/command-line-options
author: Florian Roth (Nextron Systems)
date: 2021-10-09
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        a1|startswith: '--cpu-priority'
    cmd2:
        a2|startswith: '--cpu-priority'
    cmd3:
        a3|startswith: '--cpu-priority'
    cmd4:
        a4|startswith: '--cpu-priority'
    cmd5:
        a5|startswith: '--cpu-priority'
    cmd6:
        a6|startswith: '--cpu-priority'
    cmd7:
        a7|startswith: '--cpu-priority'
    condition: 1 of cmd*
falsepositives:
    - Other tools that use a --cpu-priority flag
level: critical
critical
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
title: Potential CVE-2021-41379 Exploitation Attempt
id: af8bbce4-f751-46b4-8d91-82a33a736f61
status: test
description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
references:
    - https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
    - https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
    - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
    - https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
author: Florian Roth (Nextron Systems)
date: 2021-11-22
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2021-41379
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_parent:
        ParentImage|endswith: '\elevation_service.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384' # System
    condition: all of selection_*
falsepositives:
    - Unknown
level: critical
critical
Potential CVE-2023-36884 Exploitation Pattern
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
title: Potential CVE-2023-36884 Exploitation Pattern
id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
status: test
description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
references:
    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
author: X__Junior
date: 2023-07-12
tags:
    - attack.command-and-control
    - cve.2023-36884
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains: '/MSHTML_C7/'
        c-uri|re: '\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
title: Potential Conti Ransomware Activity
id: 689308fc-cfba-4f72-9897-796c1dc61487
status: test
description: Detects a specific command used by the Conti ransomware group
references:
    - https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
    - https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
author: frack113
date: 2021-10-12
modified: 2023-02-13
tags:
    - attack.impact
    - attack.s0575
    - attack.t1486
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-m '
            - '-net '
            - '-size ' # Size 10 in references
            - '-nomutex '
            - '-p \\\\'
            - '$'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
references:
    - https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
    - https://twitter.com/Hexacorn/status/1420053502554951689
    - https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Windows\System32\lsass.exe'
        Image|endswith: '\Windows\System32\lsass.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
    - id: 36803969-5421-41ec-b92f-8500f79c23b0
      type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
    - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
    - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
title: Potential DCOM InternetExplorer.Application DLL Hijack
id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: f354eba5-623b-450f-b073-0b5b2773b6aa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: System
        TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
id: f354eba5-623b-450f-b073-0b5b2773b6aa
related:
    - id: e554f142-5cf3-4e55-ace9-a1b59e0def65
      type: obsolete
    - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa
      type: similar
status: test
description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
references:
    - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga
date: 2020-10-12
modified: 2022-12-18
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1021.003
logsource:
    product: windows
    category: image_load
detection:
    selection:
        Image|endswith: '\Internet Explorer\iexplore.exe'
        ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
title: Potential Dridex Activity
id: e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e
status: stable
description: Detects potential Dridex activity via specific process patterns
references:
    - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
    - https://redcanary.com/threat-detection-report/threats/dridex/
author: Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-10
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.discovery
    - attack.t1135
    - attack.t1033
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_svchost:
        Image|endswith: '\svchost.exe'
        CommandLine|contains|all:
            - 'C:\Users\'
            - '\Desktop\'
    filter_svchost:
        ParentImage|startswith: 'C:\Windows\System32\'
    selection_regsvr:
        ParentImage|endswith: '\excel.exe'
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains:
            - ' -s '
            - '\AppData\Local\Temp\'
    filter_regsvr:
        CommandLine|contains: '.dll'
    selection_anomaly_parent:
        ParentImage|endswith: '\svchost.exe'
    selection_anomaly_child_1:
        Image|endswith: '\whoami.exe'
        CommandLine|contains: ' /all'
    selection_anomaly_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: ' view'
    condition: (selection_svchost and not filter_svchost) or (selection_regsvr and not filter_regsvr) or (selection_anomaly_parent and 1 of selection_anomaly_child_*)
falsepositives:
    - Unlikely
level: critical
critical
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
title: Potential Dtrack RAT Activity
id: f1531fa4-5b84-4342-8f68-9cf3fdbd83d4
status: stable
description: Detects potential Dtrack RAT activity via specific process patterns
references:
    - https://securelist.com/my-name-is-dtrack/93338/
    - https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
    - https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
    - https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/
    - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-30
modified: 2025-11-03
tags:
    - attack.impact
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ping:
        CommandLine|re: 'ping\s+-n.{6,64}echo EEEE\s?>\s?'
    selection_ipconfig:
        CommandLine|re: 'ipconfig\s+/all'
        CommandLine|contains: '\temp\res.ip'
    selection_netsh:
        CommandLine|contains|all:
            - 'interface ip show config'
            - '\temp\netsh.res'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
title: Potential Emotet Rundll32 Execution
id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
status: test
description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
references:
    - https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html
    - https://cyber.wtf/2021/11/15/guess-whos-back/
author: FPT.EagleEye
date: 2020-12-25
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|endswith:
            - ',RunDLL'
            - ',Control_RunDLL'
            # - ',#1' too generic - function load by ordinal is not Emotet specific
    filter_legitimate_dll:
        CommandLine|endswith:
            - '.dll,Control_RunDLL'
            - '.dll",Control_RunDLL'
            - '.dll'',Control_RunDLL'
    filter_ide:
        ParentImage|endswith: '\tracker.exe' # When Visual Studio compiles a NodeJS program, it might use MSBuild to create tracker.exe, and then tracker.exe forks rundll32.exe
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
critical
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
title: Potential Maze Ransomware Activity
id: 29fd07fc-9cfd-4331-b7fd-cc18dfa21052
status: test
description: Detects specific process characteristics of Maze ransomware word document droppers
references:
    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
    - https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/
    - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
author: Florian Roth (Nextron Systems)
date: 2020-05-08
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1047
    - attack.impact
    - attack.t1490
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    # Dropper
    selection1:
        ParentImage|endswith: '\WINWORD.exe'
        Image|endswith: '.tmp'
    # Binary Execution
    selection2:
        Image|endswith: '\wmic.exe'
        ParentImage|contains: '\Temp\'
        CommandLine|endswith: 'shadowcopy delete'
    # Specific Pattern
    selection3:
        CommandLine|endswith: 'shadowcopy delete'
        CommandLine|contains: '\..\..\system32'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
title: Potential QBot Activity
id: 4fcac6eb-0287-4090-8eea-2602e4c20040
status: stable
description: Detects potential QBot activity by looking for process executions used previously by QBot
references:
    - https://twitter.com/killamjr/status/1179034907932315648
    - https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
author: Florian Roth (Nextron Systems)
date: 2019-10-01
modified: 2023-02-03
tags:
    - attack.execution
    - attack.t1059.005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentImage|endswith: '\WinRAR.exe'
        Image|endswith: '\wscript.exe'
    selection2:
        CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type '
    selection3:
        CommandLine|contains|all:
            - 'regsvr32.exe'
            - 'C:\ProgramData'
            - '.tmp'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
critical
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
title: Potential Russian APT Credential Theft Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
status: stable
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-08
tags:
    - attack.credential-access
    - attack.t1552.001
    - attack.t1003.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_xcopy:
        CommandLine|contains|all:
            - 'xcopy /S /E /C /Q /H \\\\'
            - '\sysvol\'
    selection_adexplorer:
        CommandLine|contains|all:
            - 'adexplorer -snapshot "" c:\users\'
            - '\downloads\'
            - '.snp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
title: Potential SMB Relay Attack Tool Execution
id: 5589ab4f-a767-433c-961d-c91f3f704db1
status: test
description: Detects different hacktools used for relay attacks on Windows for privilege escalation
references:
    - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
    - https://pentestlab.blog/2017/04/13/hot-potato/
    - https://github.com/ohpe/juicy-potato
    - https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
    - https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire
    - https://www.localpotato.com/
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-14
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        Image|contains:
            - 'PetitPotam'
            - 'RottenPotato'
            - 'HotPotato'
            - 'JuicyPotato'
            - '\just_dce_'
            - 'Juicy Potato'
            - '\temp\rot.exe'
            - '\Potato.exe'
            - '\SpoolSample.exe'
            - '\Responder.exe'
            - '\smbrelayx'
            - '\ntlmrelayx'
            - '\LocalPotato'
    selection_script:
        CommandLine|contains:
            - 'Invoke-Tater'
            - ' smbrelay'
            - ' ntlmrelay'
            - 'cme smb '
            - ' /ntlm:NTLMhash '
            - 'Invoke-PetitPotam'
            - '.exe -t * -p ' # JuicyPotatoNG pattern https://github.com/antonioCoco/JuicyPotatoNG
    selection_juicypotato_enum: # appears when JuicyPotatoNG is used with -b
        CommandLine|contains: '.exe -c "{'
        CommandLine|endswith: '}" -z'
    filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
        Image|contains:
            - 'HotPotatoes6'
            - 'HotPotatoes7'
            - 'HotPotatoes ' # Covers the following: 'HotPotatoes 6', 'HotPotatoes 7', 'HotPotatoes Help', 'HotPotatoes Tutorial'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate files with these rare hacktool names
level: critical
critical
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
id: ba479447-721f-42a9-9af2-6dcd517bbdb3
status: experimental
description: |
    Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.
    CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
    - https://research.eye.security/sharepoint-under-siege/
    - https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
    - https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
modified: 2025-07-24
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2025-53770
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
        TargetFilename|contains:
            - '\15\TEMPLATE\LAYOUTS\'
            - '\16\TEMPLATE\LAYOUTS\'
        TargetFilename|endswith:
            - '\spinstall.aspx'
            - '\spinstall?.aspx'
            - '\debug_dev.js'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
title: Potential SystemNightmare Exploitation Attempt
id: c01f7bd6-0c1d-47aa-9c61-187b91273a16
status: test
description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
references:
    - https://github.com/GossiTheDog/SystemNightmare
author: Florian Roth (Nextron Systems)
date: 2021-08-11
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'printnightmare.gentilkiwi.com'
            - ' /user:gentilguest '
            - 'Kiwi Legit Printer'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
title: PrinterNightmare Mimikatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: test
description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
references:
    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: Markus Neis, @markus_neis, Florian Roth
date: 2021-07-04
modified: 2023-06-12
tags:
    - attack.execution
    - attack.t1204
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
    selection_alt:
        TargetObject|contains|all:
            - 'legitprinter'
            - '\Control\Print\Environments\Windows'
    selection_print:
        TargetObject|contains:
            - '\Control\Print\Environments'
            - '\CurrentVersion\Print\Printers'
    selection_kiwi:
        TargetObject|contains:
            - 'Gentil Kiwi'
            - 'mimikatz printer'
            - 'Kiwi Legit Printer'
    condition: selection or selection_alt or (selection_print and selection_kiwi)
falsepositives:
    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical
critical
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021-08-09
modified: 2023-01-23
tags:
    - attack.t1587.001
    - attack.resource-development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical
critical
ProxyLogon Reset Virtual Directories Based On IIS Log
Detects the reset of Exchange virtual directories, as seen when exploiting ProxyLogon (CVE-2021-26858), where an SSRF attack is used to manipulate virtual directories
title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: test
description: Detects the reset of Exchange virtual directories, as seen when exploiting ProxyLogon (CVE-2021-26858), where an SSRF attack is used to manipulate virtual directories
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021-08-10
modified: 2023-05-08
tags:
    - cve.2021-26858
    - detection.emerging-threats
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        '|all':
            - 'POST'
            - 200
            - '/ecp/DDI/DDIService.svc/SetObject'
            - 'schema=Reset'
            - 'VirtualDirectory'
            - '$'
    condition: selection or keywords
falsepositives:
    - Unlikely
level: critical
critical
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
title: Pulse Secure Attack CVE-2019-11510
id: 2dbc10d7-a797-49a8-8776-49efa6442e60
status: test
description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
references:
    - https://www.exploit-db.com/exploits/47297
author: Florian Roth (Nextron Systems)
date: 2019-11-18
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2019-11510
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query: '*?/dana/html5acc/guacamole/*'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
title: PwnDrp Access
id: 2b1ee7e4-89b6-4739-b7bb-b811b6607e5e
status: test
description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
references:
    - https://breakdev.org/pwndrop/
author: Florian Roth (Nextron Systems)
date: 2020-04-15
modified: 2021-11-27
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/pwndrop/'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
title: Qakbot Rundll32 Exports Execution
id: 339ed3d6-5490-46d0-96a7-8abe33078f58
status: test
description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems)
date: 2023-05-24
modified: 2023-05-30
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection_paths:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    selection_exports:
        CommandLine|endswith:
            # Note: Only add additional exports seen used by Qakbot
            - 'aslr' # https://tria.ge/230524-scgq9add9v/behavioral1#report
            - 'bind'
            - 'DrawThemeIcon'
            - 'GG10'
            - 'GL70'
            - 'jhbvygftr'
            - 'kjhbhkjvydrt'
            - 'LS88'
            - 'Motd'
            - 'N115'
            - 'next' # https://tria.ge/230530-n3rxpahf9w/behavioral2
            - 'Nikn'
            - 'print'
            - 'qqqb'
            - 'qqqq'
            - 'RS32'
            - 'Test'
            - 'Time'
            - 'Updt'
            - 'vips'
            - 'Wind'
            - 'WW50'
            - 'X555'
            - 'XL55'
            - 'xlAutoOpen'
            - 'XS88'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: critical
critical
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
title: Qakbot Rundll32 Fake DLL Extension Execution
id: bfd34392-c591-4009-b938-9fd985a28b85
status: test
description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
references:
    - https://github.com/pr0xylife/Qakbot/
author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-24
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            # Note: Only add processes seen used by Qakbot to avoid collision with other strains of malware
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            # Note: Only add paths seen used by Qakbot to avoid collision with other strains of malware
            - ':\ProgramData\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    filter_main_extension:
        CommandLine|contains: '.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: critical
critical
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
title: REvil Kaseya Incident Malware Patterns
id: 5de632bc-7fbd-4c8a-944a-fce55c59eae5
status: test
description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
references:
    - https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers
    - https://www.joesandbox.com/analysis/443736/0/html
    - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
    - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
    - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
author: Florian Roth (Nextron Systems)
date: 2021-07-03
modified: 2022-05-20
tags:
    - attack.execution
    - attack.t1059
    - attack.g0115
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'C:\Windows\cert.exe'
            - 'del /q /f c:\kworking\agent.crt'
            - 'Kaseya VSA Agent Hot-fix'
            - '\AppData\Local\Temp\MsMpEng.exe'
            - 'rmdir /s /q %SystemDrive%\inetpub\logs'
            - 'del /s /q /f %SystemDrive%\\*.log'
            - 'c:\kworking1\agent.exe'
            - 'c:\kworking1\agent.crt'
    selection2:
        Image:
            - 'C:\Windows\MsMpEng.exe'
            - 'C:\Windows\cert.exe'
            - 'C:\kworking\agent.exe'
            - 'C:\kworking1\agent.exe'
    selection3:
        CommandLine|contains|all:
            - 'del /s /q /f'
            - 'WebPages\Errors\webErrorLog.txt'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
critical
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN".
The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
RedSun creates the pipe as \\??\pipe\REDSUN.
The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
Presence of this pipe name indicates active or recent RedSun execution.
title: RedSun - Named Pipe Created
id: 9b4e7c2a-3f6d-4a8b-b5e9-1c7d3f2e6a4b
status: experimental
description: |
    Detects the creation of a named pipe with the hardcoded name "REDSUN".
    The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
    RedSun creates the pipe as \\??\pipe\REDSUN.
    The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
    Presence of this pipe name indicates active or recent RedSun execution.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.defense-impairment
    - attack.t1055
    - attack.t1685
    - detection.emerging-threats
logsource:
    category: pipe_created
    product: windows
detection:
    selection:
        PipeName: '\REDSUN'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/pipe_created_win_exploit_redsun_named_pipe/info.yml
critical
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
AV bypass/privilege escalation tool.
RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
\\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
title: RedSun - TieringEngineService.exe Detected as EICAR Test File
id: a7c3e5f2-8b1d-4e9a-b6c2-3d7f5e8a9b4c
status: experimental
description: |
    Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe
    dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
    This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based
    AV bypass/privilege escalation tool.
    RedSun works as follows:
    1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
    2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger
       a Defender scan and remediation attempt
    3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
    4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
    5. During the oplock break window, RedSun swaps the mount point (junction) to redirect
       \\?\C:\Windows\System32 to the attacker-controlled temp path
    6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L605
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-17
tags:
    - attack.stealth
    - attack.defense-impairment
    - attack.t1036.005
    - attack.t1685
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
logsource:
    product: windows
    service: windefend
detection:
    # EventID 1119: Microsoft Defender Antivirus has encountered an error trying to take action on malware or unwanted software
    # Path field from event: file:_C:\Users\<user>\AppData\Local\Temp\<n>\RS-{GUID}\TieringEngineService.exe
    # Threat name 'Virus:DOS/EICAR_Test_File' is expected - RedSun uses EICAR content to reliably trigger a Defender scan/remediation
    selection_eid:
        EventID: 1119
        SourceName: 'Real-Time Protection'
    selection_susp_path:
        Path|endswith: '\TieringEngineService.exe'
        ThreatName|endswith: 'EICAR_Test_File'
    selection_susp_process:
        ProcessName|endswith: '\RedSun.exe'
    condition: selection_eid and 1 of selection_susp_*
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/win_defender_exploit_redsun_tiering_engine_detected_as_eicar/info.yml
critical
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
making the combination of this path prefix and the TieringEngineService.exe filename a highly
specific indicator of RedSun activity.
title: RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
id: f2e4b7d9-5c3a-4f8b-9e1d-7a6c2b3f4e5d
status: experimental
description: |
    Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic
    of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
    RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
    The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage,
    making the combination of this path prefix and the TieringEngineService.exe filename a highly
    specific indicator of RedSun activity.
references:
    - https://github.com/Nightmare-Eclipse/RedSun/blob/7456cc8cf066f5e5fc6cdf7d3272a466ebd6b2f6/RedSun.cpp#L591
    - https://deadeclipse666.blogspot.com/2026/04/public-disclosure-response-for-cve-2026.html
author: Swachchhanda Shrawan Poudel (Nextron Systems), @unresolvedhost
date: 2026-04-17
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains|all:
            - '\Temp'
            - '\RS-{'
        TargetFilename|endswith: '\TieringEngineService.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/RedSun/file_event_win_exploit_redsun_indicators/info.yml
critical
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
title: Registry Entries For Azorult Malware
id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7
status: test
description: Detects the presence of a registry key created during Azorult execution
references:
    - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
author: Trent Liffick
date: 2020-05-08
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        EventID:
            - 12
            - 13
        TargetObject|contains: 'SYSTEM\'
        TargetObject|endswith: '\services\localNETService'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
title: Renamed Whoami Execution
id: f1086bf7-a0c4-4a37-9102-01e573caf4a0
status: test
description: Detects the execution of whoami that has been renamed to a different name to avoid detection
references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2021-08-12
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.t1033
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'whoami.exe'
    filter:
        Image|endswith: '\whoami.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
critical
Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
title: Rorschach Ransomware Execution Activity
id: 0e9e6c63-1350-48c4-9fa1-7ccb235edc68
status: test
description: Detects Rorschach ransomware execution activity
references:
    - https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
author: X__Junior (Nextron Systems)
date: 2023-04-04
modified: 2023-04-22
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\bcdedit.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netsh.exe'
            - '\wevtutil.exe'
            - '\vssadmin.exe'
        CommandLine|contains: '11111111'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
title: SNAKE Malware Kernel Driver File Indicator
id: d6d9d23f-69c1-41b5-8305-fa8250bd027f
status: test
description: Detects SNAKE malware kernel driver file indicator
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename: 'C:\Windows\System32\Com\Comadmin.dat'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
title: SNAKE Malware Service Persistence
id: b2e60816-96b2-45bd-ba91-b63578c03ef6
status: test
description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName|contains: 'WerFaultSvc' # Note: The report contains a "," in the name ("WerFaultSvc,"). Since we can't confirm if its a typo or not we don't use it
        ImagePath|startswith: 'C:\Windows\WinSxS\'
        ImagePath|endswith: '\WerFault.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
critical
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
title: Serv-U Exploitation CVE-2021-35211 by DEV-0322
id: 75578840-9526-4b2a-9462-af469a45e767
status: test
description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-12-18
tags:
    - attack.persistence
    - attack.t1136.001
    - cve.2021-35211
    - detection.emerging-threats
    # - threat_group.DEV-0322
logsource:
    category: process_creation
    product: windows
detection:
    selection_whoami:
        CommandLine|contains: 'whoami'
    selection_cmd_1:
        CommandLine|contains:
            - './Client/Common/'
            - '.\Client\Common\'
    selection_cmd_2:
        CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
    condition: selection_whoami and 1 of selection_cmd*
falsepositives:
    - Unlikely
level: critical
critical
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
title: Silence.EDA Detection
id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
status: test
description: Detects Silence EmpireDNSAgent as described in the Group-IB report
references:
    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
author: Alina Stepchenkova, Group-IB, oscd.community
date: 2019-11-01
modified: 2023-04-03
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command-and-control
    - attack.t1071.004
    - attack.t1572
    - attack.impact
    - attack.t1529
    - attack.g0091
    - attack.s0363
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    empire:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'System.Diagnostics.Process'
            - 'Stop-Computer'
            - 'Restart-Computer'
            - 'Exception in execution'
            - '$cmdargs'
            - 'Close-Dnscat2Tunnel'
    dnscat:
        # better to randomise the order
        ScriptBlockText|contains|all:
            - 'set type=$LookupType`nserver'
            - '$Command | nslookup 2>&1 | Out-String'
            - 'New-RandomDNSField'
            - '[Convert]::ToString($SYNOptions, 16)'
            - '$Session.Dead = $True'
            - '$Session["Driver"] -eq'
    condition: empire and dnscat
falsepositives:
    - Unknown
level: critical
critical
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
title: Small Sieve Malware Potential C2 Communication
id: b0422664-37a4-4e78-949a-4a139309eaf0
status: test
description: Detects potential C2 communication related to Small Sieve malware
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        cs-host: 'api.telegram.org'
        cs-uri|contains|all:
            - 'chat_id=2090761833'
            - 'text=com/'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
title: Solarwinds SUPERNOVA Webshell Access
id: a2cee20b-eacc-459f-861d-c02e5d12f1db
status: test
description: Detects access to SUPERNOVA webshell as described in Guidepoint report
references:
    - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
    - https://www.anquanke.com/post/id/226029
author: Florian Roth (Nextron Systems)
date: 2020-12-17
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains|all:
            - 'logoimagehandler.ashx'
            - 'clazz'
    selection2:
        cs-uri-query|contains: 'logoimagehandler.ashx'
        sc-status: 500
    condition: selection1 or selection2
falsepositives:
    - Unknown
level: critical
critical
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
critical
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
    condition: selection_registry
falsepositives:
    - Unlikely
level: critical
critical
Successful Exchange ProxyShell Attack
Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
title: Successful Exchange ProxyShell Attack
id: 992be1eb-e5da-437e-9a54-6d13b57bb4d8
status: test
description: Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
references:
    - https://youtu.be/5mqid-7zp8k?t=2231
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
author: Florian Roth (Nextron Systems), Rich Warren
date: 2021-08-09
modified: 2023-01-02
tags:
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_auto:
        cs-uri-query|contains: '/autodiscover.json'
    selection_uri:
        cs-uri-query|contains:
            - '/powershell'
            - '/mapi/nspi'
            - '/EWS'
            - 'X-Rps-CAT'
    selection_success:
        sc-status:
            - 200
            - 301
    condition: selection_auto and selection_uri and selection_success
falsepositives:
    - Unknown
level: critical
critical
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
title: Sudo Privilege Escalation CVE-2019-14287 - Builtin
id: 7fcc54cb-f27d-4684-84b7-436af096f858
related:
    - id: f74107df-b6c6-4e80-bf00-4170b658162b
      type: derived
status: test
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
author: Florian Roth (Nextron Systems)
date: 2019-10-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.t1068
    - attack.t1548.003
    - cve.2019-14287
    - detection.emerging-threats
logsource:
    product: linux
    service: sudo
detection:
    selection_user:
        USER:
            - '#-*'
            - '#*4294967295'
    condition: selection_user
falsepositives:
    - Unlikely
level: critical
critical
Suspicious Child Process Of Veeam Database
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
title: Suspicious Child Process Of Veeam Database
id: d55b793d-f847-4eea-b59a-5ab09908ac90
related:
    - id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
      type: similar
status: test
description: Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\sqlservr.exe'
        ParentCommandLine|contains: 'VEEAMSQL'
    selection_child_1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wsl.exe'
            - '\wt.exe'
        CommandLine|contains:
            - '-ex '
            - 'bypass'
            - 'cscript'
            - 'DownloadString'
            - 'http://'
            - 'https://'
            - 'mshta'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
            - 'copy '
    selection_child_2:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nltest.exe'
            - '\ping.exe'
            - '\tasklist.exe'
            - '\whoami.exe'
    condition: selection_parent and 1 of selection_child_*
level: critical