Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
Potential SNAKE Malware Installation CLI Arguments Indicator
Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
view Sigma YAML
title: Potential SNAKE Malware Installation CLI Arguments Indicator
id: 02cbc035-b390-49fe-a9ff-3bb402c826db
status: test
description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
# This CLI regex is based on the following description from the report:
# The jpsetup.exe installer requires two arguments to be passed via the command line for execution
# The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256
# The AES initialization vector (IV) consists of the first 16 bytes of the second argument to jpsetup.exe -> We assume that the second argument is of at least 16 bytes (16 characters)
CommandLine|re: '\s[a-fA-F0-9]{64}\s[a-fA-F0-9]{16}'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
view Sigma YAML
title: Potential SNAKE Malware Persistence Service Execution
id: f7536642-4a08-4dd9-b6d5-c3286d8975ed
status: test
description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
references:
- https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\services.exe'
Image|startswith: 'C:\Windows\WinSxS\'
Image|endswith: '\WerFault.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
view Sigma YAML
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1053.005
- attack.command-and-control
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_sshd:
CommandLine|contains|all:
- ' /create '
- 'sshd.exe'
- '-f'
selection_cli_ssh:
CommandLine|contains|all:
- ' /create '
- 'ssh.exe'
- '-i'
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Server Side Template Injection In Velocity
Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
view Sigma YAML
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: velocity
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'ParseErrorException'
- 'VelocityException'
- 'TemplateInitException'
condition: keywords
falsepositives:
- Application bugs
- Missing .vm files
level: high
Convert to SIEM query
high
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
view Sigma YAML
title: Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators
id: 7477881c-ec3b-49d6-aced-7255944e5c59
status: experimental
description: |
Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in Post-Exploitation activities.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
references:
- https://research.eye.security/sharepoint-under-siege/
- https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-21
tags:
- attack.initial-access
- attack.t1190
- cve.2025-53770
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
ParentImage|endswith: '\w3wp.exe'
selection_encoded_aspx:
- CommandLine|wide|base64offset|contains: 'spinstall0.aspx'
- CommandLine|base64|contains: 'spinstall0.aspx'
selection_encoded_path:
CommandLine|wide|base64offset|contains:
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS'
- ':\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
- ':\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
selection_ioc:
CommandLine|contains:
- '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
- 'TEMPLATE\LAYOUTS\spinstall0.aspx'
condition: (selection_img and 1 of selection_encoded_*) or selection_ioc
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Signing Bypass Via Windows Developer Features - Registry
Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
view Sigma YAML
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
- id: a383dec4-deec-4e6e-913b-ed9249670848
type: similar
status: test
description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- https://twitter.com/malmoeb/status/1560536653709598721
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
- '\Policies\Microsoft\Windows\Appx\'
TargetObject|endswith:
- '\AllowAllTrustedApps'
- '\AllowDevelopmentWithoutDevLicense'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential SmadHook.DLL Sideloading
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
view Sigma YAML
title: Potential SmadHook.DLL Sideloading
id: 24b6cf51-6122-469e-861a-22974e9c1e5b
status: test
description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
references:
- https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
- https://www.qurium.org/alerts/targeted-malware-against-crph/
author: X__Junior (Nextron Systems)
date: 2023-06-01
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\SmadHook32c.dll'
- '\SmadHook64c.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files (x86)\SMADAV\SmadavProtect64.exe'
- 'C:\Program Files\SMADAV\SmadavProtect32.exe'
- 'C:\Program Files\SMADAV\SmadavProtect64.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\SMADAV\'
- 'C:\Program Files\SMADAV\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
view Sigma YAML
title: Potential Snatch Ransomware Activity
id: 5325945e-f1f0-406e-97b8-65104d393fff
status: stable
description: Detects specific process characteristics of Snatch ransomware word document droppers
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
author: Florian Roth (Nextron Systems)
date: 2020-08-26
modified: 2025-10-19
tags:
- attack.execution
- attack.t1204
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
- CommandLine|re: 'net\s+stop SuperBackupMan'
condition: selection
falsepositives:
- Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
level: high
Convert to SIEM query
high
Potential SocGholish Second Stage C2 DNS Query
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
view Sigma YAML
title: Potential SocGholish Second Stage C2 DNS Query
id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
status: test
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
references:
- https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
- https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations
- https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
author: Dusty Miller
date: 2023-02-23
tags:
- attack.command-and-control
- attack.t1219.002
- detection.emerging-threats
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\wscript.exe'
QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+'
condition: selection
falsepositives:
- Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)
level: high
Convert to SIEM query
high
Potential SpEL Injection In Spring Framework
Detects potential SpEL Injection exploitation, which may lead to RCE.
view Sigma YAML
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
Convert to SIEM query
high
Potential Startup Shortcut Persistence Via PowerShell.EXE
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
view Sigma YAML
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: test
description: |
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
references:
- https://redcanary.com/blog/intelligence-insights-october-2021/
- https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
author: Christopher Peacock '@securepeacock', SCYTHE
date: 2021-10-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|contains: '\start menu\programs\startup\'
TargetFilename|endswith: '.lnk'
condition: selection
falsepositives:
- Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware.
level: high
Convert to SIEM query
high
Potential Suspicious BPF Activity - Linux
Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
view Sigma YAML
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
- https://redcanary.com/blog/ebpf-malware/
- https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
author: Red Canary (idea), Nasreddine Bencherchali
date: 2023-01-25
tags:
- attack.persistence
- attack.stealth
logsource:
product: linux
detection:
selection:
- 'bpf_probe_write_user'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Suspicious Child Process Of 3CXDesktopApp
Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
view Sigma YAML
title: Potential Suspicious Child Process Of 3CXDesktopApp
id: 63f3605b-979f-48c2-b7cc-7f90523fed88
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c # ProcCreation Exec
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
- https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
tags:
- attack.command-and-control
- attack.execution
- attack.stealth
- attack.t1218
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\3CXDesktopApp.exe'
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Suspicious Mofcomp Execution
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
view Sigma YAML
title: Potential Suspicious Mofcomp Execution
id: 1dd05363-104e-4b4a-b963-196a534b03a1
status: test
description: |
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF scripts
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
- https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-04-11
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mofcomp.exe'
- OriginalFileName: 'mofcomp.exe'
selection_case:
- ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wsl.exe'
- '\wscript.exe'
- '\cscript.exe'
- CommandLine|contains:
- '\AppData\Local\Temp'
- '\Users\Public\'
- '\WINDOWS\Temp\'
- '%temp%'
- '%tmp%'
- '%appdata%'
filter_main_wmiprvse:
ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
filter_optional_null_parent:
# Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
CommandLine|contains: 'C:\Windows\TEMP\'
CommandLine|endswith: '.mof'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
view Sigma YAML
title: Potential Suspicious Winget Package Installation
id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
status: test
description: Detects potential suspicious winget package installation from a suspicious source.
references:
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|startswith: '[ZoneTransfer] ZoneId=3'
Contents|contains:
# Note: Add any untrusted sources that are custom to your env
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
view Sigma YAML
title: Potential SysInternals ProcDump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'copy procdump'
- 'move procdump'
selection_2:
CommandLine|contains|all:
- 'copy '
- '.dmp '
CommandLine|contains:
- '2.dmp'
- 'lsass'
- 'out.dmp'
selection_3:
CommandLine|contains:
- 'copy lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
- 'move lsass.exe_' # procdump default pattern e.g. lsass.exe_220111_085234.dmp
condition: 1 of selection_*
falsepositives:
- False positives are expected in cases in which ProcDump just gets copied to a different directory without any renaming
level: high
Convert to SIEM query
high
Potential System DLL Sideloading From Non System Locations
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
view Sigma YAML
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: test
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there). Wietze Beukema (project and research)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
- https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-14
modified: 2025-12-03
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\aclui.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appvpolicy.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\batmeter.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\bderepair.dll'
- '\bootmenuux.dll'
- '\bootux.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certcli.dll'
- '\certenroll.dll'
- '\cfgmgr32.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\cmutil.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\configmanager2.dll'
- '\connect.dll'
- '\coredplus.dll'
- '\coremessaging.dll'
- '\coreuicomponents.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptsp.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\d3dx9_43.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcntel.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmcommandlineutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\dpx.dll'
- '\drprov.dll'
- '\drvstore.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsprop.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwmcore.dll'
- '\dwrite.dll'
- '\dxcore.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\dynamoapi.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edgeiso.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\fhsvcctl.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\framedynos.dll'
- '\fveapi.dll'
- '\fveskybackup.dll'
- '\fvewiz.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\fxsapi.dll'
- '\fxsst.dll'
- '\fxstiff.dll'
- '\getuname.dll'
- '\gpapi.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\icmp.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iernonce.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\ifsutil.dll'
- '\inproclogger.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\iumbase.dll'
- '\iumsdk.dll'
- '\joinutil.dll'
- '\kdstub.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\lockhostingframework.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\lrwizdll.dll'
- '\magnification.dll'
- '\maintenanceui.dll'
- '\mapistub.dll'
- '\mbaexmlparser.dll'
- '\mdmdiagnostics.dll'
- '\mfc42u.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\mintdh.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msdtctm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msiso.dll'
- '\msutb.dll'
- '\msvcp110_win.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netapi32.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netjoin.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netprovfw.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\nettrace.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\opcservices.dll'
- '\osbaseln.dll'
- '\osksupport.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pkeyhelper.dll'
- '\pla.dll'
- '\playsndsrv.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\powrprof.dll'
- '\printui.dll'
- '\prntvpt.dll'
- '\profapi.dll'
- '\propsys.dll'
- '\proximitycommon.dll'
- '\proximityservicepal.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasdlg.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\security.dll'
- '\sensapi.dll'
- '\shell32.dll'
- '\shfolder.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spectrumsyncclient.dll'
- '\spp.dll'
- '\sppc.dll'
- '\sppcext.dll'
- '\srclient.dll'
- '\srcore.dll'
- '\srmtrace.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\ssp.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\textshaping.dll'
- '\timesync.dll'
- '\tpmcoreprovisioning.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\umpdc.dll'
- '\unattend.dll'
- '\updatepolicy.dll'
- '\upshared.dll'
- '\urlmon.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\vdsutil.dll'
- '\version.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbio.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windows.ui.immersive.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winscard.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\winsync.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmpdui.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wscapi.dll'
- '\wsdapi.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wsmsvc.dll'
- '\wtsapi32.dll'
- '\wwancfg.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xpsservices.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
# From https://github.com/XForceIR/SideLoadHunter/blob/main/SideLoads/README.md
- '\amsi.dll'
- '\appraiser.dll'
- '\COMRES.DLL'
- '\cryptnet.dll'
- '\DispBroker.dll'
- '\dsound.dll'
- '\dxilconv.dll'
- '\FxsCompose.dll'
- '\FXSRESM.DLL'
- '\msdtcVSp1res.dll'
- '\PrintIsolationProxy.dll'
- '\rdpendp.dll'
- '\rpchttp.dll'
- '\storageusage.dll'
- '\utcutil.dll'
- '\WfsR.dll'
# The DLLs below exists in "C:\Windows\System32\DriverStore\FileRepository\" folder. But there is also a copy located in "C:\ProgramData\Package Cache\XXXXXXX\Graphics\". If you see them being loaded from there. Please comment them out, don't add a filter for ProgramData :)
- '\igd10iumd64.dll'
- '\igd12umd64.dll'
- '\igdumdim64.dll'
- '\igdusc64.dll'
# Other
- '\TSMSISrv.dll'
- '\TSVIPSrv.dll'
- '\wbemcomn.dll'
- '\WLBSCTRL.dll'
- '\wow64log.dll'
- '\WptsExtensions.dll'
filter_main_generic:
# Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
ImageLoaded|contains:
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SystemTemp\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\SyChpe32\' # “hybrid” binaries containing x86-to-ARM stubs to improve the x86 emulation performance
filter_main_windows_temp:
ImageLoaded|startswith: 'C:\Windows\Temp\'
Image|startswith:
- 'C:\Windows\WinSxS\arm64'
- 'C:\Windows\UUS\arm64\'
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
filter_main_dot_net:
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
ImageLoaded|endswith: '\cscui.dll'
filter_main_defender:
ImageLoaded|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
ImageLoaded|endswith: '\version.dll'
filter_main_directx:
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_'
ImageLoaded|endswith: '\d3dx9_43.dll'
filter_optional_exchange:
ImageLoaded|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
ImageLoaded|endswith: '\mswb7.dll'
filter_optional_arsenal_image_mounter:
ImageLoaded|startswith: 'C:\Program Files\Arsenal-Image-Mounter-'
ImageLoaded|endswith:
- '\mi.dll'
- '\miutils.dl'
filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
Image|contains:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: high
Convert to SIEM query
high
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
view Sigma YAML
title: Potential Tampering With RDP Related Registry Keys Via Reg.EXE
id: 0d5675be-bc88-4172-86d3-1e96a4476536
status: test
description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
- http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
- https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- https://blog.sekoia.io/darkgate-internals/
- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
- https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
- https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
- https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
date: 2022-02-12
modified: 2025-11-22
tags:
- attack.persistence
- attack.lateral-movement
- attack.defense-impairment
- attack.t1021.001
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection_main_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_main_cli:
CommandLine|contains|all:
- ' add '
- '\CurrentControlSet\Control\Terminal Server'
- 'REG_DWORD'
- ' /f'
selection_values_1:
CommandLine|contains|all:
- 'Licensing Core'
- 'EnableConcurrentSessions'
selection_values_2:
CommandLine|contains:
- 'AllowTSConnections'
- 'fDenyTSConnections'
- 'fEnableWinStation'
- 'fSingleSessionPerUser'
- 'IdleWinStationPoolCount'
- 'MaxInstanceCount'
- 'SecurityLayer'
- 'TSAdvertise'
- 'TSAppCompat'
- 'TSEnabled'
- 'TSUserEnabled'
- 'WinStations\RDP-Tcp'
filter_main_values_tls:
CommandLine|contains|all:
- 'SecurityLayer'
- '02' # TLS Enabled
condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
view Sigma YAML
title: Potential Tampering With Security Products Via WMIC
id: 847d5ff3-8a31-4737-a970-aeae8fe21765
related:
- id: b53317a0-8acf-4fd1-8de8-a5401e776b96 # Generic Uninstall
type: derived
status: test
description: Detects uninstallation or termination of security products using the WMIC utility
references:
- https://twitter.com/cglyer/status/1355171195654709249
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-01-30
modified: 2023-02-14
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_cli_1:
CommandLine|contains|all:
- 'wmic'
- 'product where '
- 'call'
- 'uninstall'
- '/nointeractive'
selection_cli_2:
CommandLine|contains|all:
- 'wmic'
- 'caption like '
CommandLine|contains:
- 'call delete'
- 'call terminate'
selection_cli_3:
CommandLine|contains|all:
- 'process '
- 'where '
- 'delete'
selection_product:
CommandLine|contains:
- '%carbon%'
- '%cylance%'
- '%endpoint%'
- '%eset%'
- '%malware%'
- '%Sophos%'
- '%symantec%'
- 'Antivirus'
- 'AVG '
- 'Carbon Black'
- 'CarbonBlack'
- 'Cb Defense Sensor 64-bit'
- 'Crowdstrike Sensor'
- 'Cylance '
- 'Dell Threat Defense'
- 'DLP Endpoint'
- 'Endpoint Detection'
- 'Endpoint Protection'
- 'Endpoint Security'
- 'Endpoint Sensor'
- 'ESET File Security'
- 'LogRhythm System Monitor Service'
- 'Malwarebytes'
- 'McAfee Agent'
- 'Microsoft Security Client'
- 'Sophos Anti-Virus'
- 'Sophos AutoUpdate'
- 'Sophos Credential Store'
- 'Sophos Management Console'
- 'Sophos Management Database'
- 'Sophos Management Server'
- 'Sophos Remote Management System'
- 'Sophos Update Manager'
- 'Threat Protection'
- 'VirusScan'
- 'Webroot SecureAnywhere'
- 'Windows Defender'
condition: 1 of selection_cli_* and selection_product
falsepositives:
- Legitimate administration
level: high
Convert to SIEM query
high
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
view Sigma YAML
title: Potential Ursnif Malware Activity - Registry
id: 21f17060-b282-4249-ade0-589ea3591558
status: test
description: Detects registry keys related to Ursnif malware.
references:
- https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
- https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
author: megan201296
date: 2019-02-13
modified: 2025-10-22
tags:
- attack.persistence
- attack.execution
- attack.defense-impairment
- attack.t1112
- detection.emerging-threats
logsource:
product: windows
category: registry_add
detection:
selection:
TargetObject|endswith: '\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-7C9D-AB0E-15700F2219A4'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Vcruntime140 DLL Sideloading
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
view Sigma YAML
title: Potential Vcruntime140 DLL Sideloading
id: d7a63acb-1284-49bc-bfea-7771146c8b1c
status: experimental
description: |
Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library.
Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc.
Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.
references:
- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties
- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
- https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-12
modified: 2026-05-18
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\vcruntime140.dll'
filter_main_legitimate_path:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
filter_main_legitimate_signer:
Signed: true
SignatureStatus: 'Valid'
Description|endswith: 'C Runtime Library'
filter_optional_onedrive:
Image|startswith: 'C:\Users\'
Image|contains: '\AppData\Local\Microsoft\OneDrive\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_side_load_vcruntime140/info.yml
Convert to SIEM query
high
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
view Sigma YAML
title: Potential Waveedit.DLL Sideloading
id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
status: test
description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
author: X__Junior (Nextron Systems)
date: 2023-06-14
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\waveedit.dll'
filter_main_legit_path:
Image:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe'
ImageLoaded|startswith:
- 'C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\'
- 'C:\Program Files\Nero\Nero Apps\Nero WaveEditor\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potential WerFault ReflectDebugger Registry Value Abuse
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
view Sigma YAML
title: Potential WerFault ReflectDebugger Registry Value Abuse
id: 0cf2e1c6-8d10-4273-8059-738778f981ad
related:
- id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
type: derived
status: test
description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
references:
- https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html
- https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
author: X__Junior
date: 2023-05-18
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
view Sigma YAML
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
- attack.execution
- attack.t1106
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
# - 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
# - 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_optional_mpcmdrun:
Image|endswith: '\MpCmdRun.exe'
CommandLine|contains: 'GetLoadLibraryWAddress32'
filter_optional_compatTelRunner:
ParentImage|endswith: '\CompatTelRunner.exe'
CommandLine|contains:
- 'FreeHGlobal'
- 'PtrToString'
- 'kernel32'
- 'CloseHandle'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high
Convert to SIEM query
high
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
view Sigma YAML
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
# Note: Add more suspicious combinations in the form of different selections
selection_injection:
ScriptBlockText|contains|all:
- 'VirtualAlloc'
- 'OpenProcess'
- 'WriteProcessMemory'
- 'CreateRemoteThread'
selection_token_steal:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'LookupPrivilegeValue'
- 'AdjustTokenPrivileges'
selection_duplicate_token:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'DuplicateTokenEx'
- 'CloseHandle'
selection_process_write_read:
ScriptBlockText|contains|all:
- 'WriteProcessMemory'
- 'VirtualAlloc'
- 'ReadProcessMemory'
- 'VirtualFree'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
view Sigma YAML
title: Potential Windows Defender AV Bypass Via Dump64.EXE Rename
id: 129966c9-de17-4334-a123-8b58172e664d
status: test
description: |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
references:
- https://twitter.com/mrd0x/status/1460597833917251595
author: Austin Songer @austinsonger, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-26
modified: 2024-06-21
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_dump:
Image|startswith: ':\Program Files'
Image|contains: '\Microsoft Visual Studio\'
Image|endswith: '\dump64.exe'
selection_tools_procdump:
- OriginalFileName: 'procdump'
- CommandLine|contains:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
condition: selection_dump and 1 of selection_tools_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
view Sigma YAML
title: Potential Windows Defender Tampering Via Wmic.EXE
id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
status: test
description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
references:
- https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
- https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
- https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
author: frack113
date: 2022-12-11
modified: 2023-02-14
tags:
- attack.execution
- attack.defense-impairment
- attack.t1047
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection_img:
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_cli:
CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
view Sigma YAML
title: Potential Winnti Dropper Activity
id: 130c9e58-28ac-4f83-8574-0a4cc913b97e
status: test
description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
references:
- https://redmimicry.com/posts/redmimicry-winnti/#dropper
author: Alexander Rausch
date: 2020-06-24
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\gthread-3.6.dll'
- '\sigcmm-2.4.dll'
- '\Windows\Temp\tmp.bat'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
view Sigma YAML
title: Potential WizardUpdate Malware Infection
id: f68c4a4f-19ef-4817-952c-50dce331f4b0
status: test
description: Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
references:
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97
- https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
- https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
- attack.command-and-control
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/sh'
CommandLine|contains|all:
- '=$(curl '
- 'eval'
selection_2:
Image|endswith: '/curl'
CommandLine|contains: '_intermediate_agent_'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
view Sigma YAML
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
- https://rules.sonarsource.com/java/RSPEC-2755
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: jvm
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'SAXParseException'
- 'DOMException'
condition: keywords
falsepositives:
- If the application expects to work with XML there may be parsing issues that don't necessarily mean XXE.
level: high
Convert to SIEM query
high
Potential Zerologon (CVE-2020-1472) Exploitation
Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
view Sigma YAML
title: Potential Zerologon (CVE-2020-1472) Exploitation
id: dd7876d8-0f09-11eb-adc1-0242ac120002
status: test
description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
references:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
- https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
date: 2020-10-15
modified: 2023-12-15
tags:
- attack.privilege-escalation
- attack.t1068
- cve.2020-1472
logsource:
product: windows
service: security
detection:
selection:
EventID: 4742
SubjectUserName: 'ANONYMOUS LOGON'
TargetUserName|expand: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
filter_main:
PasswordLastSet: '-'
condition: selection and not filter_main
falsepositives:
- Automatic DC computer account password change
- Legitimate DC computer account password change
level: high
Convert to SIEM query
high
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
view Sigma YAML
title: Potential appverifUI.DLL Sideloading
id: ee6cea48-c5b6-4304-a332-10fc6446f484
status: test
description: Detects potential DLL sideloading of "appverifUI.dll"
references:
- https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
author: X__Junior (Nextron Systems)
date: 2023-06-20
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\appverifUI.dll'
filter_main_legit_path:
Image:
- 'C:\Windows\SysWOW64\appverif.exe'
- 'C:\Windows\System32\appverif.exe'
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
view Sigma YAML
title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
related:
- id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
type: similar
- id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
type: similar
- id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
type: similar
status: test
description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
- https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
modified: 2025-02-24
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- ':\Windows\Microsoft.NET\Framework\'
- ':\Windows\Microsoft.NET\Framework64\'
- ':\Windows\Microsoft.NET\FrameworkArm\'
- ':\Windows\Microsoft.NET\FrameworkArm64\'
Image|endswith: '\aspnet_compiler.exe'
CommandLine|contains:
# Note: add other potential suspicious paths
- '\Users\Public\'
- '\AppData\Local\Temp\'
- '\AppData\Local\Roaming\'
- ':\Temp\'
- ':\Windows\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
view Sigma YAML
title: Potentially Suspicious Call To Win32_NTEventlogFile Class
id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
- id: e2812b49-bae0-4b21-b366-7c142eafcde2
type: similar
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-13
tags:
- attack.defense-impairment
logsource:
category: process_creation
product: windows
detection:
selection_class:
CommandLine|contains: 'Win32_NTEventlogFile'
selection_function:
CommandLine|contains:
- '.BackupEventlog('
- '.ChangeSecurityPermissions('
- '.ChangeSecurityPermissionsEx('
- '.ClearEventLog('
- '.Delete('
- '.DeleteEx('
- '.Rename('
- '.TakeOwnerShip('
- '.TakeOwnerShipEx('
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
view Sigma YAML
title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
- id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
type: obsolete
status: test
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
- https://redcanary.com/blog/intelligence-insights-april-2022/
- https://www.echotrail.io/insights/search/regsvr32.exe
- https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-05
modified: 2023-05-26
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\regsvr32.exe'
Image|endswith:
- '\calc.exe'
- '\cscript.exe'
- '\explorer.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\nltest.exe'
- '\notepad.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- '\schtasks.exe'
- '\werfault.exe'
- '\wscript.exe'
filter_main_werfault:
Image|endswith: '\werfault.exe'
CommandLine|contains: ' -u -p '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high
Convert to SIEM query
high
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
view Sigma YAML
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
- id: 7dc2dedd-7603-461a-bc13-15803d132355
type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.stealth
- attack.t1202
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\conhost.exe'
selection_child:
- Image|endswith:
- '\cmd.exe' # Windows Command Prompt
- '\cscript.exe' # Windows Script Host (used for scripting exploits)
- '\mshta.exe' # MSHTA (HTML Application Host, often abused)
- '\powershell_ise.exe' # PowerShell ISE
- '\powershell.exe' # Windows PowerShell
- '\pwsh.exe' # PowerShell Core
- '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
- '\wscript.exe' # Windows Script Host (for executing scripts)
- OriginalFileName:
- 'cmd.exe'
- 'cscript.exe'
- 'mshta.exe'
- 'powershell_ise.exe'
- 'powershell.exe'
- 'pwsh.dll'
- 'regsvr32.exe'
- 'wscript.exe'
condition: all of selection_*
falsepositives:
- Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
Convert to SIEM query
high
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
view Sigma YAML
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
selection_key:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_powershell_command:
Details|contains:
- 'powershell'
- 'pwsh'
selection_powershell_susp_keywords:
Details|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- 'ftp'
- 'Hidden'
- 'http'
- 'iex'
- 'Invoke-'
selection_wmic_command:
Details|contains: 'wmic'
selection_wmic_susp_keywords:
Details|contains:
- 'shadowcopy'
- 'process call create'
condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
view Sigma YAML
title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
related:
- id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
type: derived
status: test
description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: The "/A" flag is not required to call a specific action
CommandLine|contains: 'REGSVR '
filter_main_dll_ext:
CommandLine|contains: '.dll'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
view Sigma YAML
title: Potentially Suspicious Event Viewer Child Process
id: be344333-921d-4c4d-8bb8-e584cf584780
related:
- id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
type: derived
status: test
description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\eventvwr.exe'
filter_main_generic:
Image|endswith:
- ':\Windows\System32\mmc.exe'
- ':\Windows\System32\WerFault.exe'
- ':\Windows\SysWOW64\WerFault.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
view Sigma YAML
title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
- attack.execution
- attack.stealth
- attack.t1564
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: ':\Users\Public\'
selection_child:
- Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'cscript'
- 'mshta'
- 'powershell'
- 'regsvr32'
- 'rundll32'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
view Sigma YAML
title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
id: b6e04788-29e1-4557-bb14-77f761848ab8
status: test
description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_websites:
CommandLine|contains:
# Note: You might want to baseline the github domain before including it
# - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea).
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
# - 'github.com' See note above
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_download:
CommandLine|contains:
- '.DownloadString('
- '.DownloadFile('
- 'Invoke-WebRequest '
- 'iwr '
- 'wget '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
view Sigma YAML
title: Potentially Suspicious File Download From ZIP TLD
id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
status: test
description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
references:
- https://twitter.com/cyb3rops/status/1659175181695287297
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
author: Florian Roth (Nextron Systems)
date: 2023-05-18
tags:
- attack.stealth
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|contains: '.zip/'
TargetFilename|contains:
- '.bat:Zone'
- '.dat:Zone'
- '.dll:Zone'
- '.doc:Zone'
- '.docm:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.pptm:Zone'
- '.ps1:Zone'
- '.rar:Zone'
- '.rtf:Zone'
- '.sct:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.ws:Zone'
- '.wsf:Zone'
- '.xll:Zone'
- '.xls:Zone'
- '.xlsm:Zone'
- '.zip:Zone'
condition: selection
falsepositives:
- Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
level: high
Convert to SIEM query
high
Potentially Suspicious GoogleUpdate Child Process
Detects potentially suspicious child processes of "GoogleUpdate.exe"
view Sigma YAML
title: Potentially Suspicious GoogleUpdate Child Process
id: 84b1ecf9-6eff-4004-bafb-bae5c0e251b2
related:
- id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
type: derived
status: test
description: Detects potentially suspicious child processes of "GoogleUpdate.exe"
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-05-22
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\GoogleUpdate.exe'
filter_main_known_legit:
# Some other legit child process might exist. It's better to make a baseline before running this in production
- Image|contains: '\Google' # Example: GoogleUpdate.exe, GoogleCrashHandler.exe, GoogleUpdateComRegisterShell64.exe
- Image|endswith:
- '\setup.exe'
- 'chrome_updater.exe'
- 'chrome_installer.exe'
filter_main_image_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Malware Callback Communication
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
view Sigma YAML
title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
- id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
type: similar
status: test
description: |
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
- attack.persistence
- attack.command-and-control
- attack.t1571
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationPort:
- 100
- 198
- 200
- 243
- 473
- 666
- 700
- 743
- 777
- 1443
- 1515
- 1777
- 1817
- 1904
- 1960
- 2443
- 2448
- 3360
- 3675
- 3939
- 4040
- 4433
- 4438
- 4443
- 4444
- 4455
- 5445
- 5552
- 5649
- 6625
- 7210
- 7777
- 8143
- 8843
- 9631
- 9943
- 10101
- 12102
- 12103
- 12322
- 13145
- 13394
- 13504
- 13505
- 13506
- 13507
- 14102
- 14103
- 14154
- 49180
- 65520
- 65535
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
filter_optional_sys_directories:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Malware Callback Communication - Linux
Detects programs that connect to known malware callback ports based on threat intelligence reports.
view Sigma YAML
title: Potentially Suspicious Malware Callback Communication - Linux
id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
related:
- id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
type: derived
status: test
description: |
Detects programs that connect to known malware callback ports based on threat intelligence reports.
references:
- https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
- https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
- https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
author: hasselj
date: 2024-05-10
tags:
- attack.persistence
- attack.command-and-control
- attack.t1571
logsource:
category: network_connection
product: linux
detection:
selection:
Initiated: 'true'
DestinationPort:
- 888
- 999
- 2200
- 2222
- 4000
- 4444
- 6789
- 8531
- 50501
- 51820
filter_main_local_ranges:
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious ODBC Driver Registered
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
view Sigma YAML
title: Potentially Suspicious ODBC Driver Registered
id: e4d22291-f3d5-4b78-9a0c-a1fbaf32a6a4
status: test
description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
references:
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
modified: 2023-08-17
tags:
- attack.credential-access
- attack.persistence
- attack.t1003
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\ODBC\ODBCINST.INI\'
TargetObject|endswith:
- '\Driver'
- '\Setup'
Details|contains:
- ':\PerfLogs\'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Registration\CRMLog'
- ':\Windows\System32\com\dmp\'
- ':\Windows\System32\FxsTmp\'
- ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
- ':\Windows\System32\spool\drivers\color\'
- ':\Windows\System32\spool\PRINTERS\'
- ':\Windows\System32\spool\SERVERS\'
- ':\Windows\System32\Tasks_Migrated\'
- ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\SysWOW64\com\dmp\'
- ':\Windows\SysWOW64\FxsTmp\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
- ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- ':\Windows\Tracing\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
view Sigma YAML
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
references:
- Internal Research
- https://twitter.com/Max_Mal_/status/1633863678909874176
- https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
- https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_parent:
# Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
ParentImage|endswith:
- '\explorer.exe'
- '\dopus.exe'
selection_img:
- Image|endswith:
- '\EXCEL.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- OriginalFileName:
- 'Excel.exe'
- 'POWERPNT.EXE'
- 'WinWord.exe'
selection_trusted_location:
CommandLine|contains:
# Note: these are the default locations. Admins/Users could add additional ones that you need to cover
- '\AppData\Roaming\Microsoft\Templates'
- '\AppData\Roaming\Microsoft\Word\Startup\'
- '\Microsoft Office\root\Templates\'
- '\Microsoft Office\Templates\'
filter_main_dotx:
# Note: We add this filter to avoid curious people clicking on template files
CommandLine|endswith:
- '.dotx'
- '.xltx'
- '.potx'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Potentially Suspicious Regsvr32 HTTP IP Pattern
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
view Sigma YAML
title: Potentially Suspicious Regsvr32 HTTP IP Pattern
id: 2dd2c217-bf68-437a-b57c-fe9fd01d5de8
status: test
description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
references:
- https://twitter.com/mrd0x/status/1461041276514623491
- https://twitter.com/tccontre18/status/1480950986650832903
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2023-05-24
tags:
- attack.stealth
- attack.t1218.010
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regsvr32.exe'
- OriginalFileName: 'REGSVR32.EXE'
selection_ip:
CommandLine|contains:
- ' /i:http://1'
- ' /i:http://2'
- ' /i:http://3'
- ' /i:http://4'
- ' /i:http://5'
- ' /i:http://6'
- ' /i:http://7'
- ' /i:http://8'
- ' /i:http://9'
- ' /i:https://1'
- ' /i:https://2'
- ' /i:https://3'
- ' /i:https://4'
- ' /i:https://5'
- ' /i:https://6'
- ' /i:https://7'
- ' /i:https://8'
- ' /i:https://9'
- ' -i:http://1'
- ' -i:http://2'
- ' -i:http://3'
- ' -i:http://4'
- ' -i:http://5'
- ' -i:http://6'
- ' -i:http://7'
- ' -i:http://8'
- ' -i:http://9'
- ' -i:https://1'
- ' -i:https://2'
- ' -i:https://3'
- ' -i:https://4'
- ' -i:https://5'
- ' -i:https://6'
- ' -i:https://7'
- ' -i:https://8'
- ' -i:https://9'
condition: all of selection_*
falsepositives:
- FQDNs that start with a number such as "7-Zip"
level: high
Convert to SIEM query
high
PowerShell ADRecon Execution
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
view Sigma YAML
title: PowerShell ADRecon Execution
id: bf72941a-cba0-41ea-b18c-9aca3925690d
status: test
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
references:
- https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
author: Bhabesh Raj
date: 2021-07-16
modified: 2022-09-06
tags:
- attack.discovery
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Function Get-ADRExcelComOb'
- 'Get-ADRGPO'
- 'Get-ADRDomainController'
- 'ADRecon-Report.xlsx' # Default
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1001-1050 of 1,715