Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
◈
Detection rules
50 shown of 1,715
high
Remote Access Tool - Renamed MeshAgent Execution - Windows
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
view Sigma YAML
title: Remote Access Tool - Renamed MeshAgent Execution - Windows
id: b471f462-eb0d-4832-be35-28d94bdb4780
related:
- id: bd3b5eaa-439d-4a42-8f35-a49f5c8a2582
type: similar
- id: 2fbbe9ff-0afc-470b-bdc0-592198339968
type: derived
status: experimental
description: |
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent.
RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management.
However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
references:
- https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
- https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
- https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
- attack.command-and-control
- attack.stealth
- attack.t1219.002
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_meshagent:
- CommandLine|contains: '--meshServiceName'
- OriginalFileName|contains: 'meshagent'
filter_main_legitimate:
Image|endswith: '\meshagent.exe'
condition: selection_meshagent and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
view Sigma YAML
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\csc.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
view Sigma YAML
title: Remote AppX Package Downloaded from File Sharing or CDN Domain
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: test
description: |
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
references:
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-10
tags:
- attack.stealth
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 854
Path|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: selection
falsepositives:
- Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.
level: high
Convert to SIEM query
high
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
view Sigma YAML
title: Remote CHM File Download/Execution Via HH.EXE
id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
status: test
description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
- https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-29
modified: 2024-01-31
tags:
- attack.stealth
- attack.t1218.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
- '\\\\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote DCOM/WMI Lateral Movement
Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
view Sigma YAML
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.003
- attack.t1047
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
- 99fcfec4-5260-101b-bbcb-00aa0021347a
- 000001a0-0000-0000-c000-000000000046
- 00000131-0000-0000-c000-000000000046
- 00000143-0000-0000-c000-000000000046
- 00000000-0000-0000-c000-000000000046
condition: selection
falsepositives:
- Some administrative tasks on remote host
level: high
Convert to SIEM query
high
Remote Encrypting File System Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
view Sigma YAML
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:df1941c5-fe89-4e79-bf10-463657acf44d or c681d488-d850-11d0-8c52-00c04fd90f7e'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- df1941c5-fe89-4e79-bf10-463657acf44d
- c681d488-d850-11d0-8c52-00c04fd90f7e
condition: selection
falsepositives:
- Legitimate usage of remote file encryption
level: high
Convert to SIEM query
high
Remote Event Log Recon
Detects remote RPC calls to get event log information via EVEN or EVEN6
view Sigma YAML
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
status: test
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:82273fdc-e32a-18c3-3f78-827929dc23ea and uuid:f6beaff7-1e19-4fbb-9f8f-b89e2018337c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- 82273fdc-e32a-18c3-3f78-827929dc23ea
- f6beaff7-1e19-4fbb-9f8f-b89e2018337c
condition: selection
falsepositives:
- Remote administrative tasks on Windows Events
level: high
Convert to SIEM query
high
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
view Sigma YAML
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
filter_main_access:
GrantedAccess: '0x80000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
view Sigma YAML
title: Remote PowerShell Session (PS Module)
id: 96b9f619-aa91-478f-bacb-c3e50f8df575
status: test
description: Detects remote PowerShell sessions
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-08-10
modified: 2023-01-20
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
ContextInfo|contains|all:
- ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte =
- 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte =
filter_pwsh_archive:
ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate use remote PowerShell sessions
level: high
Convert to SIEM query
high
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
view Sigma YAML
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
- Legitimate use of remote PowerShell execution
level: high
Convert to SIEM query
high
Remote Printing Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
view Sigma YAML
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
status: test
description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:12345678-1234-abcd-ef00-0123456789ab or 76f03f96-cdfd-44fc-a22c-64950a001209 or ae33069b-a2a8-46ee-a235-ddfd339be281 or 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid:
- 12345678-1234-abcd-ef00-0123456789ab
- 76f03f96-cdfd-44fc-a22c-64950a001209
- 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1
- ae33069b-a2a8-46ee-a235-ddfd339be281
condition: selection
falsepositives:
- Actual printing
level: high
Convert to SIEM query
high
Remote Registry Lateral Movement
Detects remote RPC calls to modify the registry and possible execute code
view Sigma YAML
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
description: Detects remote RPC calls to modify the registry and possible execute code
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.defense-impairment
- attack.t1112
- attack.persistence
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
OpNum:
- 6
- 7
- 8
- 13
- 18
- 19
- 21
- 22
- 23
- 35
condition: selection
falsepositives:
- Remote administration of registry values
level: high
Convert to SIEM query
high
Remote Registry Recon
Detects remote RPC calls to collect information
view Sigma YAML
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
status: test
description: Detects remote RPC calls to collect information
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:338cd001-2244-31f1-aaaa-900038001003"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 338cd001-2244-31f1-aaaa-900038001003
filter:
OpNum:
- 6
- 7
- 8
- 13
- 18
- 19
- 21
- 22
- 23
- 35
condition: selection and not filter
falsepositives:
- Remote administration of registry values
level: high
Convert to SIEM query
high
Remote Schedule Task Lateral Movement via ATSvc
Detects remote RPC calls to create or execute a scheduled task via ATSvc
view Sigma YAML
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Schedule Task Lateral Movement via ITaskSchedulerService
Detects remote RPC calls to create or execute a scheduled task
view Sigma YAML
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.lateral-movement
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Schedule Task Lateral Movement via SASec
Detects remote RPC calls to create or execute a scheduled task via SASec
view Sigma YAML
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.privilege-escalation
- attack.lateral-movement
- attack.execution
- attack.persistence
- attack.t1053
- attack.t1053.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:378e52b0-c0a9-11cf-822d-00aa0051e40f"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 378e52b0-c0a9-11cf-822d-00aa0051e40f
OpNum:
- 0
- 1
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Schedule Task Recon via AtScv
Detects remote RPC calls to read information about scheduled tasks via AtScv
view Sigma YAML
title: Remote Schedule Task Recon via AtScv
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
status: test
description: Detects remote RPC calls to read information about scheduled tasks via AtScv
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/zeronetworks/rpcfirewall
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:1ff70682-0a51-30e8-076d-740be8cee98b"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 1ff70682-0a51-30e8-076d-740be8cee98b
filter:
OpNum:
- 0
- 1
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Schedule Task Recon via ITaskSchedulerService
Detects remote RPC calls to read information about scheduled tasks
view Sigma YAML
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
status: test
description: Detects remote RPC calls to read information about scheduled tasks
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:86d35949-83c9-4044-b424-db363231fd0c"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 86d35949-83c9-4044-b424-db363231fd0c
filter:
OpNum:
- 1
- 3
- 4
- 10
- 11
- 12
- 13
- 14
- 15
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Server Service Abuse
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
view Sigma YAML
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:4b324fc8-1670-01d3-1278-5a47bf6ee188'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 4b324fc8-1670-01d3-1278-5a47bf6ee188
condition: selection
falsepositives:
- Legitimate remote share creation
level: high
Convert to SIEM query
high
Remote Server Service Abuse for Lateral Movement
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
view Sigma YAML
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.lateral-movement
- attack.execution
- attack.t1569.002
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
condition: selection
falsepositives:
- Administrative tasks on remote services
level: high
Convert to SIEM query
high
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
view Sigma YAML
title: Remote Thread Created In KeePass.EXE
id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
status: test
description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
references:
- https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
- https://github.com/denandz/KeeFarce
- https://github.com/GhostPack/KeeThief
author: Timon Hackenjos
date: 2022-04-22
modified: 2023-05-05
tags:
- attack.credential-access
- attack.t1555.005
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\KeePass.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
view Sigma YAML
title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: test
description: |
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
references:
- https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-28
modified: 2024-01-22
tags:
- attack.credential-access
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\mstsc.exe'
SourceImage|contains:
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\PerfLogs\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote Thread Creation Ttdinject.exe Proxy
Detects a remote thread creation of Ttdinject.exe used as proxy
view Sigma YAML
title: Remote Thread Creation Ttdinject.exe Proxy
id: c15e99a3-c474-48ab-b9a7-84549a7a9d16
status: test
description: Detects a remote thread creation of Ttdinject.exe used as proxy
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
author: frack113
date: 2022-05-16
modified: 2022-06-02
tags:
- attack.execution
- attack.stealth
- attack.t1127
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith: '\ttdinject.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remote XSL Execution Via Msxsl.EXE
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
view Sigma YAML
title: Remote XSL Execution Via Msxsl.EXE
id: 75d0a94e-6252-448d-a7be-d953dff527bb
status: test
description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
- attack.stealth
- attack.t1220
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\msxsl.exe'
CommandLine|contains: 'http'
condition: selection
falsepositives:
- Msxsl is not installed by default and is deprecated, so unlikely on most systems.
level: high
Convert to SIEM query
high
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
view Sigma YAML
title: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
related:
- id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
type: similar
- id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
type: similar
- id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
type: similar
status: test
description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113
date: 2021-07-13
modified: 2023-05-09
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Invoke-ATHRemoteFXvGPUDisablementCommand'
- 'Invoke-ATHRemoteFXvGPUDisableme'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Remotely Hosted HTA File Executed Via Mshta.EXE
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
view Sigma YAML
title: Remotely Hosted HTA File Executed Via Mshta.EXE
id: b98d0db6-511d-45de-ad02-e82a98729620
status: test
description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
references:
- https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-08
modified: 2023-02-06
tags:
- attack.execution
- attack.stealth
- attack.t1218.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\mshta.exe'
- OriginalFileName: 'MSHTA.EXE'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
- 'ftp://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Removal Of AMSI Provider Registry Keys
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
view Sigma YAML
title: Removal Of AMSI Provider Registry Keys
id: 41d1058a-aea7-4952-9293-29eaaf516465
status: test
description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://seclists.org/fulldisclosure/2020/Mar/45
author: frack113
date: 2021-06-07
modified: 2025-10-07
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_delete
detection:
selection:
TargetObject|endswith:
- '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus
- '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll
filter_main_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- 'C:\Program Files\Windows Defender\'
- 'C:\Program Files (x86)\Windows Defender\'
Image|endswith: '\MsMpEng.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key/info.yml
simulation:
- type: atomic-red-team
name: AMSI Bypass - Remove AMSI Provider Reg Key
technique: T1562.001
atomic_guid: 13f09b91-c953-438e-845b-b585e51cac9b
Convert to SIEM query
high
Remove Exported Mailbox from Exchange Webserver
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
view Sigma YAML
title: Remove Exported Mailbox from Exchange Webserver
id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
status: test
description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
references:
- https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
author: Christian Burkard (Nextron Systems)
date: 2021-08-27
modified: 2023-01-23
tags:
- attack.stealth
- attack.t1070
logsource:
service: msexchange-management
product: windows
detection:
keywords:
'|all':
- 'Remove-MailboxExportRequest'
- ' -Identity '
- ' -Confirm "False"'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed AdFind Execution
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
view Sigma YAML
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- ' dclist '
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
Image|endswith: '\AdFind.exe'
condition: 1 of selection* and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
Convert to SIEM query
high
Renamed AutoIt Execution
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
view Sigma YAML
title: Renamed AutoIt Execution
id: f4264e47-f522-4c38-a420-04525d5b880f
status: test
description: |
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
references:
- https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w
- https://www.autoitscript.com/site/
author: Florian Roth (Nextron Systems)
date: 2023-06-04
modified: 2024-11-23
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- ' /AutoIt3ExecuteScript'
- ' /ErrorStdOut'
selection_2:
Hashes|contains:
- 'IMPHASH=FDC554B3A8683918D731685855683DDF' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=CD30A61B60B3D60CECDB034C8C83C290' # AutoIt v2 - doesn't cover all binaries
- 'IMPHASH=F8A00C72F2D667D2EDBB234D0C0AE000' # AutoIt v3 - doesn't cover all binaries
selection_3:
OriginalFileName:
- 'AutoIt3.exe'
- 'AutoIt2.exe'
- 'AutoIt.exe'
filter_main_legit_name:
Image|endswith:
- '\AutoIt.exe'
- '\AutoIt2.exe'
- '\AutoIt3_x64.exe'
- '\AutoIt3.exe'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed BrowserCore.EXE Execution
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
view Sigma YAML
title: Renamed BrowserCore.EXE Execution
id: 8a4519e8-e64a-40b6-ae85-ba8ad2177559
status: test
description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
references:
- https://twitter.com/mariuszbit/status/1531631015139102720
author: Max Altgelt (Nextron Systems)
date: 2022-06-02
modified: 2023-02-03
tags:
- attack.credential-access
- attack.stealth
- attack.t1528
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: BrowserCore.exe
filter_realbrowsercore:
Image|endswith: '\BrowserCore.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
view Sigma YAML
title: Renamed Cloudflared.EXE Execution
id: e0c69ebd-b54f-4aed-8ae3-e3467843f3f0
status: test
description: Detects the execution of a renamed "cloudflared" binary.
references:
- https://github.com/cloudflare/cloudflared/releases
- https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
- https://github.com/cloudflare/cloudflared
- https://www.intrinsec.com/akira_ransomware/
- https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
tags:
- attack.command-and-control
- attack.t1090.001
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
logsource:
category: process_creation
product: windows
detection:
selection_cleanup:
CommandLine|contains|all:
- ' tunnel '
- 'cleanup '
CommandLine|contains:
- '-config '
- '-connector-id '
selection_tunnel:
CommandLine|contains|all:
- ' tunnel '
- ' run '
CommandLine|contains:
- '-config '
- '-credentials-contents '
- '-credentials-file '
- '-token '
selection_accountless:
CommandLine|contains|all:
- '-url'
- 'tunnel'
selection_hashes:
Hashes|contains:
- 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
- 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
- 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
- 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
- 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
- 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
- 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
- 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
- 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
- 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
- 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
- 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
- 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
- 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
- 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
- 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
- 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
- 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
- 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
- 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
- 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
- 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
- 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
- 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
- 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
- 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
- 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
- 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
- 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
- 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
- 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
- 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
- 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
- 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
- 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
- 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
- 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
- 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
filter_main_known_names:
Image|endswith:
- '\cloudflared.exe'
- '\cloudflared-windows-386.exe'
- '\cloudflared-windows-amd64.exe'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed CreateDump Utility Execution
Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
view Sigma YAML
title: Renamed CreateDump Utility Execution
id: 1a1ed54a-2ba4-4221-94d5-01dee560d71e
related:
- id: 515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48
type: similar
status: test
description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
references:
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
- https://twitter.com/bopin2020/status/1366400799199272960
author: Florian Roth (Nextron Systems)
date: 2022-09-20
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection_pe:
OriginalFileName: 'FX_VER_INTERNALNAME_STR'
selection_cli:
- CommandLine|contains|all:
- ' -u ' # Short version of '--full'
- ' -f ' # Short version of '--name'
- '.dmp'
- CommandLine|contains|all:
- ' --full ' # Short version of '--full'
- ' --name ' # Short version of '--name'
- '.dmp'
filter:
Image|endswith: '\createdump.exe'
condition: 1 of selection_* and not filter
falsepositives:
- Command lines that use the same flags
level: high
Convert to SIEM query
high
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
view Sigma YAML
title: Renamed Gpg.EXE Execution
id: ec0722a3-eb5c-4a56-8ab2-bf6f20708592
status: test
description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
references:
- https://securelist.com/locked-out/68960/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-08-09
tags:
- attack.impact
- attack.t1486
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'gpg.exe'
filter_main_img:
Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
condition: selection and not 1 of filter_main_*
level: high
Convert to SIEM query
high
Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
view Sigma YAML
title: Renamed Jusched.EXE Execution
id: edd8a48c-1b9f-4ba1-83aa-490338cd1ccb
status: test
description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
references:
- https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
author: Markus Neis, Swisscom
date: 2019-06-04
modified: 2023-02-03
tags:
- attack.execution
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
Description:
- Java Update Scheduler
- Java(TM) Update Scheduler
filter:
Image|endswith: '\jusched.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
view Sigma YAML
title: Renamed Mavinject.EXE Execution
id: e6474a1b-5390-49cd-ab41-8d88655f7394
status: test
description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
- https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
- https://github.com/SigmaHQ/sigma/issues/3742
- https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2022-12-05
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
- attack.t1218.013
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName:
- 'mavinject32.exe'
- 'mavinject64.exe'
filter:
Image|endswith:
- '\mavinject32.exe'
- '\mavinject64.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
view Sigma YAML
title: Renamed MegaSync Execution
id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b
status: test
description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
references:
- https://redcanary.com/blog/rclone-mega-extortion/
author: Sittikorn S
date: 2021-06-22
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1218
logsource:
product: windows
category: process_creation
detection:
selection:
OriginalFileName: 'megasync.exe'
filter:
Image|endswith: '\megasync.exe'
condition: selection and not filter
falsepositives:
- Software that illegally integrates MegaSync in a renamed form
- Administrators that have renamed MegaSync
level: high
Convert to SIEM query
high
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary
view Sigma YAML
title: Renamed Msdt.EXE Execution
id: bd1c6866-65fc-44b2-be51-5588fcff82b9
status: test
description: Detects the execution of a renamed "Msdt.exe" binary
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: pH-T (Nextron Systems)
date: 2022-06-03
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'msdt.exe'
filter:
Image|endswith: '\msdt.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_msdt/info.yml
Convert to SIEM query
high
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
view Sigma YAML
title: Renamed NetSupport RAT Execution
id: 0afbd410-de03-4078-8491-f132303cb67d
status: test
description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2024-11-23
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Product|contains: 'NetSupport Remote Control'
- OriginalFileName|contains: 'client32.exe'
- Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
filter:
Image|endswith: '\client32.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
view Sigma YAML
title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: test
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.nirsoft.net/utils/nircmd.html
author: X__Junior (Nextron Systems)
date: 2024-03-11
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'NirCmd.exe'
filter_main_img:
Image|endswith:
- '\nircmd.exe'
- '\nircmdc.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed Office Binary Execution
Detects the execution of a renamed office binary
view Sigma YAML
title: Renamed Office Binary Execution
id: 0b0cd537-fc77-4e6e-a973-e53495c1083d
status: test
description: Detects the execution of a renamed office binary
references:
- https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2025-12-09
tags:
- attack.stealth
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName:
- 'Excel.exe'
- 'MSACCESS.EXE'
- 'MSPUB.EXE'
- 'OneNote.exe'
- 'OneNoteM.exe'
- 'OUTLOOK.EXE'
- 'POWERPNT.EXE'
- 'WinWord.exe'
- 'Olk.exe'
- Description:
- 'Microsoft Access'
- 'Microsoft Excel'
- 'Microsoft OneNote'
- 'Microsoft Outlook'
- 'Microsoft PowerPoint'
- 'Microsoft Publisher'
- 'Microsoft Word'
- 'Sent to OneNote Tool'
filter_main_legit_names:
Image|endswith:
- '\EXCEL.exe'
- '\excelcnv.exe'
- '\MSACCESS.exe'
- '\MSPUB.EXE'
- '\ONENOTE.EXE'
- '\ONENOTEM.EXE'
- '\OUTLOOK.EXE'
- '\POWERPNT.EXE'
- '\WINWORD.exe'
- '\OLK.EXE'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed PAExec Execution
Detects execution of renamed version of PAExec. Often used by attackers
view Sigma YAML
title: Renamed PAExec Execution
id: c4e49831-1496-40cf-8ce1-b53f942b02f9
related:
- id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
type: obsolete
status: test
description: Detects execution of renamed version of PAExec. Often used by attackers
references:
- https://www.poweradmin.com/paexec/
- https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
author: Florian Roth (Nextron Systems), Jason Lynch
date: 2021-05-22
modified: 2024-11-23
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'PAExec Application'
- OriginalFileName: 'PAExec.exe'
- Product|contains: 'PAExec'
- Hashes|contains:
- IMPHASH=11D40A7B7876288F919AB819CC2D9802
- IMPHASH=6444f8a34e99b8f7d9647de66aabe516
- IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
- IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
filter_main_known_location:
- Image|endswith: '\paexec.exe'
- Image|startswith: 'C:\Windows\PAExec-'
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
- When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]"
level: high
Convert to SIEM query
high
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
view Sigma YAML
title: Renamed PingCastle Binary Execution
id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
status: test
description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.pingcastle.com/documentation/scanner/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-01-11
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName:
- 'PingCastleReporting.exe'
- 'PingCastleCloud.exe'
- 'PingCastle.exe'
- CommandLine|contains:
- '--scanner aclcheck'
- '--scanner antivirus'
- '--scanner computerversion'
- '--scanner foreignusers'
- '--scanner laps_bitlocker'
- '--scanner localadmin'
- '--scanner nullsession'
- '--scanner nullsession-trust'
- '--scanner oxidbindings'
- '--scanner remote'
- '--scanner share'
- '--scanner smb'
- '--scanner smb3querynetwork'
- '--scanner spooler'
- '--scanner startup'
- '--scanner zerologon'
- CommandLine|contains: '--no-enum-limit'
- CommandLine|contains|all:
- '--healthcheck'
- '--level Full'
- CommandLine|contains|all:
- '--healthcheck'
- '--server '
filter_main_img:
Image|endswith:
- '\PingCastleReporting.exe'
- '\PingCastleCloud.exe'
- '\PingCastle.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
view Sigma YAML
title: Renamed Plink Execution
id: 1c12727d-02bf-45ff-a9f3-d49806a3cf43
status: test
description: Detects the execution of a renamed version of the Plink binary
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
- https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-02-03
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'Plink'
- CommandLine|contains|all:
- ' -l forward'
- ' -P '
- ' -R '
filter:
Image|endswith: '\plink.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable.
This often done by attackers or malware in order to evade defensive mechanisms.
view Sigma YAML
title: Renamed ProcDump Execution
id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
related:
- id: 03795938-1387-481b-9f4c-3f6241e604fe
type: obsolete
status: test
description: |
Detects the execution of a renamed ProcDump executable.
This often done by attackers or malware in order to evade defensive mechanisms.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2019-11-18
modified: 2024-06-25
tags:
- attack.stealth
- attack.t1036.003
logsource:
product: windows
category: process_creation
detection:
selection_ofn:
OriginalFileName: 'procdump'
selection_cli_dump_flag:
CommandLine|contains|windash:
- ' -ma ' # Full Dump
- ' -mp ' # Mini Plus
selection_cli_eula_flag:
# Note: Even though the "accepteula" flag isn't required. We add it to avoid collision with similar utilities.
CommandLine|contains|windash: ' /accepteula'
filter_main_known_names:
Image|endswith:
- '\procdump.exe'
- '\procdump64.exe'
condition: (selection_ofn or all of selection_cli_*) and not 1 of filter_main_*
falsepositives:
- Procdump illegally bundled with legitimate software.
- Administrators who rename binaries (should be investigated).
level: high
Convert to SIEM query
high
Renamed PsExec Service Execution
Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
view Sigma YAML
title: Renamed PsExec Service Execution
id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4
status: test
description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Florian Roth (Nextron Systems)
date: 2022-07-21
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'psexesvc.exe'
filter:
Image: 'C:\Windows\PSEXESVC.exe'
condition: selection and not filter
falsepositives:
- Legitimate administrative tasks
level: high
Convert to SIEM query
high
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
view Sigma YAML
title: Renamed Schtasks Execution
id: f91e51c9-f344-4b32-969b-0b6f6b8537d4
status: experimental
description: |
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the very common persistence techniques is schedule malicious tasks using schtasks.exe.
Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
references:
- https://x.com/JangPr0/status/1932034543026065833
- https://ss64.com/nt/schtasks.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1036.003
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_cmd_operation:
CommandLine|contains|windash:
- ' /create '
- ' /delete '
- ' /query '
- ' /change '
- ' /run '
- ' /end '
selection_cmd_flags:
CommandLine|contains|windash:
- ' /tn '
- ' /tr '
- ' /sc '
- ' /st '
- ' /ru '
- ' /fo '
selection_pe:
OriginalFileName: 'schtasks.exe'
filter_main_cmd:
CommandLine|contains: 'schtasks'
filter_main_img:
Image|endswith: '\schtasks.exe'
condition: (all of selection_cmd_* and not filter_main_cmd) or (selection_pe and not filter_main_img)
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Renamed SysInternals DebugView Execution
Detects suspicious renamed SysInternals DebugView execution
view Sigma YAML
title: Renamed SysInternals DebugView Execution
id: cd764533-2e07-40d6-a718-cfeec7f2da7f
status: test
description: Detects suspicious renamed SysInternals DebugView execution
references:
- https://www.epicturla.com/blog/sysinturla
author: Florian Roth (Nextron Systems)
date: 2020-05-28
modified: 2023-02-14
tags:
- attack.resource-development
- attack.t1588.002
logsource:
category: process_creation
product: windows
detection:
selection:
Product: 'Sysinternals DebugView'
filter:
OriginalFileName: 'Dbgview.exe'
Image|endswith: '\Dbgview.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
view Sigma YAML
title: Renamed Sysinternals Sdelete Execution
id: c1d867fe-8d95-4487-aab4-e53f2d339f90
status: test
description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: Florian Roth (Nextron Systems)
date: 2022-09-06
modified: 2023-02-03
tags:
- attack.impact
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'sdelete.exe'
filter:
Image|endswith:
- '\sdelete.exe'
- '\sdelete64.exe'
condition: selection and not filter
falsepositives:
- System administrator usage
level: high
Convert to SIEM query
high
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
view Sigma YAML
title: Renamed Visual Studio Code Tunnel Execution
id: 2cf29f11-e356-4f61-98c0-1bdb9393d6da
status: test
description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
references:
- https://ipfyx.fr/post/visual-studio-code-tunnel/
- https://badoption.eu/blog/2023/01/31/code_c2.html
- https://code.visualstudio.com/docs/remote/tunnels
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-28
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_image_only_tunnel:
OriginalFileName: null
CommandLine|endswith: '.exe tunnel'
selection_image_tunnel_args:
CommandLine|contains|all:
- '.exe tunnel'
- '--accept-server-license-terms'
selection_image_tunnel_service:
CommandLine|contains|all:
- 'tunnel '
- 'service'
- 'internal-run'
- 'tunnel-service.log'
selection_parent_tunnel:
ParentCommandLine|endswith: ' tunnel'
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- '/d /c '
- '\servers\Stable-'
- 'code-server.cmd'
filter_main_parent_code:
ParentImage|endswith:
- '\code-tunnel.exe'
- '\code.exe'
filter_main_image_code:
Image|endswith:
- '\code-tunnel.exe'
- '\code.exe'
condition: (1 of selection_image_* and not 1 of filter_main_image_*) or (selection_parent_tunnel and not 1 of filter_main_parent_*)
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1151-1200 of 1,715