Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 1,715
high
Strong
Medium FP
Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin downloading a file using an URL that contains an IP
view Sigma YAML
title: Suspicious Download From Direct IP Via Bitsadmin
id: 99c840f2-2012-46fd-9141-c761987550ef
related:
- id: 90f138c1-f578-4ac3-8c49-eecfd847c8b7
type: similar
status: test
description: Detects usage of bitsadmin downloading a file using an URL that contains an IP
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2023-02-15
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_extension:
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
filter_seven_zip:
CommandLine|contains: '://7-' # For https://7-zip.org/
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
view Sigma YAML
title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_domain:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com' # bitsadmin /transfer n https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll %PUBLIC%\calc.dll
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Some legitimate apps use this, but limited.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
view Sigma YAML
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
view Sigma YAML
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
- https://twitter.com/an0n_r0/status/1474698356635193346?s=12
- https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
- attack.command-and-control
- attack.resource-development
- attack.t1105
- attack.t1608
logsource:
product: windows
category: process_creation
detection:
selection_download:
- Image|endswith:
- '\curl.exe'
- '\wget.exe'
- CommandLine|contains:
- 'Invoke-WebRequest'
- 'iwr '
- 'curl '
- 'wget '
- 'Start-BitsTransfer'
- '.DownloadFile('
- '.DownloadString('
selection_domains:
CommandLine|contains:
- 'https://attachment.outlook.live.net/owa/'
- 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
condition: all of selection_*
falsepositives:
- Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Driver/DLL Installation Via Odbcconf.EXE
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
view Sigma YAML
title: Suspicious Driver/DLL Installation Via Odbcconf.EXE
id: cb0fe7c5-f3a3-484d-aa25-d350a7912729
related:
- id: 3f5491e2-8db8-496b-9e95-1029fce852d4
type: derived
status: test
description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
- https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176
- https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-23
tags:
- attack.stealth
- attack.t1218.008
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\odbcconf.exe'
- OriginalFileName: 'odbcconf.exe'
selection_cli:
# Note: The "/A" flag is not required to call a specific action
CommandLine|contains: 'INSTALLDRIVER '
filter_main_dll_ext:
CommandLine|contains: '.dll'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
view Sigma YAML
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
- attack.command-and-control
- attack.exfiltration
- attack.t1105
- attack.t1567.002
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- 'api.dropboxapi.com'
- 'content.dropboxapi.com'
filter_main_legit_dropbox:
# Note: It's better to add a specific path to the exact location(s) where dropbox is installed
Image|contains: '\Dropbox'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of the API with a tool that the author wasn't aware of
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
view Sigma YAML
title: Suspicious DumpMinitool Execution
id: eb1c4225-1c23-4241-8dd4-051389fde4ce
status: test
description: Detects suspicious ways to use the "DumpMinitool.exe" binary
references:
- https://twitter.com/mrd0x/status/1511415432888131586
- https://twitter.com/mrd0x/status/1511489821247684615
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
author: Florian Roth (Nextron Systems)
date: 2022-04-06
modified: 2023-04-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1036
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\DumpMinitool.exe'
- '\DumpMinitool.x86.exe'
- '\DumpMinitool.arm64.exe'
- OriginalFileName:
- 'DumpMinitool.exe'
- 'DumpMinitool.x86.exe'
- 'DumpMinitool.arm64.exe'
filter_folder:
Image|contains:
- '\Microsoft Visual Studio\'
- '\Extensions\' # https://github.com/microsoft/vstest/blob/b2e2126f1aa7e5753cafe9515563c99ade6a59ce/src/package/nuspec/Microsoft.TestPlatform.Portable.nuspec#L159
susp_flags:
CommandLine|contains: '.txt'
cmd_has_flags:
CommandLine|contains:
- ' Full'
- ' Mini'
- ' WithHeap'
filter_cmd_misses_flags:
CommandLine|contains: '--dumpType'
condition: selection and ( ( not filter_folder ) or susp_flags or ( cmd_has_flags and not filter_cmd_misses_flags ) )
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
view Sigma YAML
title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
related:
- id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
type: similar
status: test
description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
references:
- https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
author: pH-T (Nextron Systems)
date: 2022-03-01
modified: 2023-04-06
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
# ::("L"+"oad")
- 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
- 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
- '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
# ::("Lo"+"ad")
- 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
- 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
- '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
# ::("Loa"+"d")
- 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
- 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
- '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
# ::('L'+'oad')
- 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
- 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
- '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
# ::('Lo'+'ad')
- 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
- 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
- '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
# ::('Loa'+'d')
- 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
- 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
- '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
view Sigma YAML
title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
status: test
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018-09-03
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e' # covers -en and -enc
selection_cli_content:
CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
- ' aQBlAHgA'
- ' aWV4I'
- ' IAA'
- ' IAB'
- ' UwB'
- ' cwB'
selection_standalone:
CommandLine|contains:
- '.exe -ENCOD '
- ' BA^J e-' # Reversed
filter_optional_remote_signed:
CommandLine|contains: ' -ExecutionPolicy remotesigned '
condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
view Sigma YAML
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
- https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1047
- attack.persistence
- attack.t1546.003
logsource:
product: windows
category: wmi_event
detection:
selection_destination:
Destination|base64offset|contains:
- 'WriteProcessMemory'
- 'This program cannot be run in DOS mode'
- 'This program must be run under Win32'
condition: selection_destination
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
view Sigma YAML
title: Suspicious Environment Variable Has Been Registered
id: 966315ef-c5e1-4767-ba25-fce9c8de3660
status: test
description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
references:
- https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
logsource:
product: windows
category: registry_set
detection:
selection_main:
TargetObject|contains: '\Environment\'
selection_details:
- Details:
- 'powershell'
- 'pwsh'
- Details|contains:
# Add more suspicious strings in env variables below
- '\AppData\Local\Temp\'
- 'C:\Users\Public\'
# Base64 MZ Header
- 'TVqQAAMAAAAEAAAA' # MZ..........
- 'TVpQAAIAAAAEAA8A'
- 'TVqAAAEAAAAEABAA'
- 'TVoAAAAAAAAAAAAA'
- 'TVpTAQEAAAAEAAAA'
# Base64 Invoke- (UTF-8)
- 'SW52b2tlL'
- 'ludm9rZS'
- 'JbnZva2Ut'
# Base64 Invoke- (UTF-16LE)
- 'SQBuAHYAbwBrAGUALQ'
- 'kAbgB2AG8AawBlAC0A'
- 'JAG4AdgBvAGsAZQAtA'
- Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
- 'SUVY'
- 'SQBFAF'
- 'SQBuAH'
- 'cwBhA'
- 'aWV4'
- 'aQBlA'
- 'R2V0'
- 'dmFy'
- 'dgBhA'
- 'dXNpbm'
- 'H4sIA'
- 'Y21k'
- 'cABhAH'
- 'Qzpc'
- 'Yzpc'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
This technique were seen used by threat actors and ransomware strains in order to evade defenses.
view Sigma YAML
title: Suspicious Eventlog Clearing or Configuration Change Activity
id: cc36992a-4671-4f21-a91d-6c2b72a2edf5
status: stable
description: |
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
This technique were seen used by threat actors and ransomware strains in order to evade defenses.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md
- https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
- https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee
- https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
- https://www.linkedin.com/posts/huntress-labs_when-a-sketchy-incident-hits-your-network-activity-7304940371078238208-Th_l/?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAJTlRcB28IaUtg03HUU-IdliwzoAL1flGc
- https://stackoverflow.com/questions/66011412/how-to-clear-a-event-log-in-powershell-7
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog?view=windowsdesktop-9.0&viewFallbackFrom=dotnet-plat-ext-5.0#System_Diagnostics_Eventing_Reader_EventLogSession_ClearLog_System_String_
- https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear
author: Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-09-26
modified: 2026-06-01
tags:
- attack.defense-impairment
- attack.t1685.005
- attack.t1685.001
- car.2016-04-002
logsource:
category: process_creation
product: windows
detection:
selection_wevtutil_img:
- Image|endswith: '\wevtutil.exe'
- OriginalFileName: 'wevtutil.exe'
selection_wevtutil_cmd:
CommandLine|contains:
- 'clear-log ' # clears specified log
- ' cl ' # short version of 'clear-log'
- 'set-log ' # modifies config of specified log. could be used to set it to a tiny size
- ' sl ' # short version of 'set-log'
- 'lfn:' # change log file location and name
selection_other_ps_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
selection_other_ps_cmd:
- CommandLine|contains:
- 'Clear-EventLog '
- 'Remove-EventLog '
- 'Limit-EventLog '
- 'Clear-WinEvent '
- CommandLine|contains|all:
- 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName)
- 'ClearLog'
- CommandLine|contains|all:
- 'Diagnostics.EventLog'
- 'Clear'
selection_other_wmi:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wmic.exe'
CommandLine|contains: 'ClearEventLog'
filter_main_msiexec:
# Example seen during office update/installation:
# ParentImage: C:\Windows\SysWOW64\msiexec.exe
# CommandLine: "C:\WINDOWS\system32\wevtutil.exe" sl Microsoft-RMS-MSIPC/Debug /q:true /e:true /l:4 /rt:false
ParentImage:
- 'C:\Windows\SysWOW64\msiexec.exe'
- 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: ' sl '
condition: ((all of selection_wevtutil_*) or (all of selection_other_ps_*) or selection_other_wmi) and not 1 of filter_main_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
- Maintenance activity
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Executable File Creation
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
view Sigma YAML
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\$Recycle.Bin.exe'
- ':\Documents and Settings.exe'
- ':\MSOCache.exe'
- ':\PerfLogs.exe'
- ':\Recovery.exe'
- '.bat.exe'
- '.sys.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
view Sigma YAML
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
- Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
- attack.initial-access
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: '\Temporary Internet Files\Content.Outlook\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Execution Location Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
view Sigma YAML
title: Suspicious Execution Location Of Wermgr.EXE
id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
related:
- id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
- https://www.echotrail.io/insights/search/wermgr.exe
- https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2023-08-23
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wermgr.exe'
filter_main_legit_location:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
view Sigma YAML
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 8023f872-3f1d-4301-a384-801889917ab4
type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
# Please add new values while respecting the alphabetical order
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\ProcDump'
- '\Process Explorer'
- '\PsExec'
- '\PsLoggedon'
- '\PsLoglist'
- '\PsPasswd'
- '\PsPing'
- '\PsService'
- '\SDelete'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
# Please add new values while respecting the alphabetical order
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\PsExec.exe'
- '\PsExec64.exe'
- '\PsLoggedon.exe'
- '\PsLoggedon64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\PsPing.exe'
- '\PsPing64.exe'
- '\PsService.exe'
- '\PsService64.exe'
- '\sdelete.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
view Sigma YAML
title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
related:
- id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
type: similar
- id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
type: similar
status: experimental
description: |
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
modified: 2025-11-26
tags:
- attack.execution
- attack.stealth
- attack.t1204.004
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_explorer:
ParentImage|endswith: '\explorer.exe'
CommandLine|contains: '#'
selection_space_variation:
CommandLine|contains:
- ' ' # En Quad (U+2000)
- ' ' # Em Quad (U+2001)
- ' ' # En Space (U+2002)
- ' ' # Em Space (U+2003)
- ' ' # Three-Per-Em Space (U+2004)
- ' ' # Four-Per-Em Space (U+2005)
- ' ' # Six-Per-Em Space (U+2006)
- ' ' # Figure Space (U+2007)
- ' ' # Punctuation Space (U+2008)
- ' ' # Thin Space (U+2009)
- ' ' # Hair Space (U+200A)
- ' ' # No-Break Space (U+00A0)
- ' ' # Normal space (0x20)
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
view Sigma YAML
title: Suspicious External WebDAV Execution
id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
related:
- id: 4c55738d-72d8-490e-a2db-7969654e375f
type: similar
status: test
description: |
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
references:
- https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
- https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
- https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
- https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Ahmed Farouk
date: 2024-05-10
tags:
- attack.initial-access
- attack.resource-development
- attack.t1584
- attack.t1566
logsource:
category: proxy
detection:
selection_webdav:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
selection_execution:
c-uri|endswith:
- '.7z'
- '.bat'
- '.dat'
- '.cmd'
- '.exe'
- '.js'
- '.lnk'
- '.ps1'
- '.rar'
- '.url'
- '.vbe'
- '.vbs'
- '.zip'
filter_main_local_ips:
dst_ip|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Suspicious File Created Via OneNote Application
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
view Sigma YAML
title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: test
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/MaD_c4t/status/1623414582382567424
- https://labs.withsecure.com/publications/detecting-onenote-abuse
- https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
- https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-09
modified: 2023-02-27
tags:
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\onenote.exe'
- '\onenotem.exe'
- '\onenoteim.exe'
TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
TargetFilename|endswith:
# TODO: Add more suspicious extensions
- '.bat'
- '.chm'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.htm'
- '.html'
- '.js'
- '.lnk'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.
- Occasional FPs might occur if OneNote is used internally to share different embedded documents
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
view Sigma YAML
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.command-and-control
- attack.persistence
- attack.initial-access
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1105
- attack.t1133
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ArcSOC.exe'
TargetFilename|endswith:
- '.ahk'
- '.aspx'
- '.au3'
- '.bat'
- '.cmd'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.ps1'
- '.py'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
view Sigma YAML
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
- id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
type: obsolete
status: experimental
description: |
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
- https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
- https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
- attack.initial-access
- attack.t1566.001
logsource:
product: windows
category: file_event
detection:
selection_extension:
TargetFilename|endswith:
- '.cpl'
- '.hta'
- '.iso'
- '.rdp'
- '.svg'
- '.vba'
- '.vbe'
- '.vbs'
selection_location:
- TargetFilename|contains:
- '\AppData\Local\Packages\Microsoft.Outlook_'
- '\AppData\Local\Microsoft\Olk\Attachments\'
- TargetFilename|contains|all:
- '\AppData\Local\Microsoft\Windows\'
- '\Content.Outlook\'
condition: all of selection_*
falsepositives:
- Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
view Sigma YAML
title: Suspicious File Creation Activity From Fake Recycle.Bin Folder
id: cd8b36ac-8e4a-4c2f-a402-a29b8fbd5bca
related:
- id: 5ce0f04e-3efc-42af-839d-5b3a543b76c0
type: derived
status: test
description: Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
references:
- https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
- https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
author: X__Junior (Nextron Systems)
date: 2023-07-12
modified: 2023-12-11
tags:
- attack.persistence
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
- Image|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
- TargetFilename|contains:
# e.g. C:\$RECYCLER.BIN
- 'RECYCLERS.BIN\'
- 'RECYCLER.BIN\'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
view Sigma YAML
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-23
tags:
- attack.execution
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\'
TargetFilename|endswith:
# Add more as needed
- '.bat'
- '.cmd'
- '.cpl'
- '.dll'
- '.exe'
- '.hta'
- '.iso'
- '.lnk'
- '.msi'
- '.ps1'
- '.psm1'
- '.scr'
- '.vbe'
- '.vbs'
filter_main:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains:
- '\AppData\Local\'
- '\AppData\LocalLow\'
- '\AppData\Roaming\'
condition: selection and not filter_main
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Download From File Sharing Domain Via Curl.EXE
Detects potentially suspicious file download from file sharing domains using curl.exe
view Sigma YAML
title: Suspicious File Download From File Sharing Domain Via Curl.EXE
id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
status: test
description: Detects potentially suspicious file download from file sharing domains using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2025-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_websites:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_http:
CommandLine|contains: 'http'
selection_flag:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
selection_ext:
CommandLine|endswith:
- ".ps1"
- ".ps1'"
- '.ps1"'
- ".dat"
- ".dat'"
- '.dat"'
- ".msi"
- ".msi'"
- '.msi"'
- ".bat"
- ".bat'"
- '.bat"'
- ".exe"
- ".exe'"
- '.exe"'
- ".vbs"
- ".vbs'"
- '.vbs"'
- ".vbe"
- ".vbe'"
- '.vbe"'
- ".hta"
- ".hta'"
- '.hta"'
- ".dll"
- ".dll'"
- '.dll"'
- ".psm1"
- ".psm1'"
- '.psm1"'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Download From File Sharing Domain Via Wget.EXE
Detects potentially suspicious file downloads from file sharing domains using wget.exe
view Sigma YAML
title: Suspicious File Download From File Sharing Domain Via Wget.EXE
id: a0d7e4d2-bede-4141-8896-bc6e237e977c
status: test
description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2025-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wget.exe'
- OriginalFileName: 'wget.exe'
selection_websites:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_http:
CommandLine|contains: 'http'
selection_flag:
- CommandLine|re: '\s-O\s'
- CommandLine|contains: '--output-document'
selection_ext:
CommandLine|endswith:
- '.ps1'
- ".ps1'"
- '.ps1"'
- '.dat'
- ".dat'"
- '.dat"'
- '.msi'
- ".msi'"
- '.msi"'
- '.bat'
- ".bat'"
- '.bat"'
- '.exe'
- ".exe'"
- '.exe"'
- '.vbs'
- ".vbs'"
- '.vbs"'
- '.vbe'
- ".vbe'"
- '.vbe"'
- '.hta'
- ".hta'"
- '.hta"'
- '.dll'
- ".dll'"
- '.dll"'
- '.psm1'
- ".psm1'"
- '.psm1"'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
view Sigma YAML
title: Suspicious File Download From File Sharing Websites - File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.cpl:Zone'
- '.dll:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.one:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.xll:Zone'
condition: all of selection_*
falsepositives:
- Some false positives might occur with binaries download via Github
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Download From IP Via Curl.EXE
Detects potentially suspicious file downloads directly from IP addresses using curl.exe
view Sigma YAML
title: Suspicious File Download From IP Via Curl.EXE
id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
- https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
selection_ext:
# Note: If you add more extensions please consider adding them also in 9cc85849-3b02-4cb5-b371-3a1ff54f2218
CommandLine|endswith:
- '.bat'
- '.bat"'
- '.dat'
- '.dat"'
- '.dll'
- '.dll"'
- '.exe'
- '.exe"'
- '.gif'
- '.gif"'
- '.hta'
- '.hta"'
- '.jpeg'
- '.jpeg"'
- '.log'
- '.log"'
- '.msi'
- '.msi"'
- '.png'
- '.png"'
- '.ps1'
- '.ps1"'
- '.psm1'
- '.psm1"'
- '.vbe'
- '.vbe"'
- '.vbs'
- '.vbs"'
- ".bat'"
- ".dat'"
- ".dll'"
- ".exe'"
- ".gif'"
- ".hta'"
- ".jpeg'"
- ".log'"
- ".msi'"
- ".png'"
- ".ps1'"
- ".psm1'"
- ".vbe'"
- ".vbs'"
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Download From IP Via Wget.EXE
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
view Sigma YAML
title: Suspicious File Download From IP Via Wget.EXE
id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
references:
- https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wget.exe'
- OriginalFileName: 'wget.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
- CommandLine|re: '\s-O\s'
- CommandLine|contains: '--output-document'
selection_ext:
CommandLine|endswith:
# Note you can transform this into a "contains" to increase coverage but you would need to take care of some FP.
- '.ps1'
- ".ps1'"
- '.ps1"'
- '.dat'
- ".dat'"
- '.dat"'
- '.msi'
- ".msi'"
- '.msi"'
- '.bat'
- ".bat'"
- '.bat"'
- '.exe'
- ".exe'"
- '.exe"'
- '.vbs'
- ".vbs'"
- '.vbs"'
- '.vbe'
- ".vbe'"
- '.vbe"'
- '.hta'
- ".hta'"
- '.hta"'
- '.dll'
- ".dll'"
- '.dll"'
- '.psm1'
- ".psm1'"
- '.psm1"'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
view Sigma YAML
title: Suspicious File Download From IP Via Wget.EXE - Paths
id: 40aa399c-7b02-4715-8e5f-73572b493f33
status: test
description: Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
references:
- https://www.gnu.org/software/wget/manual/wget.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\wget.exe'
- OriginalFileName: 'wget.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_http:
CommandLine|contains: 'http'
selection_flag:
- CommandLine|re: '\s-O\s'
- CommandLine|contains: '--output-document'
selection_paths:
- CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Help\'
- ':\Windows\Temp\'
- '\Temporary Internet'
- CommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- CommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
- CommandLine|contains|all:
- ':\Users\'
- '\Pictures\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
view Sigma YAML
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://twitter.com/_JohnHammond/status/1708910264261980634
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
# filter_local_ips:
# # Note: Uncomment this filter if you want to exclude local IPs
# CommandLine|contains:
# - '://10.' # 10.0.0.0/8
# - '://192.168.' # 192.168.0.0/16
# - '://172.16.' # 172.16.0.0/12
# - '://172.17.'
# - '://172.18.'
# - '://172.19.'
# - '://172.20.'
# - '://172.21.'
# - '://172.22.'
# - '://172.23.'
# - '://172.24.'
# - '://172.25.'
# - '://172.26.'
# - '://172.27.'
# - '://172.28.'
# - '://172.29.'
# - '://172.30.'
# - '://172.31.'
# - '://127.' # 127.0.0.0/8
# - '://169.254.' # 169.254.0.0/16
filter_main_seven_zip:
CommandLine|contains: '://7-' # For https://7-zip.org/
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
view Sigma YAML
title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-10
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
Convert to SIEM query
high
Strong
Medium FP
Suspicious File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
view Sigma YAML
title: Suspicious File Encoded To Base64 Via Certutil.EXE
id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
- '.acl'
- '.bat'
- '.doc'
- '.gif'
- '.jpeg'
- '.jpg'
- '.mp3'
- '.pdf'
- '.png'
- '.ppt'
- '.tmp'
- '.xls'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Execution From Internet Hosted WebDav Share
Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
view Sigma YAML
title: Suspicious File Execution From Internet Hosted WebDav Share
id: f0507c0f-a3a2-40f5-acc6-7f543c334993
status: test
description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
references:
- https://twitter.com/ShadowChasing1/status/1552595370961944576
- https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
author: pH-T (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\cmd.exe'
- OriginalFileName: 'Cmd.EXE'
selection_base:
CommandLine|contains|all:
- ' net use http'
- '& start /b '
- '\DavWWWRoot\'
selection_ext:
CommandLine|contains:
- '.exe '
- '.dll '
- '.bat '
- '.vbs '
- '.ps1 '
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
view Sigma YAML
title: Suspicious File Write to SharePoint Layouts Directory
id: 1f0489be-b496-4ddf-b3a9-5900f2044e9c
status: experimental
description: |
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation.
This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
references:
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-24
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\w3wp.exe'
TargetFilename|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\'
- 'C:\Program Files (x86)\Common Files\Microsoft Shared\Web Server Extensions\'
TargetFilename|contains:
- '\15\TEMPLATE\LAYOUTS\'
- '\16\TEMPLATE\LAYOUTS\'
TargetFilename|endswith:
- '.asax'
- '.ascx'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cmd'
- '.cer'
- '.config'
- '.hta'
- '.js'
- '.jsp'
- '.jspx'
- '.php'
- '.ps1'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious FileFix Execution Pattern
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
view Sigma YAML
title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
- id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
type: similar
- id: 4be03877-d5b6-4520-85c9-a5911c0a656c
type: obsolete
status: experimental
description: |
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
- https://mrd0x.com/filefix-clickfix-alternative/
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
- https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
- attack.execution
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_exec_parent:
# This is case where phishing pages trick users to paste commands in browser file upload dialog
ParentImage|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
CommandLine|contains: '#'
selection_cli_lolbin:
CommandLine|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
selection_cli_captcha:
CommandLine|contains:
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
- Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Filename with Embedded Base64 Commands
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
view Sigma YAML
title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1027
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|contains:
- '{echo'
- '{base64,-d}'
condition: selection
falsepositives:
- Legitimate files with similar naming patterns (very unlikely).
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
view Sigma YAML
title: Suspicious GUP Usage
id: 0a4f6091-223b-41f6-8743-f322ec84930b
status: test
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth (Nextron Systems)
date: 2019-02-06
modified: 2022-08-13
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\GUP.exe'
filter_programfiles:
Image|endswith:
- '\Program Files\Notepad++\updater\GUP.exe'
- '\Program Files (x86)\Notepad++\updater\GUP.exe'
filter_user:
Image|contains: '\Users\'
Image|endswith:
- '\AppData\Local\Notepad++\updater\GUP.exe'
- '\AppData\Roaming\Notepad++\updater\GUP.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Execution of tools named GUP.exe and located in folders different than Notepad++\updater
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
view Sigma YAML
title: Suspicious Get-ADDBAccount Usage
id: b140afd9-474b-4072-958e-2ebb435abd68
status: test
description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
references:
- https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/
- https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
author: Florian Roth (Nextron Systems)
date: 2022-03-16
tags:
- attack.credential-access
- attack.t1003.003
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection:
Payload|contains|all:
- 'Get-ADDBAccount'
- 'BootKey '
- 'DatabasePath '
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
view Sigma YAML
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
- https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
- https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1546
- attack.t1027
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Greedy Compression Using Rar.EXE
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
view Sigma YAML
title: Suspicious Greedy Compression Using Rar.EXE
id: afe52666-401e-4a02-b4ff-5d128990b8cb
status: test
description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
references:
- https://decoded.avast.io/martinchlumecky/png-steganography
author: X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-12-15
modified: 2024-01-02
tags:
- attack.execution
- attack.t1059
logsource:
product: windows
category: process_creation
detection:
# Example : rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul
selection_opt_1:
- Image|endswith: '\rar.exe'
- Description: 'Command line RAR'
selection_opt_2:
CommandLine|contains:
- '.exe a '
- ' a -m'
selection_cli_flags:
CommandLine|contains|all:
- ' -hp' # password
- ' -r ' # recursive
selection_cli_folders:
CommandLine|contains:
- ' ?:\\\*.'
- ' ?:\\\\\*.'
- ' ?:\$Recycle.bin\'
- ' ?:\PerfLogs\'
- ' ?:\Temp'
- ' ?:\Users\Public\'
- ' ?:\Windows\'
- ' %public%'
condition: 1 of selection_opt_* and all of selection_cli_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
view Sigma YAML
title: Suspicious GrpConv Execution
id: f14e169e-9978-4c69-acb3-1cff8200bc36
status: test
description: Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
references:
- https://twitter.com/0gtweet/status/1526833181831200770
author: Florian Roth (Nextron Systems)
date: 2022-05-19
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'grpconv.exe -o'
- 'grpconv -o'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
view Sigma YAML
title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_paths:
CommandLine|contains:
- '.application'
- '\AppData\Local\Temp\'
- '\Content.Outlook\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\AppData\Local\Temp\Temp?_'
# - '\AppData\Local\Temp\Rar$'
# - '\AppData\Local\Temp\7z'
# - '\AppData\Local\Temp\wz'
# - '\AppData\Local\Temp\peazip-tmp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
view Sigma YAML
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.g0032
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Hwp.exe'
Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
view Sigma YAML
title: Suspicious IIS Module Registration
id: 043c4b8b-3a54-4780-9682-081cb6b8185c
status: test
description: Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
references:
- https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
author: Florian Roth (Nextron Systems), Microsoft (idea)
date: 2022-08-04
modified: 2023-01-23
tags:
- attack.persistence
- attack.t1505.004
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\w3wp.exe'
selection_cli_1:
CommandLine|contains: 'appcmd.exe add module'
selection_cli_2:
CommandLine|contains: ' system.enterpriseservices.internal.publish'
Image|endswith: '\powershell.exe'
selection_cli_3:
CommandLine|contains|all:
- 'gacutil'
- ' /I'
condition: selection_parent and 1 of selection_cli_*
falsepositives:
- Administrative activity
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Inbox Forwarding Identity Protection
Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
view Sigma YAML
title: Suspicious Inbox Forwarding Identity Protection
id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
status: test
description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.t1114.003
- attack.collection
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'suspiciousInboxForwarding'
condition: selection
falsepositives:
- A legitimate forwarding rule.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Inbox Manipulation Rules
Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
view Sigma YAML
title: Suspicious Inbox Manipulation Rules
id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
status: test
description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1140
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'mcasSuspiciousInboxManipulationRules'
condition: selection
falsepositives:
- Actual mailbox rules that are moving items based on their workflow.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
view Sigma YAML
title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename:
- 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
- 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
condition: selection
falsepositives:
- Administrative activity
- PowerShell scripts running as SYSTEM user
level: high
Convert to SIEM query
high
Strong
Medium FP
Suspicious Invocation of Shell via AWK - Linux
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
view Sigma YAML
title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: test
description: |
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://gtfobins.github.io/gtfobins/awk/#shell
- https://gtfobins.github.io/gtfobins/gawk/#shell
- https://gtfobins.github.io/gtfobins/nawk/#shell
- https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith:
- '/awk'
- '/gawk'
- '/mawk'
- '/nawk'
CommandLine|contains: 'BEGIN {system'
selection_cli:
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Invocation of Shell via Rsync
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
view Sigma YAML
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
description: |
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
- https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/
- https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
author: Florian Roth
date: 2025-01-18
tags:
- attack.execution
- attack.t1059
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/rsync'
- '/rsyncd'
Image|endswith:
- '/ash'
- '/bash'
- '/csh'
- '/dash'
- '/ksh'
- '/sh'
- '/tcsh'
- '/zsh'
filter_main_expected:
CommandLine|contains: ' -e '
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Suspicious Invoke-WebRequest Execution
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
view Sigma YAML
title: Suspicious Invoke-WebRequest Execution
id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
related:
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
type: derived
status: test
description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
selection_flags:
CommandLine|contains:
- ' -ur'
- ' -o'
selection_susp_locations:
CommandLine|contains:
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- ':\Windows\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1351-1400 of 1,715